From a30cdc970132e7994f38109f759f2e8bfbd84a4a Mon Sep 17 00:00:00 2001
From: David van der Spek <28541758+DavidSpek@users.noreply.github.com>
Date: Tue, 5 Sep 2023 13:54:06 +0200
Subject: [PATCH] feat(bootstrap): add capz chart (#825)
Signed-off-by: David van der Spek
---
 .../cluster-api-provider-azure/.helmignore | 23 +
 .../cluster-api-provider-azure/Chart.lock | 6 +
 .../cluster-api-provider-azure/Chart.yaml | 10 +
 .../helm/cluster-api-provider-azure/README.md | 3 +
 .../cluster-api-provider-azure-0.1.8.tgz | Bin 0 -> 57928 bytes
 .../helm/cluster-api-provider-azure/deps.yaml | 7 +
 .../scripts/Makefile | 24 +
 .../templates/_helpers.tpl | 62 +
 .../templates/azurecluster-crd.yaml | 1089 +++++++++++++++++
 .../templates/azureclusteridentity-crd.yaml | 183 +++
 .../templates/azureclustertemplate-crd.yaml | 659 ++++++++++
 .../templates/azureidentity-crd.yaml | 96 ++
 .../templates/azureidentitybinding-crd.yaml | 66 +
 .../templates/azuremachine-crd.yaml | 625 ++++++++++
 .../templates/azuremachinepool-crd.yaml | 814 ++++++++++++
 .../azuremachinepoolmachine-crd.yaml | 209 ++++
 .../templates/azuremachinetemplate-crd.yaml | 521 ++++++++
 .../templates/azuremanagedcluster-crd.yaml | 75 ++
 .../azuremanagedcontrolplane-crd.yaml | 513 ++++++++
 .../azuremanagedmachinepool-crd.yaml | 511 ++++++++
 .../azurepodidentityexception-crd.yaml | 62 +
 .../templates/job.yaml | 64 +
 .../cluster-api-provider-azure/values.yaml | 26 +
 .../values.yaml.tpl | 1 +
 24 files changed, 5649 insertions(+)
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/.helmignore
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/Chart.lock
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/Chart.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/README.md
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/charts/cluster-api-provider-azure-0.1.8.tgz
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/deps.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/scripts/Makefile
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/_helpers.tpl
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azurecluster-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azureclusteridentity-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azureclustertemplate-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azureidentity-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azureidentitybinding-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azuremachine-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azuremachinepool-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azuremachinepoolmachine-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azuremachinetemplate-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedcluster-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedcontrolplane-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedmachinepool-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/azurepodidentityexception-crd.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/templates/job.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/values.yaml
 create mode 100644 bootstrap/helm/cluster-api-provider-azure/values.yaml.tpl
diff --git a/bootstrap/helm/cluster-api-provider-azure/.helmignore b/bootstrap/helm/cluster-api-provider-azure/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/bootstrap/helm/cluster-api-provider-azure/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/bootstrap/helm/cluster-api-provider-azure/Chart.lock b/bootstrap/helm/cluster-api-provider-azure/Chart.lock
new file mode 100644
index 000000000..d4b06aca3
--- /dev/null
+++ b/bootstrap/helm/cluster-api-provider-azure/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: cluster-api-provider-azure
+ repository: https://pluralsh.github.io/capi-helm-charts
+ version: 0.1.8
+digest: sha256:a121b432405288d78644e268fab20ac4369a2bfd13084094b9de9e0f65c05ad1
+generated: "2023-08-24T17:11:19.117169+02:00"
diff --git a/bootstrap/helm/cluster-api-provider-azure/Chart.yaml b/bootstrap/helm/cluster-api-provider-azure/Chart.yaml
new file mode 100644
index 000000000..21308854a
--- /dev/null
+++ b/bootstrap/helm/cluster-api-provider-azure/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: cluster-api-provider-azure
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.11
+appVersion: v1.10.2
+dependencies:
+- name: cluster-api-provider-azure
+ version: 0.1.8
+ repository: https://pluralsh.github.io/capi-helm-charts
diff --git a/bootstrap/helm/cluster-api-provider-azure/README.md b/bootstrap/helm/cluster-api-provider-azure/README.md
new file mode 100644
index 000000000..61b8bd37f
--- /dev/null
+++ b/bootstrap/helm/cluster-api-provider-azure/README.md
@@ -0,0 +1,3 @@
+# Cluster API Provider Azure
+
+A helm chart that deploys the Cluster API Provider for Azure
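Review bot: `description: A Helm chart for Kubernetes` in the Chart.yaml hunk is the untouched `helm create` placeholder, so `helm show chart` and repository listings will not say what this wrapper chart deploys; the README line already has the right wording, e.g. `description: Deploys the Cluster API Provider for Azure (CAPZ)`. A one-line comment above `dependencies:` would also help, stating that the pinned `0.1.8` subchart is vendored in this same commit as `charts/cluster-api-provider-azure-0.1.8.tgz` and that the authoritative copy is served from `https://pluralsh.github.io/capi-helm-charts`. As far as I know the `digest` in Chart.lock is computed over the dependency declaration rather than over the archive bytes, so anyone auditing the vendored tarball has to compare it against the upstream repository themselves; if the project relies on that, saying so next to the pin saves the next reviewer the same investigation.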
diff --git a/bootstrap/helm/cluster-api-provider-azure/charts/cluster-api-provider-azure-0.1.8.tgz b/bootstrap/helm/cluster-api-provider-azure/charts/cluster-api-provider-azure-0.1.8.tgz new file mode 100644 index 0000000000000000000000000000000000000000..ad02854de331e261676c0eef51e8bac54ed659ea GIT binary patch literal 57928 zcmbT-Q;cXqyC&eaZQHhO+qP}nwr$(k?e5*SZQGvxpOZ70naioHtW>Hl*40YB@2#is zqajcL{xg0l0jLcnlo*U9WZ7gqIa!UE)fh~aSuM4cIoagZ)YxRzZLAFKOgvQ-?Rh0k zZEOLqdN18JIhrW8`o2*#c0RS+ylLK%$QQ3&Kc*b7WJbFWhsT^2E@k9zF(X1qVkiTI z1KgI*dp_G0IuJ@c0FR{?yod24MGurHP@q&pg;Z0HgpzCml({6B{iKbb4_A4Jy~~+% z#`l3{lkIO_uWoN|`#89QeqUc-tAB6#H-8V=!NtY>c|7h9)_~nI8rAy}Rn*bN`NXN~~OsL@8UT<%2!z#Zq zp)|wlHf5r)9}$s`L6lnx5!V2$ceE5J!#$B;vg(=iMwCsmd)8tV*tp^cp_p2CJ8@sLG+ zGtx^Dm0$tvFcB%{DRy!k%Ou4s`HMo3L-ut~ozcqvP3b{Glxr~41l55Mlg#aRzwq4Rup3(8J9Ta)U@A^kw`&Y zRhjR<-r@K;Sc$iess0&k{5TXM&auwm{FUTPX%e=$7&9Cq8HKzpF9exK}hA?}a~G&eWr=lf!Le0^8EUan5=SLx&BW%+qm zeui#lm#(*$>zy)(iuL*W()6#L?K!HuoIYmCMD+W$m0Su90OoT|iJB&- z>Db2IDRdq-`xg7Z)1Q4Lk1PX85xsr05=luiFs5Bm6myNg{JX!0hMvFtJZro9x4-fa zJ|8Ww*Q3?(lxB=c%s?bjZy-Nlg#I1(*E^@P*!g_03NmCVh%M_f%)+X^$gojR9P%Vs zR;mxRR^D%d(WzBO-P%c}EM#ZwqGdEf^mzmME_@T@$RCKdaBPW|(G42koqz!OgG9n> z&kWdR2H!4Io&_5T`)|1E<5vMl3*NDI|>o9K>1h zi5QY`M=?+>ym|mmGdpoAniFLbB_tb|b~*A2Vn{)u14Zi+A&O~xxT$AxWRO_MDbS$h z0vG}8b1ws}RcfQ`xg1X$@o*z$5{It|loBD%rHy5mS{%~! 
z-azSQDdUhEU%$h9zsT9CZ7${eDC)oFk#N0`YL|b{%B-9WlVC^Alo|-1vMnk!rkq?| z_zs?T#X`mV0BH4cbtos+eKQVfcQ8P(&y3 zz+t^80HdjhX4rnkp8K3B<_=6pHak?S&yZH`S#_e)u8aoX z3$dF}&RxB=cC<15rCO_l^HG3KP2&f0tkj%r@bgK5jMNmFD1JnD*ygIVV-U*|(tuWp z8aoMk!s(z->a{frKQ`MuUpVoJZcco$VzXZ0)ees=sZCRV_6pcqlfTwh%evYZ ztM$Xy);aEi>hJbe&4HP-v!_OOHXl!RcHA8p9%5BrU&~RKAKn4v!Y`DnfB%UKLs`Ex z*gA$d;mJPS_wC-^h@$8(x0hQ>-^y>^!Tqei0iPqCIZtt4km67lwLLtW9Yu6*=6)3U zQE6FFEN3FeC=xz5uy{eh{&mUOWQ5}J`@1AW7DyHgkqTo6PJEHYV&D>vpw8L2z;vW3fK7QueeHNEJ4bA`{{&8{1jKK^F z4bSs8qktkE3BGoELH{BLiH5*A+VRn{wG@dr{z4%-cTjT8)G%ed_SV9mjv=P3(AKi& zfGn`|@YutYv6qT+$E^Sr?FpM&qjPA|9qxL~2Sy@G*sQicy7rjy&ms5z&zos6O&#U( z64bx^Z->!C{A$O)L+JD?55LJgsFyM+BZFFFEwGJico!P^?aTm^&3;7YamULx$b6iU zhMB?e)jfZl{#LyLCyfU-##>mIBsqX1;>j@a*(374s%;hu9GET!Ubs(kLR##`45TnH z#Kk#h4P)V%3;)^1_k;g~#oDb&l3Y4~^%}bTlvB#p4sJ|zKfuW3&olgoLJ29*7|h%) zWv(*;GtH!nLyZ3%*vi8it~&P;BqLvL;P@|h;TXL$8u<}MuAKkdKrhRY zIOWEjuI<0z5MzuCKsh>QDUwOK40fdLS`FG1qDwZh)9zZ#Fs@+bkh{G6*@S@!3}=O zNU*hA5KLyKARo{V{IyHs;}3pn7bYsNmZfq?b~s7jC%Y;7V5~ZNU|!yW>5yh1y+)1` zl*yAM@B|sX5EC0kLzw7IAj+kQKMcByoPv&d1AkG3BO=_~l=$}r>YJ3b)hcSsH&Bpf zCrKO*ETo4}j4SoeWM`XRIG0N}1K%p(Dd zk|!Svt*NFxq?(!@@iD&m-Zl+w$F!l?oD*thmt0Q6^pnE8P;EB}QQ!8BSpb zqRI=H%iYYFg)k%EQs(t_t%bVl5I~xGMEZj<8`2u*b@(BTp65hTW+sz9B_Mv&kaDI*x~yRfRF;KI*y3YUAxB`K5I@USJJvW*B3 z(!)&u+0vt}xj*u4FftsJF^s(NVFzZ7;Y3&Z{tFPBJ-1=XCuad-Yj;CLXHLR=1+gE4Qw+$Js~A?;-&m>K zvn~Sslx5;PB?a1}UKO%B<|x~45wH`l_o$sT&@X+Q#%E*4DkDTo8{4RGhD%GEP5RYG zBSkbwloN%6!8s^dq=A@C#aFC1k|rjDT6iYzT$)uHqLrRZjIyY<{o2K97X{2;fGh=) zbf;g`{QmOmrHhZ5by9SWeCaY)g8@x?I($vI^ zp^6v&gnv=yuXN7%h=u}0tqSQxD=C8=xx4H*$a=5 zU{7Ej;_RG+5!xXQojuH5XC^U1+U(}sDqln3QGi*V_HD;ccPF$gO z*Iiq}BF7h|{drmNaGGrWnb|s*(gnLR!VM(1Ng;##Ems?mI%fy5C6t*|CiBTs%*?rX z5D=ziwx(0e>n~o5Xvh;*!^=!JhoXl#H?!2hCZl3L4Rm|n=(GP6@_XBx?7z2!FQ;~8 z%0S3!Ww{bIc5fJ#GDD{X_W210cSqJVvEN6I&c-~9CNJG(tDsX&zs5C zEX%?Wx%Nx;%_Wxd75M55t@8MkGzto>^7N7vG7he$!X44Rc-jfA^86|nvjWcd;>sEokFXlR{1x*)mwH1NJI0hgc9lA z@Iu0C2|?k=Y$*YTAaI1!XS8WIXEpH!9-5UGl9-UF27qj}-OfOTwgsUB(9)5`neIaz 
zCgr#Gz7+u*6mHp0H$8WRvIu$r zB~^H>SV!z3OFI_2;?oTE^z;O;wQ=DkhL(lMs#3}sZ%PzMR8;FLL3x#>=zizD*JBQ2 zPg&>SF9+?d=hA$x^?WpIw^yChdlK@S_eQXQ?*SXqV{14!#8|1Ofa4Zee(DYY5X;Gbo>P(5@U*Q`N8es=TWf3v(e1xw943i|?n{O$Us59d8!sJQeutnW zA)FL$b;uhFa;Ar6+W;2oWvOT(I&;0K&GAPK1Gd7SLhu!(>9@bEqlUod2{4+j$ zA&)Hj?ikIF3)4W^V=q}egbyyNfCaeJ9{z*_cPl{@d<-hUt~jDV#vp<&BI|bIy(TZm#;PEvFlqG;kdjPD3C$Wx2TMkC(H~t+ zy<}AW_`;X_J?A@i#3Yj^;*AeCXweM99Eelq+BwECrmR5kdfnFaLCnDx z@y@@hkb!M{b229!jArY#x`%b&VTW&|atzTDZJ_KtZT%*b5jr=Ilns8GA?$j%&vO!@ z`S*%2H*Gx49%{sSREfJig2qI*5QY}`3=aqIkLI(VQ(z$$emo}gGS!&XhT|(@DI+XE z;P>5_fbC2O1SqEghv-0MDifnT=J$0%aI>Ue0!%~6kg;JFk2?N4D*5cYnYY=6#FWJkh2h3^XD~hd?L3RA~d9zBhYMspu2Uou!7m7@S7ZoaFzUH4;YGM zxG89W7l%B)EavpOJA?FjQKNg!TJGj}aid~)2Y`bH3yPhoSztyTg*Tl59 zmld+cbm_kM;pwUc;OILaY)jsyuT+cPPg2Tk3!C1agEd!sFF*BaHUg(7Syg{N#MV(l z2znQy1kaUmCqJ(yjxckpe6!E0Q{qQKSn1Tz`Nc$i?Pb7*`iujMTou zIoq;(g3TY!ZRH$Pnxb~sDwJA{;ux+ldtHHw`CguU{&sYFYB-wQ_M7{+H$s)f+8Mu8 zyfbc%)}YHHB>Lfo|FRB5;{in79b$wx%_M;>?9Q&sLiATV%z5hzViO>DHT|567+MFW z#XF>bEP%ky4Yb-Uq+*$*^$y5uU$BL+P;`rCQNJ4?#6Q`x)nP|K1_OZg<30J>W3TtO zFp8{-`5e(`Qh;T|%aV5~FV-y}-_!mp%6jV9#C_ywG}1U%&_dk^OT^7^sa-MxQK&8D zVV6N72PkQ&E@x6{G=}9E19_ncRL8c6oFc?RPy~4aGD-_3TrP|*1f60@))x(+p3rWwf3((HP-i2 zHRW|_o70f4w0$2H!Za-HG3y7qlL=sfX)%Ipa%o1DEEC30yPN)>L-xVB{I>SLJ^XJ! z>HIdowh;b4-H+wDyI1l2S64Rnzh8$VmzR_3eRH|HerE4qV!t1@pXLu2>HT7EZa+`? 
zu>`4Z&=W@i=D@sA>7(>0o4=yVXDc0kP&)dEnXMD?+Z|VH$;=LARHubc`D&WYJ@b0& zWdcETKr)t>J#Kwj%9`uCvCt$lB(V=5<_Mos*D|5OPu1rLq?W!hCY7MpL`!bckj_d#pa*k$wNcq?z_DHf^dE0vw8S8 zrR>V+9ID`qKiydTF#a6JzxOA1oF9=DvC6i4odnmxi)yhZ`%d6;NOkP$*HmgDbysOZPM?vVkT?%NI&imun( z9D_F_;ah+e_P?fh+by9?cixbU5ADwn%3`MFbsoEQKexvf)zNX=lKh3K~eps|)gnE+Dd>UUFD@-cynZti_i&9WPhy7qT~uViC(53wo=KS6pLCzqg2f889?DzpWmUXoy%hD&^Xf+&?7ZRn0Xs2l7_BE zRCYkx<{YTZcx!f;KZ+s9OhnborF}^PJlN3?vK2ZYFKGSQT{5nPVefu)f>x-AA>=s!cXXa;&y}r=OC7%!U&z0s*1eg%pAa_tm1&zNxL!8 zV4c-IWh}%BD$UxzOt0g|oD1jotQHA9g?Z0z2-qYC@W7(^p!E=9?f#OVKRZ1HV1J`Q zZu->jUI^_az7dn(WDip>oN}h5?!k;7lp2Fr0=9Hu?DQgMo$oJN=yh4`&!*>#w*2g9 z$I)PKLQF}!tl;*Q%Bn@Rz(kiXp{1I27zOGNDBr2=I}Yc$!q}p!P5;0$YG_f+l!Y>J zqH5o{=%p-?S7K%+!~~FIxKB-|JqV##vsHMIL|YV1AE^{np!EOo;5s;F8xE)k)no+E zCg0hX1TMgiljEka5|Ts`&iKCh(>_Dq#T*e=#}J|<^)%lM%@9w4oV2&rqf#+x!&0v6 zJSiBiPG6TUC4)J5hDOdJ_RH$^>UPVzny|k4i*V>Im$BtKBSH4{D&dPc!&r<=bTro@ z#&rL#vmZ<%w)-jbA34D+|Wuf(Y$n*>|R~J34*lBE{7DSas|rov|gzqkPAFgK8$` zNpS$72KfGdmoD3)i-%rBLxw+J822C(igg&rxEBeU{8ntmoaHE(!8e+y(`^RDM}8JZ zGA{6#hOxaL+D2ui5+t!_cjnCrUbmau%e~TDX_?JLZ6;G;bdfP4rWC-rif;H*d5gpC zDS%HT>-5)I*?!=n;Q1H?;MwG-m@zF4Z51858K0x0U)Sogw%)W2wl1fG{{%4ug*Zv7 zam+qdMd;?`#=}i`-K7A+y1-ofN^rEW_c!2I4KI488ij)(*XA5jtn>rXn;Lc^YiG#w zd*$yiYsE@!2`80f6K5Q2^^nc|nMk!lx_Q;@NWb3CFpZi&G*yXLA5z^zS+%w4SI?^* z7atYnsY|KqdKFXJm4b5)mO3)cyAS1#oik5S+E47IjX+&MyXbg=4xm;6+w|)UT!KbvxpH;hUc94=u!hh0CeLO17PJiPqu~`NIs#g;iZ2rh zHh>96fyKyN+w%a8RDsr0nxW_^vagaUXuPg-xzuM&_9wMu(Xi>QjR8CZrnIi|VPCug6{fLS@U0c5Jbo9u_;m(*c%FP&((cZ6|Wg15NygpNRD!C?^q za$htFsv7|6f|2?Xg6QvFs?o+1 z^u*^8p{I9zg+9m5ok0(;&^@1)O7F%sB>f#EBM@XW%dk<(M`h$7-dm#`y90%zmfOXn{ddsnB3~N*91iRFvR;4Vzo7JQ)!~S~?ux4HA zQkzoLs-#8Rq9(QdZ);WRysuqp!edJw(^tD{t}di%G}~pi6{{m=Z?Kt^93tK_-_J4{Y%?2xgi;VPx;_~q&c1K8 zaQ?oYTBnq(W+~ml1H1Rrce&j@093htjG6Tqqw>Is5J<7;n2DL5%cUA%fz#m{E&+Sp zY3OAhI^T?z0!wCr@EuHn@?mRPyS}8sb~FDCm|WjT;@-i^;|I#4T`JZBFZF?3RpLVa zbhnX(SLWHCU$#@Y}u;KQ{k*6GHB~nx$c)~I`$^C_4$XOaZ2!!Qb3Q=>SGUAnx({0PbhT^YtOu()|8dSxb<|Qs+q?NOtRe|LLHU 
z0>%E*K@Y$?x4W=9l$YM$XpF~<*%ITW%#LeG$2BHgSHc8Cv_*t$0o%4oL3++1CEfk} zkj2xxQ|!kcBEpgSrN1;O>0B6aQD)jml{~mTVcD*p=I*@fF3ORHzo^UdjkE~uTDyKw7CZvF3ZKZ`dsx7r$j#)PxEHk)dmVGnnJ9eFmkGjXB z%*#sDn?=^i^{*z=b8uB}QRTl{{a3qL`LGt0_}mCcVjbNgK@7i4sUnnyg%@y zUC*`|t75auC9j*PWfmpu7Y`tsl>OHS`n3Q7Gvr!yiMD#BzH~;N*}8!| z#mcSl)R3HqkK%^TSn${!8@yOn1MH(D%riHJ%YQK*2Xz&#EG#8HN-fo#JB z!Nwh^{>vd}fxtQ=!{II3`t8V4ILf$mmrdadE5Qj9l8Pwils$nb9H7|%d2UE|>h8|t zIE+uPaagKUYB0cI+Z!HxHyU$~DF<97n#%)SsNuf3#Z(GxT;l7*YvFEjO@F8Xhu=!$ z2c}_o_o^Uy`yC`MD9j1IK4!VP0Iz4EZ&MxY0LE}&@wpXOLTmn5SOK=;>)B~4du<^h zzx7Ah^fi`b21qil<-`GmmR`blu%bAbR{+f{>fl`*3GoW4w9wXv_Yi31wug5TZP-0Q z{9#oAq}%&Y0I;DXys)MS)Xh3@#hZFb9v~%lA0O-x8Rtd6E_2+zhE`r?) zo<98;C)5lL8oZ>!vIkXv8gK0^81Z?JWZ&IPh2+nQl!N_POLCXmL{(e!p_~n4xf8dK zPX_|qb$Sw864u0uqYr=;((Q;!2ES_Wazm)sM>AGVCbr)yrdbj9xDW5>gl)=p*fc4R z10zyFs&;6PV+olgJ_qS~@p`$S*t(4~klo+v!jigDFrkYQv|N&_8C>mPY!G+71yN*J z8K?_>o>3>kx&mS5?{CKEKN~`sE>jL=FU9gaIm?ToZJCHHl6Ol-=b%^2^tEqL&1Z? zUtz0=W--#p@G^uo8;EjDL5HAOhOLmBmksbT5Cfxxv9PVRAzQ?iZ{P2#xdw_-Jbg%u zSB1J(f>n$1rC@ILWvO(zI+gWEyypUTl4O6shr_GG#MF@SvrMbi_Kj%yYDU6a-x|>H zR}O~y0^bna#1zpOZ@jhUZPlStpt_C&n*bD&V5c_8xFML*@}+2fDPrbvn0aa&YfZ$oxJm&D6GXy18Q+f+3UdUv@30xTJK+v;W zcNq!YX?e^U$CE&>OzKo~C3m@o4J?!Ib{YJ}42(@F(A@%oHR=RInR0V?TY!9sq9m$r z4OwDVy7ERek^-$7pE;^S)u%V>yH&TE%-?aSErG@e%GRZAN0U`z8OV?pMF@CKI+qSz zIoi9qVcg@;p_)zdCPrnukw0P#=C44tPX_w6RUP?R^79600Ygp#p~6M}b3#ZXKt)OS zIhaCuR*ZQX#9^o&j?CZ$3zG;10=a3Nl&BF&!8yZ_95P%LOKO8*dFqFODD`aXcwNH* zayDp%xwEjAM_B?HTOpzt6iQLY{s`H%@D{yimofKYPbWdP*8nTdJe|TI?7~ORIFdvH z-D?)o!U&H$Tg1d3cPHf#TSDZWH;k*M63`sI!)yRVJ+zFrStYX*jp9Y$kt9E0#jr(21#9J&zhQ)Ru^|tO*bW3z%hl-@WSL}s6f?_Mi;ONry8fVg9OYDHhgnmTcn`5}B*x15l0Y4xBKKeSgT^#ToN0aQJ`&H&Qofi8 z0-Ix=rm-p6D@uRI90JCO`ukD8u`bC54ksUbXz$51K#-_>zO{z3b{Kk%b`H_umTiGA z+U&H$HR0sYhh(Zw546tg?~Gk2l`h)g(EELzsUVqljopZqo3a|8rCZ=T1joAhQN4lX z(gJ^J>|UC^S%%Dyko;HqjwX$nX&18yS#2@Sjh2LRCZz`7I8sq0gQff{h0sQunfs>5 zL<>k>I5As+)$LxfFxQlc$U+D;J)A<6p@|R+(J97EsqDbRo}Q4yc!*O~I$55?hD0OQ 
zlAainwcy4O{$`*)2a$2FT}qnJUF!z$OIw;zfK4yu4JIQ5jR7K&DiImLO(|?Wv>!`t zUt&`4hgKxnfvtA}v)JZi#)`%&y51NpH9<=jHL<__MX%SduwqVh#Zbz>ajLwgBQl&Kyd|%9$4O;Q-=TGYCTY!7}EjQbZN@SCZ}>6>%ZP%ha-F z8oKJGNqyN(?PUY2$eM3?BG`GZF{`Jl)w+Xb_GHi^zrWf-CPO8M#@WWosV@)|6RLYU z1ht&S_99z_Cg4@U7J${ZyxH|;=Gxh?cw$LLG`BzPv({(r)^ihBQA$dai{#QZpwEh5Qa8bUJj{tcgr&YO7 zdwa~dSz;O5O=1p{>K7xx)=!D6frV{xFO}q( zMd2tEtzA}f!sEmk(d5z5|5(x;|NU>Ei;Lg={`~m;<3Z-Lae4mE4lYk)!RYjP*Zkfu z(?9$3^ZP&S7Qd7T3DA+v_Aj^F>aGrb$>Ox+T!KUJ240wAnl(RxYc>DA%I+XFeZeip zQF>HN0<&^(cf!qB;&c0AAY5;byS`$#Xl^2eNpt)Uaji{g5X==|ITeY(OmdyiRq^11 zcTtbXWIPwL*N_lp;+!$}$_NT)8W{ycz>{I-;}_S;=g-|mk$^xmfuMne|K{`G`hJ)U z!52@TurlNvNfrg{hzLKuKLWHtv*A|wwJzyr5P&HUhOxhA#QaAk4AmVeF@KMkD{r>C5@Q z_ViY_Vi#OmS~p0rG{DNXYo)pch-ga=)8!j;aEp0kfxC;*Fgl5(eqA=x-}waE!FTfA z#00!*XRNlV3`W$jC{-S(&e?#E3I{fAzKc7Zhx+%M7oz-aXdc3#G&f2w)$8)yC(1m7 znm2^1m=PUG%{f#?u_3m-Dlk)MOb{4eQ^?Y~x5k<43(xyUKn($hdp6CIHpPB5vm5Osn^ng$DN>o?Glx+8$FI+86h*+@m~QSzaa z6eV&KJC*f4rPjue-^0y|7cSG3&7iGgVbQMkc2uH_2KPC}S@r4-yt&0617FjE)Y7ST z|18`}*npkg`lRte|!mY zvrXRvnToVVJDs!^#8ZTw1(}P~s_J1>m8op#G9Em7&Q$1J4g3g~W1nSN3wnx5MW!>933&JyilsgDHZ%w3KI$4-VJB)IWPh1Ph2$tJ`z5F=bu z9JaeAzI@d&DzBzS46D)p6h>Ku`TcUa*9xt=)9JCfI|ObTuqQ6YVhI6c;F)zuP_KwL zn?V_?%?MBrUT0%@z?xCj0}Rck!%Q!ao%Ft_3za}CKR*@RVf@Ro5@V2TPq19n3r`DNmxt_qJ!d_h@q5VB{|g9Gi|cbH>>q|1rv2^Zo6Le z729;1F^KDjwAKbp|5RBvjWe3DU#esunlR{cUi#{KD{M*dUO$RCT1yfeDRw0QbOrQUXyNb`!(S-c-)Y+90On)Dog96ci?873iP2Y%2B=<{}--3Me4r(+kFG zbTV!L$}mk3VxI{6C@6O(BbdAvN_&tSU3~Xhcp&02I9(tnX zVIFh>L#7$9jm6qJ*kHK4)Q0(m980KGZknR0#^KX4#pkC48kOfHXCvqN~X<(Vgl zvJQr=norGzpOPjqz33&v5)yp=X zpyryn#5IRnBFy_;w(M9Mt;@+y`XQNSw?^7otrTj9bxYgJMYncnkK}1pbLkqkt~>-> z2%o{FeNAdKOnxek0G?A;ld=Ir18$W!c%S%N9OtD5*WWE+ZZh-gs~h z>F;*y`PTZ%JDpbJQMCN|Z2j|Dn*Y3A|9?KEr`Fw{t!^ma?4Dkq{u}M^$G@I;S9j|_ z_~~E#ukb5B`SSNZmcR1iCf2XBt)HhG-;ej({Poj8!L!dd`E3%_pXJ&eUK`fE{HF8j z?XRap-0T~UARO#n^EJBIt97x~tD{Q$pB-!)q#Z{a7|4Y#gAAGEuu9!%oj0F(F|>z`>}!*RAJ6MSz2^3UmmFl5FCCOK^YwiW4&BK} zB%}JnU=Iy;3<&3PPM~li;uN`hkmz6zJ$G>JHERvg6wZeYUn#-7Tyd_XhxMNEL-r-@ 
z`RZ3`W;xT4){to0>*`d`ShraDWIW;X-5_484Rx)?nQ4~KFvdYh zv+UlEwaA>#up(`{ZcGo#PdQ-C(6Siq*7-XatZ?aLvTdhe>P@Kv6~af*=c`|!XaH6; z3dmwYypX^ri$wGbDHk2~VLo}4j0d~T4DTfDMG(6ZfKV~1@G7xOBkOaN8ql7Kh!!M{ zvKAhR0k|JONP+QOX0!x-XpwpjFAo_<`nU{P#k%2va)1E zDwVEYmxO_v`qf?4963Wzy?$NMFj|R*KYm=kDsoZ&I`~)}>ZJcIVsON2_(rJu2+}V8 zx6*rpThBN-wX(6WtCF_Z^PNdwCoh)|xdDmIcBw73@h(ieh&py1M2(tdj-IKDv%@8~ zL`rZluyfyf)I-s#EGMTQ$DSFv8fQ~T3KU%|Jd!iyQ8|_b`VfdwgqR31HPwQX&cy$} z@@@-qObHMJWL}5G=-tK&6ANk{Oj$kW!o#IjoL_chUKZpK-w)e9S0i~-Ku@THnf(XM``NcB%+1`rca0i94T|X3>YMVP|BH-k)lL=SEs-YTRq#=UT5v>k$Oixz4&zQT%{@^?v_54XT;Ljp^#Y;nBEz z3H4(iIv+KSLalFl!n(42i|`Smr{=wvstwN@EXumW=9@-iGh{BHePc+|&afU>weWE7d zFKM)#CDBftUa@WZVYSKZx~IaYwm;>BkaH@zuSoqypfL6*G?C&%QMd8QXpSHvsZrYe z99Bf(*HfA=mfail|8(Abi}5BFm6w z{e9u*l_n!%Qq#^#RjFVe>h&73Mg92%;F1D9-+hhB$rqAohU_>(u0TzHyv5}vt;1Tl zO`;wcAa2LMn{rJ`tECQXn7(WF#&Y(l&Y^bKS;&vw0FT9K-R>>PMx## zjM(Ws(7fJfc}NyDL`@$R;Wh9)&2Q=%85iE7cVMxRJ;Wh}zWqzlr?dIIx6IO2@8l$w zS(cCwerwIO9)#gv!%h8}QELnlO^maeJ=F=L&XD{z4+n%BJgfQa%cs-sC!c2eIU&#h zBg_J2w>!@?8S<=-)fVNgp70H@*Z^6Tow2vt-xJ;A$%^i2swhH%4^0?DXRZ_^RApZ)~KyQ>QY$UpbV%mt>tk zx28$r-Rp%DSa=G#5~KduY=YhWBX3+%?C$d?pBO*f@h2DlBeH*diP)TQLn&mBxo!`C zT$kp&)Hgob)(5J8G(AzRGY|EY`4)_%JqK%Lj!d%Z)o`2)X)DL^*g*H?>W`H0UTXF_ z-Hsn)vv;Z#3y~Ok13ejJzgxX;`&s!t4ersqI>PfnFcjiDu&QkqtccPpiUVM z`0~t&rIJyt5Hv#2~QE8zaC-H!Zc&c*Tpx5ER&<>mJ3m;#97W{d`u=ZG0BtP3gjJ$)?e z9?z^tZ|x-0<~w2`Q|i}q+FIrv&MU3}tmwwh3dXr0AXj0BL5Ru>oRy__Oz^|I_f@PWW|yJ(KU|*UbOZ z(A@lQBOblJo?ic3$ldQV^Y{__`?CEyf4o{B2z!0~ebL`7NNr=AA{jUj_NhYafd)l> z`|1l_wODs{dX1T+NMSAT z@>u2Z!O*m95*=vh4a;e0wek&S%ctk@NOU9#r@W^D;nEX4R3dVt+q*N*^xE$DBy81# z8xSNnRB=;GqsWG#l8B$VVk&w^hv)9{jZ-!;Uw`_?GqR(wrd{iN=JGZ@{|O7-j_9%L zk6*nwp>CKh+2=)fdD_(r)BLxnSM~2L=k#Uy!>4DW>}MRmPR=XSRw&ov3fJ6w z%{F~i?H>sHLg4y0>$Pz(-bkW6=Dd&uWd~*E_Auo}quwvdc)JvXkeG>|t%Clfyr*Lt z69iz6vpe2*3ku2(34|TxzU|vBcykycgt3xeWsfVak%zriD*w(!=}@Ull;?_dgp}>% z%bvVM(Cg)HvAfE%liA1E9Amb!+-S455T&{4;Y;$`DE3(iglZh{MIc^!i6XYKrvZAS z%8%-M4z+~mG`d$M#x5*i#;<|rrOw$Z&rvNAho#>5=&jC(_lQiBW(d_L(5^(m7uBv} 
zL~=w~=G`2rXj*rZ>#~W=+Tf0l{&|2&n!3~h1FjiAU`kA&Z(*|+hm5uvax91lR>(+n zWvM63Zs^s>|AAOD5$|o*H)&@Esi`?S7~4V{qrX_a-rcWR*(xAp27n?`Iml%0xz6d3 zMI1pf=Fa0j~fBC#v+s7 z!YFpaW4SGb?Ef-ufEYHOeI#pP=CjYYy+Cd*0eTb)qniw%b4SNLgYNuGsS+lD)`n>f zoxqWxWe^Va46|8lAVO3@k4}g5+2-9mbt0NFd_=;z?yyj;Vz}85Cxaxv5Fae3ItXO) zA0_H^EkW~!! zJtK7Fla9!AqhXQR#|c>+x+N(bU}?hDZOMP}V^y14F#0qY7E!^sozu6yE~~|DgXxz3 z7XZCLLccyW?wChl(~C$d#U8&U*)1h^dv`p$p=>%(ggDUDA@(4s^WJ~Je-Adsmdtj| z1J!Y^pJ23*wR-PC25W8P{r8xyk zu=h4Giw7=AO0;+o9OkqaBY0ojdw<*|k<$lR^+7sHzl5Xu=??uA0H1N0?h$VEZBZj6 z+^AMmOgHxqFq%>wDErOJe&U?1W$jMOM_^VIaJQ4o$5s#Jl0f5xT+=z>xjbhVl;twy z=%FHLFE>%~@0a?s8`$;fCG_mYJm@yB^}FZN#|SHK^1k6!e|*1ub+kdKfCY z)y*X+-@Gg-oehAhG7ku8pbaGQLIBv?cD+{7X>9|27L>cISYBDq<1D5V&Cj*tm$z)S zSC>6(2Dw<@6oZH!&MvZTEh@=k2VeldVkHoE1A&#rAk3faV_z!O3O)bw{?dyE+Rz1)*}#n1nGqv!Xy4%E{LqR$PL)qMjVE@pnO z;q{A`|47mD`#Plc31rc8visbq3cd{5%e`ck`1oH_bo?F*@d+d2_rI3-08#OOk1_Fk zU#nc{Qf2=ul@AdM|0|A!zXBHfN5TIBG4NLy*Q)XF*U|4+jD6oPF4WV+y7tZr{6ytu?aGVd4fpZcO|8 z#0L+I_x<9!1drlg0bK&))jvtJ z`tVyofsyL_$EoiVrM}mK=^df|>xxg`R{~loHvJciOy5&(`7%-IR}(^4j!6H+@#t6F zeO8V|zm7!zSo5$#xYYkSG3ZxC-)iyazxL?!{ewoY7I}WfxbrJcR)5{`=_AgsIJDKG z&97t4cRZ^{nqM`}{Ay9=zi5p4RhUKJ`11Xu%dZeyzJFx-6<6yjQRUY$$kESmgExauECeziFAt3;9S88Cf?2=Xh~)cPC3?;kt97b5N(H@;8Q`1{3-Ux8pB zI9~ipR>{EPt3-WcNaG2;8%W>$y~|Fs@+_l^tS8?L_Q|9%nS`-M;cs!t5U z2eLXle$c=_LGj-oG&&Hv2bu$hv>IM-Syvdy5;Ob2bd2z3*MH5-Oem@DTf3-VIPM<) z^&#H%6)>OH%|4i`_TpOM%RVJUwb&Pxm!?{sC$#-!PM{gNOH8nO5?7I}O(o1>AgOFMIsr%I`=P3?#RkIbq%Ixz=FXkAD-B0-=Pz9} zQIBR_|M4-I3vvYj7&2KMgYT;?l}XJEb80{O#Ku`Y9chyuL6ZbeA%qoy@KrL)iH;pm zvse&!D7CCpsicYE@?!!8=wzuQoMZ&Y3pB%OM>NnqHi7iEJ!ved?X1tum5PU*--HusNBAz^1sL01|P;EDDIuX@QUB$UZ?dMiNn_C_L7h8JW*jjx{0~gh0qqCKz zmx5%sB=$0!m{bqujgVO8K#6K^NhOIP%B%(e!Vja(P56-}d4?17GvZ9svp7aS|FWT5 zC9#Rls$YKkG(d#KXz=;-H|uA$#|Y#DoYHCrHcJyiCsebs=m$|24;Ofz1oyGOzrX+D z=m`Gb-`}tP|Hs4qqi+t5j{bP?;>EN5XV1RbKYX@-aQF?{f7FqiCl?ZD-|XMJuj=4_ zCy!b~bb^K-Afw$d%3}2o#90`8{=DG@?ngMKkgow2pp9>Qd$6Gwv5sD0_2x4&p$yjV 
z#+*nTV~N#@2j^SllM^Lkh;f|q*wUA2SuqS|4}uK4P(*6N7R19+WZ`3!Gy4UKdb#wb zghAnPPLr5q0JR;{?f&rjaDM}#1dmB#x-n}alF88gIs7=#P&sB*{ot|>9wW*o85T0j zA*QolOdALRrgiiawAsAuh8mJhG(^84Mw!A2Izpd6ZwM0|7_1M+s0nMV%3ezuAK-mL zh5T{(+Z!rmi4#{QN^^J0rg?(1@>kWah`8DsTo7?J5x16KZ`kwKV|06<8;WLRj_pRo zQ^HOz&p$jHm0nlXpi=S*T6e?Th{F~xq(~3B*(l_XdP71}qKb0xYXztY6J9zA)$d4b z#-?F`=;0;_r~}bU44|W{3h(~*Ey*Ng;+Qf>R;^oe(K&!8OC8pMDb-Fb-6G?5Mj&lK z&b$_MzRE|BRc@ucO2F<0$!R(FKuxXz?VhBwWoVajhfFJ5UcDM!`#0pNDDqp_RU`F*NU1rOlmG)(4u6dpNc(UCT0Xi(rmp zyCKy{_SHjQ=k1neltnbf$q>EMm*!HO;kmv62;*8<;zK8AC?*oqq~=_^4YK?rO(@P5 z*MwmvYr{;`xxf{$6-^)sZ6F#iyG%76@VBZnEKeX?e?z{)X5CdUoK9rFF4b!{JvZMgs=YsC zZppYTJ1!-L;_^kd35*1Zvd(ym9lB{pGLR(zH6Z0EE;w?~79rmZaBvbb&xPiSFtQck zY*B&hd00oKj6mGFn%Qc<(Gx`c^_P0GP;LXXkA2#A8yM|J?b7g%-s~gI=)A-{`gL0y zhj?j>c6qB2^2|YT*|^A>vD>s`Ir~Bb809?+O4|fd_E-<-#I#h{Q|lI7%MPXUHYVh1 zMY3z7s}<;fZM<1O0Z)JX&zQ29vS|-9P>22J`N2`u{&V!~=*8Op^AyjQw*OdiT3dmh z(hBraBfZTSWQw%fgxut{S%${0uctN;nIWLDcBqzoS{#roG^(v0E=Q_DDUXEi|K!coW!uKC@tw)bsAtqGC7!I zhNoJQqf9ZpL4*fN7&}H=pFW}C6-kJarV4}h=g)heJ_TuClRQau#`+=p{CNOp18h1_ z{ciPCEWaNfK8a#kQ|I+8Hr=eD^BwGn0JL|=Q5bL^O5&m!{NW_>hn~SUL|3^PhV(E5^k+TB@pc1VEBzC`@ddUf@H__$zyAtLIxS!5@CuG>vTT{4!h`g1B9j6e8) z47(hG)=O$RZfV=4szNY3#VH=sgx32ul@VE6$q)YG3ZTd@p@YW75P6*n^EWHqbDP&; zydCT6$rG93(dg`z?jgX(>3z9|flYX@nT^DiEXJ~MJh}>YDN7z?a+UQU%f-|)SI$%FD<*MPUafatas_hW6qo{>sk1Q0K_|e6@^=2q!UJ?t7 zr_o3D$v~=G&|Q%ZBB(mOu64w#f&a89Um1dF$zBeegWS>3WLuo?0eZ_D^YjcrNq@(Z zrt7Y{z)u;KO-*#(z*MMJD#q)VK^Qr6#objB`m2(F(Ce2lec-%kr^-!U6KX=@#CJ!8 zPx8hz66I{UIYXn;G$wpXBb*>5q}kB@=Gd-)U0>;TE7(%1KF*sgd=mAN8hp60j4{*U z_sh<{z$plhW<~WTTHaHdW%(H0##wk7Qw6B{72Y2y<=e!v%Ub((78W zqz@ObmHv#z2_JWbF6a}PsGIPYaQCH%AN7k75gfk3l57EanN5NJ& zvUm$ap{a=9qGtamDraW$!4|H=or81e@nwRg+A}YB?B(Y%HU!C$(R<4c*A06Y6}UZ-f8oMU zNNCmgT|E)xCFk0!>K*`{OB;Cylt6_eSi#;BMISCYL&%0?qZurrva>=Rik@=s(7rn- zQN(j5yOv8p&z-$09e0#ZCiG*F#Prq`cLKHkr4z~HG$kx9GVL1WM{ClOqbXrv|I#v) zT3PCg$u#ADyTE9a8Nm?!FVm9h|9}7ee-%*w?B&1{<;b;nJLG4u7c z;f*Uc+;l=CUxhSDHec 
zLI0*nEp$xsMDNRFoKL6F7@x>HoDnp}N+wBg&Y~HjLcrO^!{fRe->4@$Det>W6;Z4d zpgBk4NDsf+CDRX?d%pO+SN-$31HTF(No|&d9Yd2C*;I)w~GxQRxLY`yE1Rh zxC@ha%S876>byh0C>@WCs+H}wqW(03Tr2Qkb5MolBBc>dl7(A5|FB0~|7*T5)l4nL zzyJ3TME;0pWOzqe%!*A zdiv&Eb)oo<>f#^x*QHeoSqKJ$f8``w{IIq4^Do0s`pjGXyNfod&}768v?w3-rD*{&0&@Q_{s41506^QrdUdnv19b#c1~N12Z?0ep#lfXwB511 zTLi7H*m29ey5$I{Rl2DC7&BpxnY*Nmwh~PrTv7caI>a2H$Erm^zHc;j9Cy? z3Hpom6*JD@NWcmZaIggjfQ1ZEYW6(+@Io))Q=HI~hc* zzpQ2MrU4Y|x5mV5EY#HcKe)5Gx&-;V2;1B$5G&Z8?wwqo8#HGGyiv@-qQ=jOzT%-z z#{OD&l+i+ywDBI0If^{4KOHF>c`Bi;ti{6JM|3u=2D#Q$*%~c`By$^mVaw*&oTmwm zsPq!bxSOL;*=k_1cLUOfp|-&)FdBK*Bjh=QKsG2J3O@qGmi36iEXIji0vhRVM==sg zT$1A;imvV1v63Yu*2{4X=TQSx#!gKEAMjp8Fvrubuo&m6jDPlG25!R$*-%MPOmc{X z6Kkd9!-aEr1GPbyvGtS;!sk>0fnGViO>MSPy-lDx)>)imU!E+0^qD)=rX6>K;5_y%&*y0%T1E~vrx#!lyyIWg!y%0qkB^V$eS)d4*XplO0z(&(3yXeF2x zxKtIvc`ciF=@qL9&83!fnDXTfE&6|zU9RE{ollppzri_>hy?+8zFU|VFcfE&54Z4`%gh0p@LK?|EU zEsEy-S`fNWD{Xi|8PA36Z3D-x})Ay9mDP<2hYORgFnR=QuGgG-7DnY!v4?8$=DJgX10iFesDrY&+>OODoo9Z`SFNArPu^@zP$=o~MK zD>HRnHzLF%+5i}Qxja|`_A0F?{dPz@U$><5V6tbobn`Tl%|i{SRhs$AC7Fl9ft=AS zzQmbaoYyPo1wM?K1`J?fXuB>q?jqB8s-2<@OISetSc8O8Rjr^oZR*fUjkUQH=9mf3 z5N$b(2}z#wz#FpTN#Z77@58^teYja_?~>S?rS*Gl(qe`)5{Da%wnl!1uIw!#Tcd7A;EPwtk4&+E@@P)jZ6Ii{XIxIzJtEq2mJda82v--5&v+x|;Tq{rZ9%DHU~74Jz5LM^wuF5Vx?G#e)*^b%a}QHliJ3Ra z@TC>=(Bgc{$EENE9Vg~*m%<%*tl2pr*+jI|7IS{RI&>VIm?vZ+QO>-}_lAssfTlzu z46&{fQqvx|+PLrMmpYJ{yI7Nt8S&kC&HEzdIpeV_rUN#>nzV^H{Ejr^2X7df3Auza zubXYkV)7B~@3@4|RMc1s!Y(;iQSI&=;bnZRa%nj*N=6N2_2Ds^BR6$RH|x6?#i(}PO3TrY7Z^z$5Rke zDRRbv;>#t6`1WD8UHR3E?QM>9qM8@#_6by=Y6hkJQFd$0Ia7!Oq(OdE>^g;w2F- z>hCs}_1aN;5CiL6rq;0*Bn5a&=?gecx~Pw&(BTo(6|vyK;}taf_qW6<=!jI%6{nzM zZeu!`K;Qv$OCtevx4ndWuz7i4ELpO(5HSq#K&1~49+P9k04anwu zk0`*nW@kRo%&|4{$~R2>wYP^Zhw6}MrekautR1t3w*pP*QEu>$-jfNnwghd0cF|JF z4Bt|oAu5hb#fk$KZyIx!5Fzvtp&_w_!E=M7Oq)HXECV(aGF#glh@i2G`6c%T6%r}f z$3cUr?^a_%Z_H~Gl|=2!x7U{!S`NOOskK`=pY2?^C@hkP69rmhATNz>RITR?(XM8H zJT)u1K7zApSqCw>C7B((Rf-Z8;65oH@cm^Y0igrXVe0!}jw#e3HsMeY(oL^I5$1o2yv!Exa(it;QY 
zOeV(3Dz03YzNcg6bvo}iaUY5rHB$y87d}@YkLq~U(wXnPk`Rbr>V;RJa;~MyIl&?~ zHdrs3Fh)0w-!U}hJl2y3W*@za@q|VTIBiMXwdKaoB{fpf2hOOl_ufmrgV%ymuE@V~ z!X)}|0X+j)EH_KWg7xf`%$(lxBGLUNJ=$Qcl*0Tyt$>3>h==oDuCy|Dpe?D3UK>l{bsBM5DL=* z-Ild0LScEHk%UMPan6Vh>D~YMqNv+gKy|aq9y!M!FEiS7T?MnnyGavN-A8hRfH2Nw zGp`1wG!Jw9k#Sv`y zoLL{)ViJ34kZtF{&6=Zs9Q+VzIO;)bR6Dz-s##z4mx@xJL70L}ZOi9By8nR-vf%=P z^klQK%lO#jvR6fPQQlJ8`I%*`nHz@7@n9qituLB0>1C)rcIzDe!C`SgnQj&8YcsbA zSmG$MR8SnZ9#0ZB$W3O{Jym=F-XjA|u>+GIa?iFnfEMeOq7Hu8>|Gz^S+D2c**{jq zZXOotny(j8r#z2+QcG z3a4oTiV4?3sIKe{x}2fO@}4>b6n*>7TfV7(1st^S^xTV3bMA6+cd(52wUu;W9_vQ8 z6riV+AH60-&o#K5O-Qte665&{G5MA#O7-Ic^^p`S%19Q)UDi?~vXVh%80as6BS~+` zAf_4QN?+`m9tXuRbb8Q%%lWl8<97qe&573_$F}TZ5G8a8qhXG8HK;C&lC?N$M6wB> z>qSB;M^CCX&UYCO+HAfxL)uz4{aTx^QNIiRT^^l9fLx7^zU>~{XjWoYi;1s^VoqP70CMXqN{eX$q2xzlnLwoE)I+FjDzmi^(PfNT|_ zZ@a7(w4t{4jzUg^(u_-@l*4vIWO(AOz`)njo`mV@7|gxS8N*P>4^c$`~KjK^e4*bY~^@t~^)EvIYK zV_SbH*ykW#g9irEiqTWG1qabIWBlnu7!E~-ti zkk=Vz0)V)tfilw@ETq0*2QD9O5Yjb8Vy*BgD$`tQIRtWHY;)IBa~6{{DAs8FUI7)&d$%SI7NW!uF+>*O3`Nd~ILRadCV{vUSr z3C;33W+)>#h68+4+4^3n5xO9-W1ef%M}hO9@2@e(3pk6Ir*$^IK15FNFe7C={xGb;+_? 
z_~#m)jBVi{D}x~H8o`-Kl$eXNzf{X9d5!#wWX$%6Dv~xp+?&tP8bLU1%3_X&71%Ri z&as}oR%UUXW6OXz6lnne2Z-~;!a#fakV&U+#^)vPK=iYL-TU1SZO@P0Y^zaJnwW;t z!o%y@HRKPh^DJk31jyMVZv+T|Pk(?q*PKEsg)7+152PuQLmT@Krm8UKIu%PY^tFfJ zE{kb|A;KCKveIVaXp~7+I3Qbplcz3Lc@I)kOjtzWwKSV>ozZL=oO8~yX>-)?vhJp;WyH|akjaekcG~p45S)MLrrfGA2kQ*rhtEW$GF{JtqR0WGjf7&FoODkgQ zd6vn{mMz7Xx~v_SV28IR>Wtz24*e5oVr0T3VJXQB!y}%!^UFPnn_Ua7TE&%6OfG!M zvWbz4$aA7{4ksB%-9%y{B5(H_56EE>W=aNGH~WEgwu(jAki z$R~i0U_K2pyI!E>0PROper?2YDL~(QIFKFdJ%tLD%r%`cvkc9mw&+XV*ATleBmaSRpV;elMSqp=R;rl*vOoF*9MX(kW0dEqHCB+qek zqjYi;Y1wq;lo>AY4JF9l02TZl-Z`Q!ShVM4K#@~g*qGqJr8b~dx@cv!FcQN|d@wOw zE0#>jgnZ)}FF=vSU>qMO;KSV|;nDI%g7C zZi|d*dcRBWcj=#VmnKroUgtt^F?;3it>BQ|bt!+*Sdl1t>0EU23$roMm}I&eWLT}Z zC@ZT|FC9nBu(-$zpGm>4b(NEel#5NT_dn#?Ch027U62IN!ZN{&hiE0*CN2az3)K)Q zWI)_T<|;!)FU9xRkZbMm=n6#gEFsPv=zokTwP|&7EnhRG?Wi}_$#48}Q+_fXl5;u3 zE2I}ePOzcj3$K(iOPk_c+=X^}vw`(OUTeW!myjYdx%J%ay_Mx*lo4;~*pJb3)o!J|iCA3S;TaP;uuSEIv+ zkDeTUMMj@`@aB^%O|!2?H}0!CxIf6p>{mV|!?$pe8Ae%b{saD@gO48{&;_^K`-sp5 zFMNWA7vHEMm;09o4^Utr!h=&x3h&+rDbv(xm6%Jmx}4OIi)luc&hiLOZM!Ik*8}Xu z2r3~YUWBcfidd$t%U)&(;lc>WK|}}BOr}R<`@;t^e2sXlLlAEZ8Zq+mo|M7qjnDQPBKzhya|49TF zM#mzL$j6Tl%+>b@&x4Y)h|(F=Y_>ciKeNePO7vg2!hgGCC`!zo6%pi$b2p;j=ORwn z5qUQI?mPdrRY=0~8JE!ZW|L@X8Q6BWEA7G(X<0g9`32SUBeIV?aHn;_k=N{!vnziz z+TRD{@*w!9n-NgetFv0S3q)~DM~2lh^B1`R3D^)EbcBxpfn5!O%Z2QaWTsinyuD+;9R%1lgV}QL9In`da7n!`f4QQh-CEx?URF9TzUkE~0ZivrHMFtM zuxN;)f&GWyboK8%4zvvMp;ve@VTlwowMvjX46JZ*Yy1~nok+Cu`R54F76FyxhB*=v_jU%mU=&i@&jefQmWTR}rxyT1-shEv^>n+z#f z4&IG8oc;xihAV!?*nPRu=3SG(C#~AG(;$Z>&o$S7SabdU&v^=YanTs2xQLifj*IuP zni*}GNmtjjtF)75j@qZQ@(zjJmcgG3QEp`1oTc7|CKpURJv({(a9sMj#T^e;o(sK$ zO5UikB8$PF!8ciN+Y3~<(q*&k+iz&JZkwSapcT$6w!`wA&DbJis)*i0RD9S~L*i1z z+cye(MuK^ACLo*~Tl2PN3k}Y#ZyB1^(X^k^CCM1<)?5TFpyho?P9-=APGu3UHRIZ; zr;$w4TyVYI5Asy2{g_>{WMA>wfM(I0YX&FozEL26Sa>{8!!-VjzeaD@+|*aD@Nnd| zaM_%>E)OwL=ldXu*r1*?v=L60^GJfe`&1l@V2M4O+2=-ndM#UA0p zQ{}d*1ZTw91}J&pm}Ou9^B_;;WJ)H|8g$_|r$0ESq>z^-002PB({zS*V6Y0ud&GIv3@~;F;lQCc&jS=hUKBs^1x%-^{0J2aU 
z5K(!MwElXP*O(c;71|%!a5f}YOzB*$V&t|EA!N*sGs;0dk$DY9SNWiMSt;+Aq0}@X zG&NTg*!<|LYold@w`f=*YQY4&fyS9l-9v$rGH4WTIj+cPkED#+6hF2}aA&vAs?Z9H zVK*C^sIb{M5}tDHvNXJWb^aV3)2jn01OOay?=SKRi*$nRk^%VR%3Qx+EB;<)(VT(h zf=h8KxM|c<2yPyQ^Nq!sSdn4H=@$AC=Sq{5YMUFtzfYM~sUnIo z;e83rjN`$hNF+0K28k_b3H1~h1%F$u610ZTL66|_+K0J6BHp62JvQ#%8vYnr$HnXo zD7{Tc0}0d2Vh52|Nz7Dz*j!4l$9XnmP5FRQdi_TD#6m}8)Hq+SL#o;tk79U{$R(f~ zI41b4OA@S7G-8BZa|PFns`l!=fk4L+>?iIegCe^v5jHf!O zswD^y3up!)Qt%=k%PXNGnn3oMx8S`Nc#vm8xafGWJ zATcbUMSwEaG2E`q3P?js0i>;^KnDRmf@}Q_ZEU0k+KTjqw<7%@u1L6)niGhXrR;ft zd{rdd@$ny+%+3NiM{^eEiBat*@{*M>*;{92c!SJYfnhisx>c+a5smN5EREDd0OcZ>LpQ**;PT`3%Z>wNhWhV zH1kCze~@?dJaP^r2<&H({2q?}_nvj?yK=j2%mU6)z&2f!VrjhRNmdqIO4Cd$>*M2< zUevM+KFcJATaW3{vniIq6?Ppl7L$XAqyJsU%^`UOStpZ#!H}e5VpNI?o&Xkj*HET; zrspi%BTOjg8fs{*(CK?{-i9<#(gUATJ9u;X(yC9- zWW&9j2b*PO5}k94N?Vq~ zjh@EKy&hEfJvWs$>E>if>@jWjtgr8Z9y=_k33ZQbb~!y$EDyOO*m?P&GoEf+TLyx&c7#v_`LTyP!e z&gHS-4aHl&+zR)mwqR)oQts`kd%Moq)a(G4;mw93nSIJ=G%u>#tjEk@W1r%Qf*rfs z6Q-}sg?EcGr3^6KUzqG^o3o9cX?TlINh|y1%_)1E9_T-2LBeOQ!$-`0d{d%KxKnLG@r( zdyajG67YAM#v%nd4MjSqquF_ez}Ze`LMqLpUN(WEbVZ`Z;VuSfou3AhL-q(KQb$M3-7#9 zEOS5JJO#CFsiRcTXGcjluGV5b4}rYsb&WX;Xbtd0N#=smoNR}b96tX_c}{ODv3_|m zzIlDp;~rE_hFfjG9b4v~VQ!J8fq-qr6xPdyh0k&u?!9}o`S)~btJzxSJot|xTuUOE zvEdaa8ygCy_um7ySxT4I{n+e^rOd5W)O*yC_*e#)+mA_azb#Nulg3mRFFUy*M#l7+Gby zcu#*{+09^i9t{4Gvuyd@_V&A9haWJe4Ka|m%6LLsM`g64J+cMbv!iS4h%Auw=bjCw zz{lTk4j*-vFOv4Tx$UgdTP^I;H1IQ6UGqIeL5HH(-F3Cw z+H~)|`|K#d(?+D~@o(u6}ndmuD&N*cGywa9;_!*_{Ipow|1Oz;l;ph z9IS1~aWzA2dN99x!WRi`eFv#VIwXkfi@Y|K!=x6sb;!eRTJvCk1xIK7+MyPzPEJY2 z(7g;et^DJsi@fj&eaH_oBNkD6&+cN3hTU_SLh;Y;6Q}Qtk@ZXpotcdq7}c8NNM`B@->G#{^?Cc{JB&wHkurzwu8^3B&Gi&GqXk*K&zXT6LW=; zig0k0R>i?L!_lL`i}UdwIUF5)J2wkY~46fo|NGHrQ{!gA^&zqvZn6QL46 zEjX3s?Oy?^v|`I$Di;~QMDG+lRP1rmF2j0GMJbtJWA4M6;fzZatD$biBXih6%>no+ z$JUX(t7cHWa(JbIQU!7bFIv=kw&EFsirT5!rNdJ$WH$UB+=paFwh`fBdx$^p5%?X= z^;pPMjakG~@9wIG_E~@FtNXyF0y82Y)N4>B-&phs1^3t?d49=+yTO@;T*G_raX(Nk zh13-sZ0k`=rqwfgNT#8yZu<=1uJX|54l(P{B^#ka-OtSl)Iv&I 
z#Y@|xUGrrAs~ocK-Y9o_g#S@Auh7BS zoim{yKPB(Y8T8&iBS98XfQ7@@NVLe?3;EmAeSnM%(r4I5bDOiohf_L-LRfLIxdM#M z@yU-)zEXu@RZdJHXDm(VpJK?pm22_mPz;Cn6Ht8a-hxyo`0jP}RbBmll?GGxnJt5# zea+sR5AUxI@VOK7Vd+q4yI+)c*QdN{bQD+#9PJZ+y%KC1h1cn1aCvFXR)!LN`X2;ST{@w-w^n*G#O#`kc3p>tA@vKre_(5slU#n7ln5^WT|+#ZYZM z)Dv5Ta$tTgTw=CaINoB(Fe$(7gmArQ#{-0BOy`+^{O4IFvu^M3E~}S)TyyKY^}bz! zi7Z#F-q?H?se8UVIWziE#*{)xHjMLh?v}*@E2C2xIbU)Z?jCYi2q$jJw#SJp~JmY&GD<{yZ9KQ(Mn2}O{pnn4)Fp48v@6f zHG=PZIF0oQZvP~q?Ohmstzqpwg4+9pwD(vFF`rH$KHUZa^yJcUrJ7I5NZ4Y|QkKyK zCw3*kK&p=5&Yll)i+YskMv7nIEx-x)zgYi1$3(9<|67XkcPzN!j#@KB`b&%M@9$CBCvf=-30dy# z?bg$?Y^{j?yN&1XKYts<^8YJE@~;=i-#3c?3)v84-3b0Q;`cX=-oKCCzmMJT6}#Ur za({!k{SBk`Z~b&xGdQ+a|2_Jas=cqye%dwRf$d-u6K1aica4K~Ts>$z0@XLXHnYkO z>#4&ADLM*|EoTgao%%dDMg4}evDtwUF0LPrDN+3jK!6P!?AupOI5b@E8U%B@i1pSa zOo*d8V#xd0%-o7t!z8gi4(c>4i1XkaSw$<*WKJE%p&c$2%fK*f6M0EH7vv3_a(A~c z=O3D|IlbgEBU~MoiWToL!Ib7AVM^gEqg{4O%kvihoi5u+SyyT)Xhr=C01>!}nIsPe z+H=-QylGIE{q9Zph5g!sG?+8%^8D-+^~bBZ+3TgJ-(EYN^anQZ$E7{@*1a2qb%Wu$ z-5-vvX6K9gg^MjCzQZNULadG%*EAuD&ji(`jGO{4_XJTd(uEXEXa#(nQ!ocR{EI~< zBeN*^G^mcP+w4SB$`e&K^@CTC)fh-Lmr}t4husxHw5!T}vfF4*#f%Yo$uf9(+#^wd zk`1q&UbujR>@E4Bo-fk%C-H4jt7iIODfXW?(Ba^bf@^Pb3ra#xQH`6kU~7t+Sjwo% zt$j6sNv7mN$SXl+QpPxuV1mKZ5Hq_>sA7plEn&?+m#$@Ity%rsJ$B9Zh{oi2G~y6;YH6wv*= zRH=j;@6X%%!yT0y4$}r*mv1bL!}i6LNJf1+W`-+KW9BB(MzwYkt?7aKw^vCnF=fCpZf4&oWdVzoabLSm<{%g-h zc6a~wzZyyU6p1R7nu8N)^b>2?H|4!P{<|;kGkA~xj?SkMxnN5>p?e_spFA2c5y`l4 zwL^g5@-yR*yx=0gwl)r*kRX;(o)+o11)0k$kR?o$d;#5J!U6M}bqj9GAxL_l?sq&h zH$$_Bug$lG$KFULo`F=em$FFj*qAnTh4Ay1>b1@p;O-n?1-QxJkkTS zFx#?og$ok5IZWuspfVmjCOat?YPW?a&0^&;eSWQ(P(4qrx2Hw%T6ZN@{A`f~;{Zmm zxB=hLktd*|8Kiz1=IwZUTF`bA*PgEEgkG@;os^KiHm5}4|L6GCOZ#l85s?f_t-iaj!JQ66UoY?e{=WU5FfykiPFNO1U)*#e)fY2=?bC)w z)+d~^9-hYQ`x#?-H*KFBYP7|@wL5UG%Ukt^E>V~1nE&4Aq_*CAp=U!ws%DoDX4vV9 zk};+C>4NWDhzsYH;+<0P1}!smiT+FFXZ|}ggR9p+TW79$&IZ;=tmX$~)yfYo6OaeF z0F0Te!+UM;-PF>mM zAWHZOR~z+*E_Rpiv9)|^WVBUtTyZUZhJQPVI%(6TX|yF+uNl(z8hO^sqjL;EON|9- zwlNRI0y!ev+b}gp`}_OhE4bSKQ1Zc#Kkk=&_tpM~(%(iQ`nc~#r}j_%Ij-LJc 
zowWbKQ3Wk+Z#P-yJH&XK2pIXhm*MlA%D@}D?Sw>}d z^2&Z4Lxs|cmlMUZOF&Jf8aDdMCNH($ynG`mP)F$!de3}8Pl>hi5km`)SV2s!)Y)+N z`+f`Ge__XOugpeNKEvn+8`Ea}XRJT4(Z7(kO?Gxdl|Ij?P~6=gd+qQSRB4O}0>2+W z2<@A4$yd!0folTa&ZLIm;L3}mkG9K2%(7(3#Vlymn}tuN-aAN0jb?2S6~bcNnkIlO z-=JX`KCIeS;2?`4w$N>{O3tCt9Qy;);$|D0kd!Iag7#6~8f2cQR6y=lcucgF-J39E zt#w$V6LTGh@p_&Q!*}GAF2RnOF6vTY_M|>zR5dHVD>?qLxYxq{3~nn}XaT8&3-XMn zEO|zieRZ%Ja|Bans7L#}e@T%UOu7!9$`zmq8`;QWLdh(r85Nqb*tD_24fn!&BaSF` z$uh1R?bDUJ3lwwhz1 ziD@V;JX)(=LwlIeZ%WRyob3@HXOFxQAOtq1t2xJSL+ai_DupZ9%nxLhkV6~F44P)J z!cVDKlA*6X1oySTiUtc=X)|%uC?SP|pnccT7c0O@1CVcWJF z+jcUsjfrjBm|(@WZQHhO+qRR5CbqTnJnviI-rugee)X?a)m`_h?&CPmD+(~VS9Oow z&LrCxV;BV&9JP*AnolHrd8MlFZipetB!L=45C+y+8XhpTFMboYMUMnaJl@&;Agu?_{kv@|-5 zGww|vt&y@b*bOiTklW>YCh9WG1%#-_QT4J5wWDcX>?(}MJZ=gsOC4v-q-jP0%(c^S zuAzfnr?&>PZ@EvP)Y33r58NGKkG4JF)lgH6-ZgoMTzY^hhfc=>1CAY zqAnN{31tvgBgmAQ|Kv%TY{?2vB+rVV3~ISir?_-X8^W7viz(&=mv4LuJ;K4cT@E8` ztd-x{!a10z9?Y;_?6jV~= zo7__CnHMtLI+j-Q{Ql&#`}O*4E&LVowgsPG5^099mxfk?Lxm0Q`{YIs&~+yg=}+YC zQbJn`bBHGyO4d&oG=$Q1bIPz3v!o7H%`X4s+M!S!%qBDc=i_}5D3=*b z!^)8fz?yMj+p^@=wP42&`E(}TS=i@c?=h;r>5g8519giAacK2->T2T@yTsvdB!@`3 zM*rU52_5$vShEA2-`RB1>+zc*VS3Vbi^+S+$PpliDkHS+9U7!vujZ8~qzct)%}+1x z>ZFswt4>PgtmBxVbdW?*djfK@+`@OPFOx>5p(7*|>04*dvYR*l4y|H9A-dY(u+zdB z0ZEFA`Rq4jh?NjZZxo2P3K^Jo`RU5&L(7?i{gfE=eE7q*h0Jr-OB1TrK*1eyd5q-Zx|M2{k zsNPAd-Xqci_S*tOo%@44_oa=CgBdqdg3rrKA&AN_j4^T=qTzqB{aX`50#9N1Ckqq{ z#kG&OAAaN79YpWP%^!iZu<^Zv(b_Bia~~_8USQoD|IH|<+4}1_XfzN{jq$p;h5aVD z0$Kuk^9-kl|1Y(l_(sg-@p*Vuhm0lg_P#kBADkZy)sIFXj78}Aiio-j0B&DkeYbEr z=&1;N5A>S4+E-@wf~{vCq>P;Q1=?}Bxjg{w*mG&bNAB1Izu3I_i_3QC@O`%jY@;tj z{x_+{$dM{A`<=)ngDV<)NqM2}|HbxbsGaQp!S+)Uh`&fftToq>>t(dJ(x&DHgX6UV z!w^c+Wn#ykLJ^H$aCU`4h#WCk4G#}SKM@I`FclLI1sE@s% zUxUF`SKE2g7-bP-!aheqg$#~88G%mO2EQqgb+FhHc!&x4`4nI=@bly7@y(@7RT|gt z!akHO!3%P^bVF$@H#K8t#WJ!whW}(gHZQ zvnJ>E^ZW|II@)z+Z2=S}sS3?IZ(v#XN%3pLr_}Vssh<7VahaMM15&F&=6dEC^iodz z*~z89T^wWhF&!d-KCI8I4ITQ278?^=5l4$_xe3~~VC?$F6;|~fGDs1C7G4m}=v@6# 
zlsi6>cwgX#*~m?3&@`+dPuH{SMMqSC`=e&C?96dcobv7@WS-oB4i01lYJjb#Awf5v zk&#RT$p5+c+ip?mCPWE(+0h4JF!Fdv$Q2{g8B)jcaP3A}mgb2v%R2TyIuN3v^Nlx8 zE%{8*Yc|xrSP3+m&9H$&H`~t05n&K_Ei*=c|E+c2WaAi3rXkB>r_*6SffIYv_Je<5 zxSeu}<*Ut&orNs~V%!>$crU0hX#9hW2^0-K!ho6BC(;$CLzIJBfp=Vz;ZU7b8IkV) z%N-)Zb+ze0I7n$riz6qzs@x#Vwu*n&j&0aenUhW*(kl z&dfoj~K*j21eJ3$`;^>UtVjJug(A331cKdexI6L}^UC2PTs!;eXuT1V# zUr{|z7_;+73Otv&IJAW=rQ9{NR}CbhJ=)o|maUIn#oU0gr)KemQgdt#C0e3CLyyss zUAfXWbMpatJwSY=;2aT<@4H3Jt)6#dn;!`2^pEX;8Lr|Ss}>qNce)Sm=o+!p04)vW zSKz=vM4J#x1Yb6tANIJ#~D19bz+Rk+`}vbz(Huk*(llqbs~JE~lC)&M?KwQN3>4I6f=YG1Y6 zHs$x(8LYu4b7*Sc+3}mzwG}VqYE@AZThLpzOTbOzQfxD9 zR7^Uqgi}~nX!tsgS^WoJBdqYKPj4SmWeC*PFDeE1miii8wC%IRt^cD*n)3wrasuP? z&@ouPNkqtJ-5%|Hn0!m<-;uZRz{zLT<@a^Z<@v|%(YLRi-OIoEKf~YO^Miwfp5Nb{ zFJ3m^zP)2t+27ay9sch7Z}&9EmYw@ubaUtTXI#wE?v;A}G26|{W#4zbVH-SNorq7f ztIzQ3|BiI9?O*wemOYP|p&B*)T*X#T?ixC0-QU5*hKGpy=S@xQ-rs-|Jz3wk}ZnkbvPe<<5|urLn&4}{aTQsl6H)7uH|aJw2b67O8U_QnDu zGnfb=ZZCB~njgVLY2HNQB28m?U`-4YF=di;g=_#LjK_W?X!;GKJM7PM$Kx!{(P<2s z3lUfJ-7G{&wEF&KgEp0@@!$Hszhf}@HKn1 zU(4+um41SH<3uyX20CnN!LNY-gz27eK^R5AzY)B6cjreQ$;rD#qTXjq;D2B8xK}Uc z>11w?xSs#bk|jcY0)U*R#FW}pf2J8^Y(Dvv0H(a<)mY6mN`hOZVAlJake&An&~E3W zDt?$s7f&(HpnW}Wln^Oh!kW9jR?g`s2jaWCT6e~qUdQ40H3~D-?d7j6xPN$+N!;`EiIj4sfVh`*S$^}gS7+5Y)U_f zldA8}6c+;MYALg8Io7Ak2C@=dlMa%`TW8C&L;5of%@=R_;%|*&|G14tlmWQmsrPsE z<6a8x7Qy>vdWRS9n`KXKOmKthWc+{3aSJljz>+BcwuHa3%f12WTkFm))w~Hz*``AA z&j9M(Ov;C46qt+9Q7_L)3Yn&stz5U#)78^U#!> z06b4MX8m2l2zdJqPW#w;|BxBd!3wP#>MKAP0O z8$yCZR=H7*-3#`rOWOemzq!E1gL_AZ4g=__Em9VO*;4j}vEi4Q$5=a@db|_K{;aC` z2ahw|!JldESFy~{3&(0Puul!>yxs2;a!#f|ol*bw`^3+2*QbcL0(M+Sz1BWeZ0v#;uQL^3%{h;O>0%5t`=le$G zEs~O40zz>6rbWhsJdP^mo25fQ{bdDSp$BqF4Plm6-%sQZG@P%&{Mg_+*}QKnq6rtm3E}SCP=lU^pyKQ)w{UvtYFYT}+DO3d_Lh3h;Ptu2D-GgOx1h}nPdf}4cug+RW@c`|S} z>*{JCQOZ@%w40L*=)1aR`ZGyJjUX&uDN zS*W>We(Q?ck$jMCS8vzq5_(ZR3Ys}!C70)eCu?+ccdaU=8L-z>roLYGgsI_|FW``& zcwM}rzJk;#nG;E=4dQN8(pkB5k*Wl%`U)zBm9l0Ama`7%_Ie4Y)2*Z>-{+#?VnPQ|IU@>RZN)k$R&ygo`)B!M>T!!6=Rt6Jp}DC;f$FE{s;)wbxAE`Ixc=k< 
zL#^&DXMHf-U{|`_zSUZ8F1*#$gB5=5wSVR3$8$HkJf9YJcg`9FH+R#l z)L%*e9-KpbHb)!R`PZ{)1s~y|O!B{K(CPw`{+q=YNPzDjR#u)fjq4xY5uSoX_nFCf z76mBH&<{D}G~2kcjWq_6AQclN|F+R){`?-b{nk_XCe($krMTZf?cO&<(%ICCL_c)i z7~(3a;EbE|HvAtqXeTAEKunZ*be}=Sk{(d@cTsimWE^cLF5-njpcW(?mA%o3El`)g zd_~7gS^Gw00ztK$)r^Q1WOrhVY&c6LoG!Y3We?U>))YQbG?26aHaZ6~!bFUmI8J1r zR5dy{?ne~blA;}h|A%RnKynwJpzJNm62%@XDddPeUCljInicqUFTjpwiC$J@0ZIyh zQXWW(%x>xidQ+xnwVUudA;=&6HR$d1Xh6z6`lR3K`D=zTowgddZ7+E$%N%P<#$|^x zrJb--zSHMqtB-1iR|?|uneuXEUDGLgkc@#+!_fzH0~D&B$V~(5t&Qu?(`POU3H zCBp_st-Qz1>V%@hve;I=*_S!`=8B*{{P=%lA?HW?%!h7A`M3X-g}h#WWTEW;%0kB! zg#VR=D%7M>pXU3I0HT%k>oje1vHCIN*GgzRnHCaXwNrxYnGTTs7#>KX}JU<^`XSzE^MX>ZuUcsK2IoAcGvaE@BTiVfH2 zy5D(u>Dr6HpBKwIpl+3%Pt+1KA%N;>4BO-;zPf^}Npw2Pi!0+FySaI-O<*)AFIDSZ zus*+EsOOBKVwn<7a`)}%xK+8KRbfsT4Z$C{+&!mk^`OA|9)SdK7WzHD zj>z0u093f<_-|I7`pxwrkp;zT5+5eUxlYvweJ`I*SuCfUXI*TT3=kwMR;odgg2yMeyjoF!N$oPTy-WX>xdYa->ot8>5~52ft@4?1#us{cK$fzcLGa!dY#N9rwXk+r+a=C8Jn=zdw3-b43`~D~+TkvDh0w)_YQ;{U+jx zx8pu%qXmlYXo5np4s_gDsbGNigc%+TNX6W+MGhQq+(OS@vKCxMb+r*wHG0Zw)slNh z7qV!oIVE7f&!#DC0b}m(*#;0##~%DV^OO;KDE6)Oju))j%hQr+j-MrV$}QF?HVN~Q zmbOMR5n0c@5S8&P)iiyY9x1D#F--w%k7$wN;S-E`M5-XwSf(Vslh0zM6X~L8&3bIw zq))W;W24gWoNCnonJ;Y1U-a{MLhXi=S`M)L^v8T(6S&HuTH-^Z=HJAdk&h2>^%r~3 zGc(HcT^(+jsg3M;Z6Wy_{Ylb%P4?vuY}zvWH|Q=( zjxRgIzj6QgX+i!Q*q&@u>sOQkEk-oPpnkns@OzF=vQQzFpGF|earo7^|I8`hck6>o zve_E?a!=sDdz+36s|b}H=_ZAGE>#+`vTbu($?Z)SmW&AXsDpGDk@;{>~B4=G)$XYOa9V)XEDm^a2Zi4+CLM_!rltYNd>crUMWi1|otatJ;4J4bb}~J7 zMFON+onTMP@xPc@2jxo+o>w8R)lffFK(C5FKLuHP<%dcBkG;jQf%egG%+EMfGrDu{ zV7e>u_86fgE*xn27AM9Cw$j~Bmi=`%E+pwKm>UCFL?0%SrJI{)2V%Hyz!b^T z{0fMKdy*ce6A%pwyP+QgFW>9@xK+g%=}EZDUj$Ag^M-Xdl~m=;jQi(ywB`Lz<0>D% zSnz5&gPmQHj%(y+nl`{&50LaJW^>N9Y{j#B#>Q-Rriyf^^y+qL6YBLD&QjqVOqGKC zY-%cvoyaehY)8AMY7(y+s^bGfqzzaeeU$%5T)=D5x+Qf2raux_+t`o9H7k_6zAHb2 z1h)yPbd1_RUb_kk8;XsIGrz zE8V`~W#4Fz7F!KrFfgVbtVq~0*LvVNB5Ozv$r;a>4b_-@g$r$L!>7R(0`Xy%wzZln z6A4TgGZRo_RQc+fk^JmHPncjX977p5LM5b{f_zb4&u>BARk^8BWuT9G#c)fzn>MB8 
z12@!`w8kV8*8X+9aJQri$c15?+I)$*3<$=qjyBX{qSs}tT6Z-U+wM4I*_N?1CPd6! z#*FYk6NNI=oXdWvQQ@9d49|W03779KkV^1KL}PY;G6J>f-L6~~wmGH{DL>&LzHPd~ zb1+_d{8TyoDm~a*))4t|CE+v)%b#OYl<(|}H~JGt+Z$RJ76^69uV0sNHBM6ulJTT% z%sFiQ*zU;&sH#tDHZg&ZVF!FPCuJSrF^8IeC0!8+n0L2tBk`Q-!*iK??-e;4B=+P* z3$y#nXrVHmlG{l>8~kUw`xD-T$*iH0oIulxvxSMW74Qo|9DV+J0M@r=bc zr`zX8mb@<>bjLzA~rjzbOl6UL+rfk?m zQKpN7oZM|r!1mv%NAWVX68>X=33Ac7rRqOpXf0cj-eo$>>dIu)Ng{dAu&}(EBu;(yWIJ{#Z0g6d6h4i4A6PZUO!S4xjDwy}@ zQS`7;5zpse98WiFR^X@G9Nd_TcltM>7O=laOob9#OXpbPj&3jdPK9XMc#N^yqb!MP z1e>WOtwyc+tU1?c4JQe`{_Lc12Wd%sKB48JzI6yi4RXPU%MVyFprd8$q!*jwmpep%@2^dP>r!QFM98+obF%T?=7V<%8 z`IEv%xIlH%cEg&zzpDW&wcbzae{-&VZqCef&hKsNe|OwZB7NQ3cKU99mcAd7`6ZG)em3S{5s_#!t-Wa%xZ7**FD9(JOTy1ln=+xR zat;U0z1K_ZoA3j4X_BdesCS$-U6#c7pok4e!2LFEJV5YWu{8G1h7le%!#Q}Jpug@1 z@7ouv#Dbq4&uJRCGWODL{8jc0c=tfGgWuS%=|Iw7lXa=fVzhGa)3FXG_|7u_g5F@@ z?oAM`HKo1R3F>2w}WXC@w~lK$frk`xoARi>=N zN!=JNm>);dxUsY|hQl3d2idb>>M+Jv2ZGqF75X9McJ+y6RYpgC*#F@pf$G0$?$5B4 zAMm;SL*!*!`!WekWeJG3G}jmSHBT}(CZK@+Z8@v^0l6#IVZhwr>1dbIYKetMe*j(l zO-_ayf5OjW(pG3JNHFoQRp*2XHw%a|UhT&nKx}=w@-!ZBQw|prTBcMpi}(dLXj+Y{A%sxAnZK z?QFqT;FPj(j}*B_ei*1Eo>iA{eOS!c6T8g*{LlL0HqakyD5IMK z>7WO*i+irsH?5W;VX8a~H3eL7 zy_IeLEHZ2N$$U8S7Jtfoc5mQO7`DDEbA@|aU{e5&6Ue9x&F@C$nud6J`8Y5T%N&Ysjc~{RDY2$>|a00HN9q=RKgWH zZEZ6IJ8kHAwYKfkFX|=I(y|vTnqbOW?<=O17p5To-%PqH#^$G=zRwFIk<5_s4`x>P zJ&TQ|#G3;r{Cx?>fctLqw+ehfPf914GBQ*;gPivbD_X3OB9@^4Tf9*5@jEs*3Za+F z?cv{fAcZ_Z3<2MVh11Kwz1vm&_<8)O?@Ar>3~#m$d;R79PeDFF{yi0TPq5YJf3bF- z7|YAcEwHX#CqoRB?v2nlzMfZMh|ZNh0Z(6ch+YqZS3zADuS9wY)AEv)^pw7G8mFirX~i$5Qky@Paylv&dxZ48)o62^W&n1<=KUr^5yYmtpvR54d z7t$)IkTQ=I8fGI;zNYmNK!?xcQAzIU-r=67n>ra!(@}J;~J!WqHtV^7*+=QmLdyH&Ho} zdBM_XWQQsMxVckUlIJK(ir>WPCGC42?S#gk3hzvv#^XJI8-b?_I5}2{8RO|*fWpwR zd~-*9ZvlmuIMarr(*dH}1160{x@yQ{j{Y%*Iq5U!WmewcAtbhu|4UnyQ$t5G;k{Fs z9@vinrj=d^4%Iq099n+4{&S!~7=Eo`p@$-IrmQC8EEQ`MrVaZgI9SJzMvjyh+|FVY zBRI!J0MHmrTI$PyG^!gy#l3KbQs?A}))YWyD6iZM3U%6Kd`ks}`a(dJ8Z?HGdksEm zTs9g>SfmEnCTEe8fv`hDNqb3R&}DqE&Y>if+tWiSlK_-EYxT0FX6GN%oqsP{_HHH$ 
zXtr;EG}=#fes~gubSdaa zo+Rln_3@2p1J;a5L?rwsyGlLZ{Z>%$&pLC5w(9-neSI5W)mOjrjYUL6yuS8zy?woS z?ls`t)(7eRCvA{--n0!CXn48WZ+Dz|9TeFj{bz3Iqyrmb@Y0bN4$|9KysMXFXBT-h zspIh~tY1y%z5r|Kq7qyghhs!AMe+fBdZT{bsQ(}ok2^M(xhrp79jkD^Htcu?QvQSW z=T*{i@T=_CiT?Xh>KV<)wrwT$dJ zIw!m!+&P0qbq#X1yxC=~(@$jOn+p$@nTVfTgO8Bu-&TJPAFoa49lNM+(>AH)aY;!M zS>E?HvlkkFsk8h)Z^CJ9io6Dc0Rrn812FRfXhR5@aCUz5nSFFu#@SP)0gF6>PFIvx1yLt?rQ|b2+?M2w*i5 z;d@Bod4Q4lRD#@K*P&83@X=O|0nKN6Y(SM7|3Vgh(c`Yx&F{sq+J3Emt?aeUbCFF4 zWYYh(kdp5|?>YQ~1}->23l*TT5(QRhdfj z=zY5FToB1!bS+Nc^!iLaJd9eaZ6+0+QutlK&2MENtdXW>`R9UZ>4a^0VzjPV4lDz# z;Pt&L?P;=Qd#xGsJZyBWl<@2P@|BRV3W&-^UIbBXGj)* zp{7~@;tCc8R@8?>znB@|?6iWqhDUUoaLnu>9?EBDT**m(kkZT3m+lB4Pp!ul{#%_MeLu3A80P;mGeaI(a&R1%?g#L6n!CVx)7iMQ& zwUVo^t?d2I$Ze2fF{FBkUkFOMibq|Xy?5S4pOtmGz3%nL?>c0SOc^by+T2pu?hihB zdd98x)z2!e@e1MoCj2ONk9e8W$5`y>HCFi<;1NIKF#V<2s<)2HC0=Z{ILr~^QQz(A zSfne0!1Ya}#ez1plP<~ns)Sx8>*Tx3z)=9hUZ6iDOOO-yjf+&t0y#lC?eywq$%C|{ zL;vl9saCRDbV)#w&Y_s*x}+;|I-L- z7E5qk3M{J5XAQS=YLGB$b@l>7K*pG1SMr*%6$F^2khaM3p_X*(v{5r9!M|zRm_{j} z)XON-ht1ZaUWLb>^^)09Tv%0F$6ZB;Dq;O?QT`aP3FB?x9c4IXo?RmN!?m$3Q8XTD zH_Vslo~=JQ0oS8d4KAIv8f_O$g2q=sIZvho zAL~I_!)9f{WyB;B6an1zsk2~=UsLWGj9S z_mO4QQDUE|WygURVoSx<8Ks9YP|$qI%#$n8o=|wAtp_j-oqnW0<+myGr}qTglb+t4 z95|_H5T)g_NvVgP8f$_Fl=6sZ+$>xWBN|;V3SR@IO;SF^ARed++>LiDU}Y`{#@gmm z^JkM+Rm_+lPo|?_eqVgGvR9)h1gY76S&1Suk?jcogmg-Ooz#(<&zjb-oZ0?&x9986 zm^w00kYdDrWQkuKRvE41_u{=5JRS9n<*0+$F01Z%y4b&qgj7tvQ=QW&1=z^)CsQ&6T9)U%Fp`0zEE*K> z`LzAggZ=jY_@)#)k~eAzq?Csh_0f@GV60G6m08b+|51@5PbJ3#8i^yhJu>X`Sqtkw z7wYJZo?3a06CdYkyENuKO#2VN{?|qVdDD&svO{1U^^7Omd4nf5@cF-Oq`RS?wGi#~ z1i3aNoE==q`m5ohQW(rFB83=5r{H+uOVkq3y$0gOlVKxy=ZMFLA8n#8bA}xzUt0qR z-Ig|GvFP|DXu2b&ED(E>jxq_=uG62OcQfF@!NYe{V2;UgKf;queD+-%6aa-!WJ|hc z3d>a&Bd~bxVWSCqy4Vn8anvjvAyBF$N~fL_TO-WWK{OQr7n2N7qtcv{QO8T2)yMDU z8rYd?n(pHimyj*dnH$>JjwD5Jrks09$~fK=(T|N@u3u5_4m(ffbVF6=ST((0zT|8J zU>4u)>4i|nSqIWsy#T!Gqmr<-hA^})ajoAI8Y{gsr`!xMR)9>kFNJ>(e(CS|;>Lpi z1$#q)g4rGZUnQyCvHnL%8sYiksaRp#955d=XoMowlrlndR-xs8Enuqxm3T5c6_EeY 
zl8$#HXsmm7!_?iCuUeUXcfjK6bDgM8yb5*K&otBr;^a;Z4Z2&JWZcoWMw4XHYLth# z(6VzgEZ?T2A73(*)7yP+@#s8TwXa=oKD>_+(^joUl4o!N#VoOtC2+LAQ**xf7}PA? zVhP_(*NgGr?7leJuH^A?GKPa<^^ZJ=9g%a#Wu6@ntE!=HZm}K|jD?@Q<8CKQPrwo< z7&OFoauD*fX$Z5Fr+W%6@ z!MAi@%5en;wb_{Z5`142kk$pbSM9z92=tU%9K}HdBJAm!%Kj37A0^Bw(@purY|){b zV=Cqfpyg9SGbKP*!UDcJZ~>Iy{9_ir!>b)U3$xN?Dt2^kYZh<8V*B2LNv}_V-v-G4 zmcGNj#u=Zivx;AV3K*PL0Ff@Tb`cd*cB~F5MHcQ-R0dnr#+5Ze#?$-SVef!O#c?=V zVg_D3*aAT%&bX1-p+~HnZq^_&dg_3Q+#ZhT;A+-{%`!(8#;w*Jw3`fXLX{c?w&E0?JaQUTX^G&rQF>^F1SRWhO@`N%;V)(veYB> zwIJ7Nj3Unm%O7aME0GycksKJ;tN|~pfjvN+q1#-e2KIM+ID^lR<_fxP6*t9mxB4{D?X&KMCE>KsUXUbCE_n-lu^qFL$RG6 z<1{XedpqmnYjD-~HSn`i$la>!UNPM;%F|@ee4_!6s350fn}73u@Mrf2<~CLIR&(l& z2~7KDLayd}TO;=Qfm5jr6p;<-kzke$2=UGL7AllrV@Rd!OsYjs4!1Eid)CHFen9(|7R4ZEgh@0?3X#C{x2dRT2(I0+n2M7LRFgA64=0`M80E z{Au7vCS;3xo?`qTN!_(LndNn>J6T9T<4J<tnM9*Z9qcwvGbPb5W-wP~%S5 z!%L#;2#Qtt0v}iSR$23p)8((nRk|C{QBRUKbs7qvCe_N!Q#bL;4s8G9{cC8Ri4kx+ zUD1X1p;Vn}n}`8U={!O?4or#f)8SbhT(YXUZrz(j@s+=(sNuLZr9NGnj%}4cnR!RU zX*)HJ+40*5HAOe8okvPKy}wk-6-*_?&R(_B@JSA!B~P8;sued8De3_x!J_S5Bshra z3dR~4@3$mjX#8%h9o`sEGa@Ul?^{v`b=nhKs<#P}Z3}zUj{PZgN+p3E%jEHKN%S~p zD)5lJ3>ybh%`uTJ+*wkX*09zu;q)8mFt`jGa=>lVku9B=&IFjb@|O)P3(L>d8@|5+dOleF9|=E^C4QlZ{07sIp+Nz)b2X%6nJrw zPeR(>cSdG$IWy37wr1$b|WGo%Z?RSEAf*)GT}`(4i)&^p+@PUGIDT^uqd2PV%7OKRL;W zH3}VJ&zay$p2>9rV27tMTwoysqmB#`?sG%#Bi1;neVC9Nn#P->xsXKQ5(B6s`QZdO z@5^69!4NT8e53<1%H+u~cr3uS=ci;x&|*IF4vldn88l*M?E74WVItQt%#A{fX!aQt z#^Ow3AwnZoVT%fJ`7X$;@p5j4!dONC){h`@B7l2GTzbhg^=EWnn7VxKhM|P>rF_YI z1|fS8ZO9Y{>wfPlvW|}+y;KePB=s=Pp!>lwf=J;dc(*js2Yg=pzl1T$iAE$!>*8Yb z98&2_x5%t8wd^4oJrKosG>*6&77eB;F?$hKO$yJ{_Qde@a~&vpKyB6&FmQ^l#Y*Hz zgvh+KY0fYM&@y&Sa!IFP$TEzxxaN49)8rOocx2YFNC!o(rLM?s0h~;cj#Wj`Cy-$9 z4DQ%lqk=3n$gg}d%_fxS7X%5@`u=z!h@oY@jn1XkWh*>*;ot0sTDfrNZAqr#j(Wu3 zMltxA`^2kvY|0xk9!BFG1mqs2onvuXli1WCJ5VRAPRf%Z`#9axA#~7Rv0K#-RFKBS zv{A_0IuvIQk*5dPi)Zi$;@#~TAXVm`T(yl4O|!w`VH(*HTpU~f31!LMHdLmzKyoK2 z48e=>ed^~SGbg~iwIR=!tsFuJMIc$ewRe=Nb?QoOyb}iWsGNR_o%}8tT 
z1dhXhIfUk^a2ZsK5_{&DmMs95X|>TIrY*h*{3s^A$(paYkOI|X2&hOZGvMyuw%4wq zM_EdKzXW#l>tyPT%Z^WbyLaz>ODr(H$~7#$GAjPO#bzB@nfWAPyECK_d}#}dESCmN z-t4(B99|^peJkYRI|X;oT2yG7$)}=~^c_E_0x!+wseLiP_Jy&fjez^upcYNdRV6D2F>h`pA zbDNm5t{*@7I>ut2C-!Am{Z5`Fe|LBHGqu$*XRZ^P_L9u`WF-Igt4&Xvpbc2XNPS!i zp#7^P;NB3V1(MUX*dVd` zjhj#%I8UjH>)#?CiN{t|1r1ynbEkyP43u%{YV5CX15-9ztfXcw`E@wk!2BU7=t0q+Tz^g!+u{2prR7>SuTP3foO50#JXEP`I@)asHYEebbn zp?S#uj_V-aMnq0sX9|TK$z2MvfDuJaqv=;bX*V;Tqw_rIm+5(_ z!)?erjVmCX`LXJmEwTbNZZj_q~)rDF=cu~_5L6Oy5!+Xx!x zks^6=)>*##{)O<3k3j6aJ_Bbbv9ee{GDsmMI;=lE<0!Rk66tl$7b|&vln;J_zR0cm zA8RSB=^@6)Y;opoj>KkpOs`zMGVium_&&;xSX&&>bojZfM-Ewvv(Db!+}zJ$hhfIy z8)H=}^8pbLwwl)k$Fe^u=lwr>Woz}LJ#`uNgG^{pqvEeMg1T^Uk1gl{Fo!m;EAD}v zC5mWMswJ&}UN-t=sIZ!|`@BFu9A8yIiTVwwo#T0_KhYU`Be*P{!~DgoD*@D{MH{ux zXb_A3r`mGiE-Vo5hNk?0)OYHf3oRy|KS35#dC~|r9elSY%fwS~Sq#TLZ29nTz!rOb z0pEYA0twHWkJyUd0Ry^^?Bsc$c@3nWD6Fg4I%)lQHWAUxs`BkT#j6asc9m*o@BQj! zbFCf(G!m&yZGV|aROm!mXN%(6iFG_s-J=`s4{r}b&$y997#FP!h_v>vIa6EJRFJojfstZDPeVC&GR z-24ROb2O!=O~hXj;#CC^-6F{;E-||W{m5kgko9g zZ8C`eCr%%+;B1v{pEm6=v*26zn8$?*Pgk=(pdEuls{Ffb+RAxT0`-Y zk=UwBHLO1z4IUpn{Q8^6^=!AB#IZ-@jdxiI6fi{z|i1ABv7-4lXr4W_} zrVxAHnb~w(O3#g?T$#^<(P%Vyc=%|v0>tm8R4}7-W^5>6P`?>@Ho;-t+T2zb%kXxvgHPckWvTQ(?fS!PVaiD}i9<4m z|C4eBt`K?`vOG=M6^T$yk?7V**tO2U?*rYo6vo&Z*8Msvy{&R4D zEK_Nb@eH&kdjzAnwOq1s;aqPkqIklDPL@PxxriLjI~bs>Reoh6Ay9w-V3|Fab?O6Q9SrY%Cv= zqS3+%Udpu$0d&A(vNh$I(hyg@H6%ZnKlaFkSpa*>h&}(1J7M~YF+tuPj1C`>0eLd| z_SZuX+y;zkc$KsrYy_8vR;c9DH&4Xvi18!RUT7qx%hVWi_vpKA_mh@0X0v z=2q_f7~#wF!Fp3x+eCE};W`VBS0;4Eow3tGY}hGy`udDSG@7#^`Em8Z{Yr{$;9Zfu z)neVQHqI59utZ+jbhv1Tue(Sdelz%{{eXf=5N4=DCn0CiZyHB?YdiLvo;S&sExpE8 zt(&>Sn@|2>__`&hx<C>BW(E9(xEF^VahaP|XAYL>v` zgTukMn=gR|Ps0tCz_ao9WY4(0%Y(W!#$<8u4>HX03vZ;RKQ`3bjM;2JnXiG+CRYc}`kK{u01Tw6! 
z2mq8S=@5jZL7I*QfM) zycBCcan#lBd~34Co<^GxrtQ~8UJB{0sId{OG`bM->i=W!TbCQRm4ttPdJ24*t@1h9 zAtm2uy_Fx1tt8$V+bYZB)Slfc2PPp2$0Wc2q-;%g_Sv^^Bf*t5D4yUTM(kp8LJ5f( z^zPT*2A4EaG;h>Kq%+88KqZ4S8apz%^~}d0q<#`0wTe8-RE$l;#TS^*il?irq3KER zN@nHMnjLQM9q#QP)Z>@bMf* zCo~~VCI6dq>zkEG)D{{cjKn-c+lDQKD$i3k!}CxY1BNiV^+fA6>u})g9PDiG?X7kr zd&2aqrkky;&A5npIDUYFvqrq>o_TYgePU-vnNAtvVjkoRy`yPP9usNqFFAOP4S9|0 zg5U6ThM1XM$?+Q--$IjbK|mj}sy@=SeqtMRuf?rtXh z1bQbXPkseliW{r&mx(%?oBDsbP zgC0SKNc>weMI$&xr)a`pjXEIjk#k-5v4wRL8pJ}UzB`o8#Mw%eaZ<89)uUkqJrnRn z)(t5`V3tggT;W+HW80rb8T@A+HQC>pPtC)_gR3o7DVz3v>h))F81z-JsJ_h3=u8vr zqkb6n#dW%lEf#$(=qYgYCoH0{)Ni1xaOsgCN=og@BTG}{v7i<55?tg zrTgs?>Z!d3t)Lzik)Vk;aTWRKuPyqSLxyR>1s8<4in*SC1%5Nc@EwrAv!HOv?hwMq z5v_7h&Li<$RjY9l{lk%tN)h$>AB8NyX(r9g?QW?D=Ueb!@89t!I?KU(-cPedsi=sK zNAR2Mnck5d$06v!(V+}^)@RmBmJP_oRFDquGqD5_@sJEz28r(km>?&nG~iD5QqM}i zOc~2hjb*#MSQjgBv~@0~*s(&q$***5Jv+2ft>^AoYU194j~p>~tJGbcbF2ES;)Q6Z zW|)m zh9>y2DxG8=`4yiOS{pE-;ePp^lOEe zb8Zlqb_wFq)wdF&Jz~IbutLvIYL8q5FG_fd{O!N{7*XLHT;|B;>4AJl8X`4yH}`&9l=Fm{%y!3dwuz z%4Yj2r&)m9GHlZ7PA{N|pLX~Bu`jufzd2%jfoI^2Bn5>E=GFG(;lLC{N>hCkJ3|_(Y zml|IlxFJ+Q{Tj%ZI{cp@#j^HR2LKU#Q4&)}L;GA|{z6Qe0X$` zR*}a0k7g8Upp+Q`H|MF*Vx{!A7LCd@!_~=U^01^8i_2HO01q>yGhNwX(~YHU6hII8 zPlPds)v1^Z>JVA00G#?Xi|%T3>?P)}O};%;7tTmVqf*Dz8*TobJ#rLy<jzE8I*2}ez1_1YY<-(JwMH$#3B)TQhc zRfdnqOXB((BdI@F+0;shg?rR2QRI8HFl+W6rJDFT}tOJrSobkQKd`i+@*BxQaanEOX<8(N@oFrVE^H&!{$m?OV#s~ zD|ba1)hSh&WZHVuZhP0}UHa*+d`YEw{_lwTYJZLw=uwaqrleU0@a6fx2m6DaK{5aL z-p)an|NAA%tL6W$A}8)b=vyz``n=zQUST9C7Wr<@tn&yY#JrJJo2LlhcLy($BE0S7 z-*vM_id(+q)<)Dn(^ZFN=4G8iO7E(A)k(c8aj8zJeD3b5ijA^&n*`gc(WmCtt{PEZ zc#EhHI0~fuNoIE$Q4?j`r^@wK@@wGY{7i^%#&1kUrdOc|Kuqru(PAfN;111TFzM2A zcWJr1wA`De<*r)8GBJ0kGfl|FYH0%0V%AGV-FKNqN*SJFqI63F6Hu;y9hObCX1DPc zkPs`gl8DjAg_dbmTVesoD4EJHpQ}K#5)c{VhDh5o?8`;i^vbn*_Lj^bQ2FVe)nL80 z>y7TTEAgssEpj_FPj51eVy)`SXPw}>dzac-YenemB)YD&UmD4Oca+9FW-xL*hU8L% z0becmnX*Fu8yxH&7UaL(gZ;x!{(FgH3wWt4H%1;qafRge*I$j~mPrx>;sYVMeE#gH z>~_qlB%^A9YYky)sgTwW=^QyTjF@0-7DwO*v6uePh74wArfEZ!qtCayBidEx!es>i 
zOi=IH@!x3u`w)eKrHPxbdAqFA{~R3d7S{jv?(S~4{$HZx6+98o6gsC8>Ejmn0TSXi zRyz$NN)U;UfNBtc`*+-dky3;>5%nFcG(RyGE$N)RttnlMIG~0g1%*7n{ghEvj;k<& z=3_7*eyAABffx$_W_9aP6!_qvAV55ANHv2h4Xd4jy;B3ri;Cqn_pcyxR+JhfyAWsWV@-=7JMQL48kA(sCkGIu2`B!$Jyirv9) zm*eZ(vr)0(Ul=Wz#7i5tD>NwzJM#Gm#5R71m2~){e*R|D^!4HL z*V_-no8gBw=PRJo4`_~ps)>64@#o>y#qfGKzCHQyaeO_zx;?!-KR&x?&_||~)~3d% zR0fl_x{-PB<)=l!7(?ye(nftSuYua{v`<(mO^4_yCy_NseS!iJ4CPQ!6)31rd~EO|H$t+p8ZC7e35oA zQ-3{BcAsk?rCue)@EnO3Us}s1z+B)drvJh1B_p<*u{rT;ac@4`nLKjhoR|ZcY?HVm?u%Zow!J zD9OlP-z!O8iATTS09~>Zc~RM0xf+)CRlPJ+H>V~NSxsLROQ&gH70YGi(DEy(75=}O z{D-1|E^m$28y^7= zMxX4@@;BX%5eGI9CasOC++7Cc#?qr|Lf%WI#ujNu%K44yue0jrsHtuY5zX8etRot9 zWPPz_Z$`LEP44XDwcL@ZrrLQn(YYZOUr~bIh_qz`5-!2+1QhzNsn}0AvecTJOygP; z*|N-DVd5jXjN}e^aZq3{%(0uY+eg3#ZGHJaKv2Ld0nNP#QOvN%9f36m`ab(f=JgRr z{L#CCmC#r!0T7gPIu(cJPnL)6Px&P>!P6Vauwrk}W5lr7WntikR`i0;pWhz89~*nB z-=qlDv>kZQ^B;=VhW-@&gA&xV5#&$NCrVIWEOwmvPlM&!i{pQMyc*t)KmI&ExjGwN zpIu(uo|SYMW%-{=j{H4ZROkRCv&oaY^wQX9__Fex7Zg?FyB=N~UtG5{vKSFa;@2P3 z$%nIHTVqm2EMLr+#>11V;dOiCQuSVKY%i%-8(p5Z*OfUYU9zkzsrPKZKdBIXeH~w! 
zOVY?+rS)6&VM}_z72UjuX0ZHbZRMc#P9ZwazNnsZj6ljPj3f;Iwzs!i(q=uNyBVeT zjf8zvS2Sx+y(XS>>Z2pDmrF&eDyu1%f~UQ-u!kJ0X{QOjM~waxd2!yY zav1=5XF6cJQfjPTiw=t1226a6h=-(y%u&BDjZ%+KW!>SUijY(I1U*Jr`??zf*gYtv zlTh1t)fn5;|25M8+TyVgzSte~*3bm6u>aW^?C%xr|8@tR{`WP0WFD;l8I)WIdPqH;sp%s^;kMJ-DLu?aY0HA}yI?Sdq&sdFy3jt;b;yp`_sGvz&3 z{@$Z9PLMsXBU=Q9WaFf2C+vP0Ln$^Rm_BiAs4SNYR+(+Go+)z1A@(TgFpR zNXM!<_Xa+#k*Q%!uX5 zz3bah8Na;rU|lFylWb#va=>hcg33is{e}`isk!`~*nq$!dFyIb%dqsSaxiq)2-zjoECt!vm&!)i}U zr&+bjTKYc@pTYlQFgV=bDf#~&3_AVaOO!(V$2=vQNRWjabnnqnTaYVPG+6T|O{7EWwZXpfIsN^w;IVLilRC$&?heN4m|?|9IeFd8bO zwyLwY|1*w zg%vJ6Is$8O0xqSj`ZG>^_ASuOa)NnQ{ZAwPA4kE2<0(PDgE>zSTkjfRmHvNsf4iXn z+c`Y!?0;XR*!sVs3N2Onok^s(rrax$Q@aW@D^BlZEW0@Ze|3oss!PN5pD8Ffv>v={=R9*IQ6wnOR2Nrw?b1nzp#$D zUdGO#hPb|+OTF*f)Zl5fwW+Z|k)}F(gYTAxTHl{Kql1pN^3HlIuJg(Sl=Jla76_>5 zVA;`6+h!|uMATWXbmY{g?Me-ueXZsz4mcft7@pS}-+mX2!bsAiRj zXGJ|Of92laeQo5iOmcheo00FMG`jyQ-c7G*0}7NmZrVCb=s2uCz`B*TUL?D8KjGN*2E5Q z@}A&J*1tPLL5Qb>vJLm*RqKC$cR#=Ww+{}syY>Gf`Q37@wga0MmfpDG>^j>07{10AoByk}0yDL*n<|0D`8H zcL0Bj7@FWm>P$It+Ab|)m5D3nu=bnyl$1!E7_XeEMFr)iy{6!Ta8i zZXAl=l;LUb$N%lU0XL9gns9J-I^;c9Cz$BD*hjFhsx$h}o;&9r^-;g~+Q@BCmaKn| z`8?g&9FO@=3jVTs{qJud6z#tUhlA~I{l7%X=l{j%F-Amk{^h7u36E)L@=BhfiOdyM zu=pvPvMY*wP3)7VK7`WRz?jYqe4B2rbp?Gmn7FNtLK2;&5mQ~gAoCXTU zXi6E*1QTl+$R}#ZBMpUo6kr~|&prO2!ju6J1qp+J1+|hM%}|&o@TCzV$D^~G-Erjk&!x)pB{Egy8YqzLfs0~sOJwe#87VD z3bT~49Ab4oXaU3pXA^+JC|=~Z1BZ$(@}S^z+vs6LqC4UFpjA SQ2s9f0RR7=)fH&~3I+g1WVRgu literal 0 HcmV?d00001 diff --git a/bootstrap/helm/cluster-api-provider-azure/deps.yaml b/bootstrap/helm/cluster-api-provider-azure/deps.yaml new file mode 100644 index 000000000..267470167 --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/deps.yaml @@ -0,0 +1,7 @@ +apiVersion: plural.sh/v1alpha1 +kind: Dependencies +metadata: + application: true + description: installs the cluster api provider azure +spec: + dependencies: [] 
diff --git a/bootstrap/helm/cluster-api-provider-azure/scripts/Makefile b/bootstrap/helm/cluster-api-provider-azure/scripts/Makefile
new file mode 100644
index 000000000..dc82a1047
--- /dev/null
+++ b/bootstrap/helm/cluster-api-provider-azure/scripts/Makefile
@@ -0,0 +1,24 @@
+AZURE_VERSION=v1.9.14
+
+azure:
+# Clean current CRDs
+ rm -rf ../templates/*-crd.yaml
+ mkdir tmp
+ wget https://github.com/pluralsh/cluster-api-provider-azure/releases/download/${AZURE_VERSION}/infrastructure-components.yaml
+# This rewrites the data to stringData in the secret
+ yq 'select(.kind == "Secret") | .stringData += .data | del(.data)' infrastructure-components.yaml > tmp.yaml
+# This removes the Secret from the yaml
+ yq 'del( select(.kind == "Secret"))' infrastructure-components.yaml > tmp2.yaml
+
+# This combines the yaml files back together
+ yq eval-all tmp.yaml tmp2.yaml > infrastructure-components.yaml
+
+ cat infrastructure-components.yaml | helmify -generate-defaults -image-pull-secrets tmp/cluster-api-provider-azure
+ rm infrastructure-components.yaml tmp.yaml tmp2.yaml
+ yq -i ".appVersion=\"${AZURE_VERSION}\"" ../Chart.yaml
+
+# This removes the Azure credentials from the values.yaml since it is being set by managerBootstrapCredentials.credentials instead
+ yq -i "del(.configVariables.azureClientIdB64) | del(.configVariables.azureClientSecretB64) | del(.configVariables.azureSubscriptionIdB64) | del(.configVariables.azureTenantIdB64)" tmp/cluster-api-provider-azure/values.yaml
+
+ mv tmp/cluster-api-provider-azure/templates/*-crd.yaml ../templates/
+ rm -rf tmp/
diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/_helpers.tpl b/bootstrap/helm/cluster-api-provider-azure/templates/_helpers.tpl
new file mode 100644
index 000000000..7862cb276
--- /dev/null
+++ b/bootstrap/helm/cluster-api-provider-azure/templates/_helpers.tpl
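Review bot: The `wget` line in the `azure` target pulls `infrastructure-components.yaml` from a GitHub release and feeds it straight into `helmify` and this chart's CRD templates with no integrity check, so whatever is served for that tag at download time (a re-tagged or tampered release asset included) silently becomes the chart's CRDs, webhook and RBAC manifests. Since `AZURE_VERSION` is already pinned, pin the asset digest next to it and verify before any processing, e.g. `AZURE_SHA256=<digest of the vetted asset>` and, right after the download, `echo "${AZURE_SHA256}  infrastructure-components.yaml" | sha256sum -c -` (or verify upstream's release signature if one is published). Separately, `mkdir tmp` fails on a rerun whenever a previous invocation aborted before `rm -rf tmp/`, and an aborted run leaves `infrastructure-components.yaml` and `tmp*.yaml` behind; `mkdir -p tmp` plus a `.PHONY: azure` line would make the target rerunnable. The Secret rewrite copies base64 `data` values into `stringData` without decoding them, so if `helmify` does not decode on its side the generated values carry double-encoded material — worth confirming against the produced values.yaml before relying on the `*B64` deletions below.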
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cluster-api-provider-azure-plural.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cluster-api-provider-azure-plural.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cluster-api-provider-azure-plural.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cluster-api-provider-azure-plural.labels" -}}
+helm.sh/chart: {{ include "cluster-api-provider-azure-plural.chart" . }}
+{{ include "cluster-api-provider-azure-plural.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cluster-api-provider-azure-plural.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cluster-api-provider-azure-plural.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cluster-api-provider-azure-plural.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cluster-api-provider-azure-plural.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azurecluster-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azurecluster-crd.yaml
new file mode 100644
index 000000000..774ba1e96
--- /dev/null
+++ b/bootstrap/helm/cluster-api-provider-azure/templates/azurecluster-crd.yaml
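Review bot: Every helper in this file is defined under the `cluster-api-provider-azure-plural.` prefix, yet the CRD template added in the same commit calls `cluster-api-provider-azure.fullname` and `cluster-api-provider-azure.labels` (the `cert-manager.io/inject-ca-from` annotation and the conversion webhook `service.name` in azurecluster-crd.yaml), so the visible CRDs do not use these definitions and instead resolve to helpers that must come from the bundled subchart. A subchart helper evaluated with the parent's `.` context derives its name from the parent's `.Chart.Name`, `.Values.nameOverride` and `.Values.fullnameOverride`, so the Service name stamped into the CRD's conversion webhook and the Certificate referenced by the CA-injection annotation may not match what the subchart actually creates, which would leave CRD conversion pointing at a non-existent webhook service (inferred from the visible templates; confirm with `helm template` under a non-default `nameOverride`). Either rename these helpers to the prefix the CRD templates use and switch the CRDs to them, or add a header comment here such as `{{/* NOTE: the generated *-crd.yaml templates reference the subchart's cluster-api-provider-azure.* helpers; the *-plural.* helpers below are for this chart's own resources and must produce the same fullname. */}}` so the coupling is explicit.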
@@ -0,0 +1,1089 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azureclusters.infrastructure.cluster.x-k8s.io + annotations: + cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "cluster-api-provider-azure.fullname" . }}-serving-cert' + controller-gen.kubebuilder.io/version: v0.9.2 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + cluster.x-k8s.io/v1beta1: v1beta1 + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: '{{ include "cluster-api-provider-azure.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureCluster + listKind: AzureClusterList + plural: azureclusters + singular: azurecluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Cluster to which this AzureCluster belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].message + name: Message + priority: 1 + type: string + - jsonPath: .spec.resourceGroup + name: Resource Group + priority: 1 + type: string + - jsonPath: .spec.subscriptionID + name: SubscriptionID + priority: 1 + type: string + - jsonPath: .spec.location + name: Location + priority: 1 + type: string + - description: Control Plane Endpoint + jsonPath: .spec.controlPlaneEndpoint.host + name: Endpoint + priority: 1 + type: string + - description: Time duration since creation of this AzureCluster + jsonPath: 
.metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: AzureCluster is the Schema for the azureclusters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureClusterSpec defines the desired state of AzureCluster. + properties: + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to Azure resources managed by the Azure provider, in addition to the ones added by default. + type: object + azureEnvironment: + description: 'AzureEnvironment is the name of the AzureCloud to be used. The default value that would be used by most users is "AzurePublicCloud", other values are: - ChinaCloud: "AzureChinaCloud" - GermanCloud: "AzureGermanCloud" - PublicCloud: "AzurePublicCloud" - USGovernmentCloud: "AzureUSGovernmentCloud"' + type: string + bastionSpec: + description: BastionSpec encapsulates all things related to the Bastions in the cluster. + properties: + azureBastion: + description: AzureBastion specifies how the Azure Bastion cloud component should be configured. + properties: + enableTunneling: + default: false + description: EnableTunneling enables the native client support feature for the Azure Bastion Host. Defaults to false. 
+ type: boolean + name: + type: string + publicIP: + description: PublicIPSpec defines the inputs to create an Azure public IP address. + properties: + dnsName: + type: string + ipTags: + items: + description: IPTag contains the IpTag associated with the object. + properties: + tag: + description: 'Tag specifies the value of the IP tag associated with the public IP. Example: SQL.' + type: string + type: + description: 'Type specifies the IP tag type. Example: FirstPartyUsage.' + type: string + required: + - tag + - type + type: object + type: array + name: + type: string + required: + - name + type: object + sku: + default: Basic + description: BastionHostSkuName configures the tier of the Azure Bastion Host. Can be either Basic or Standard. Defaults to Basic. + enum: + - Basic + - Standard + type: string + subnet: + description: SubnetSpec configures an Azure subnet. + properties: + cidrBlocks: + description: CIDRBlocks defines the subnet's address space, specified as one or more address prefixes in CIDR notation. + items: + type: string + type: array + id: + description: ID is the Azure resource ID of the subnet. READ-ONLY + type: string + name: + description: Name defines a name for the subnet resource. + type: string + natGateway: + description: NatGateway associated with this subnet. + properties: + id: + description: ID is the Azure resource ID of the NAT gateway. READ-ONLY + type: string + ip: + description: PublicIPSpec defines the inputs to create an Azure public IP address. + properties: + dnsName: + type: string + ipTags: + items: + description: IPTag contains the IpTag associated with the object. + properties: + tag: + description: 'Tag specifies the value of the IP tag associated with the public IP. Example: SQL.' + type: string + type: + description: 'Type specifies the IP tag type. Example: FirstPartyUsage.' 
+ type: string + required: + - tag + - type + type: object + type: array + name: + type: string + required: + - name + type: object + name: + type: string + required: + - name + type: object + privateEndpoints: + description: PrivateEndpoints defines a list of private endpoints that should be attached to this subnet. + items: + description: PrivateEndpointSpec configures an Azure Private Endpoint. + properties: + applicationSecurityGroups: + description: ApplicationSecurityGroups specifies the Application security group in which the private endpoint IP configuration is included. + items: + type: string + type: array + customNetworkInterfaceName: + description: CustomNetworkInterfaceName specifies the network interface name associated with the private endpoint. + type: string + location: + description: Location specifies the region to create the private endpoint. + type: string + manualApproval: + description: ManualApproval specifies if the connection approval needs to be done manually or not. Set it true when the network admin does not have access to approve connections to the remote resource. Defaults to false. + type: boolean + name: + description: Name specifies the name of the private endpoint. + type: string + privateIPAddresses: + description: PrivateIPAddresses specifies the IP addresses for the network interface associated with the private endpoint. They have to be part of the subnet where the private endpoint is linked. + items: + type: string + type: array + privateLinkServiceConnections: + description: PrivateLinkServiceConnections specifies Private Link Service Connections of the private endpoint. + items: + description: PrivateLinkServiceConnection defines the specification for a private link service connection associated with a private endpoint. + properties: + groupIDs: + description: GroupIDs specifies the ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. 
+ items: + type: string + type: array + name: + description: Name specifies the name of the private link service. + type: string + privateLinkServiceID: + description: PrivateLinkServiceID specifies the resource ID of the private link service. + type: string + requestMessage: + description: RequestMessage specifies a message passed to the owner of the remote resource with the private endpoint connection request. + maxLength: 140 + type: string + type: object + type: array + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + role: + description: Role defines the subnet role (eg. Node, ControlPlane) + enum: + - node + - control-plane + - bastion + type: string + routeTable: + description: RouteTable defines the route table that should be attached to this subnet. + properties: + id: + description: ID is the Azure resource ID of the route table. READ-ONLY + type: string + name: + type: string + required: + - name + type: object + securityGroup: + description: SecurityGroup defines the NSG (network security group) that should be attached to this subnet. + properties: + id: + description: ID is the Azure resource ID of the security group. READ-ONLY + type: string + name: + type: string + securityRules: + description: SecurityRules is a slice of Azure security rules for security groups. + items: + description: SecurityRule defines an Azure security rule for security groups. + properties: + description: + description: A description for this rule. Restricted to 140 chars. + type: string + destination: + description: Destination is the destination address prefix. CIDR or destination IP range. Asterix '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. + type: string + destinationPorts: + description: DestinationPorts specifies the destination port or range. Integer or range between 0 and 65535. 
Asterix '*' can also be used to match all ports. + type: string + direction: + description: Direction indicates whether the rule applies to inbound, or outbound traffic. "Inbound" or "Outbound". + enum: + - Inbound + - Outbound + type: string + name: + description: Name is a unique name within the network security group. + type: string + priority: + description: Priority is a number between 100 and 4096. Each rule should have a unique value for priority. Rules are processed in priority order, with lower numbers processed before higher numbers. Once traffic matches a rule, processing stops. + format: int32 + type: integer + protocol: + description: Protocol specifies the protocol type. "Tcp", "Udp", "Icmp", or "*". + enum: + - Tcp + - Udp + - Icmp + - '*' + type: string + source: + description: Source specifies the CIDR or source IP range. Asterix '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. + type: string + sourcePorts: + description: SourcePorts specifies source port or range. Integer or range between 0 and 65535. Asterix '*' can also be used to match all ports. + type: string + required: + - description + - direction + - name + - protocol + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + tags: + additionalProperties: + type: string + description: Tags defines a map of tags. + type: object + required: + - name + type: object + serviceEndpoints: + description: ServiceEndpoints is a slice of Virtual Network service endpoints to enable for the subnets. + items: + description: ServiceEndpointSpec configures an Azure Service Endpoint. 
+ properties: + locations: + items: + type: string + type: array + service: + type: string + required: + - locations + - service + type: object + type: array + x-kubernetes-list-map-keys: + - service + x-kubernetes-list-type: map + required: + - name + - role + type: object + type: object + type: object + cloudProviderConfigOverrides: + description: 'CloudProviderConfigOverrides is an optional set of configuration values that can be overridden in azure cloud provider config. This is only a subset of options that are available in azure cloud provider config. Some values for the cloud provider config are inferred from other parts of cluster api provider azure spec, and may not be available for overrides. See: https://cloud-provider-azure.sigs.k8s.io/install/configs Note: All cloud provider config values can be customized by creating the secret beforehand. CloudProviderConfigOverrides is only used when the secret is managed by the Azure Provider.' + properties: + backOffs: + description: BackOffConfig indicates the back-off config options. + properties: + cloudProviderBackoff: + type: boolean + cloudProviderBackoffDuration: + type: integer + cloudProviderBackoffExponent: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + cloudProviderBackoffJitter: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + cloudProviderBackoffRetries: + type: integer + type: object + rateLimits: + items: + description: 'RateLimitSpec represents the rate limit configuration for a particular kind of resource. Eg. loadBalancerRateLimit is used to configure rate limits for load balancers. This eventually gets converted to CloudProviderRateLimitConfig that cloud-provider-azure expects. 
See: https://github.com/kubernetes-sigs/cloud-provider-azure/blob/d585c2031925b39c925624302f22f8856e29e352/pkg/provider/azure_ratelimit.go#L25 We cannot use CloudProviderRateLimitConfig directly because floating point values are not supported in controller-tools. See: https://github.com/kubernetes-sigs/controller-tools/issues/245' + properties: + config: + description: RateLimitConfig indicates the rate limit config options. + properties: + cloudProviderRateLimit: + type: boolean + cloudProviderRateLimitBucket: + type: integer + cloudProviderRateLimitBucketWrite: + type: integer + cloudProviderRateLimitQPS: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + cloudProviderRateLimitQPSWrite: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + name: + description: Name is the name of the rate limit spec. + enum: + - defaultRateLimit + - routeRateLimit + - subnetsRateLimit + - interfaceRateLimit + - routeTableRateLimit + - loadBalancerRateLimit + - publicIPAddressRateLimit + - securityGroupRateLimit + - virtualMachineRateLimit + - storageAccountRateLimit + - diskRateLimit + - snapshotRateLimit + - virtualMachineScaleSetRateLimit + - virtualMachineSizesRateLimit + - availabilitySetRateLimit + type: string + required: + - name + type: object + type: array + type: object + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. It is not recommended to set this when creating an AzureCluster as CAPZ will set this for you. However, if it is set, CAPZ will not change it. + properties: + host: + description: The hostname on which the API server is serving. 
+ type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + extendedLocation: + description: ExtendedLocation is an optional set of ExtendedLocation properties for clusters on Azure public MEC. + properties: + name: + description: Name defines the name for the extended location. + type: string + type: + description: Type defines the type for the extended location. + enum: + - EdgeZone + type: string + required: + - name + - type + type: object + identityRef: + description: IdentityRef is a reference to an AzureIdentity to be used when reconciling this cluster + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + x-kubernetes-map-type: atomic + location: + type: string + networkSpec: + description: NetworkSpec encapsulates all things related to Azure network. + properties: + apiServerLB: + description: APIServerLB is the configuration for the control-plane load balancer. + properties: + backendPool: + description: BackendPool describes the backend pool of the load balancer. + properties: + name: + description: Name specifies the name of backend pool for the load balancer. If not specified, the default name will be set, depending on the load balancer role. + type: string + type: object + frontendIPs: + items: + description: FrontendIP defines a load balancer frontend IP configuration. + properties: + name: + minLength: 1 + type: string + privateIP: + type: string + publicIP: + description: PublicIPSpec defines the inputs to create an Azure public IP address. + properties: + dnsName: + type: string + ipTags: + items: + description: IPTag contains the IpTag associated with the object. + properties: + tag: + description: 'Tag specifies the value of the IP tag associated with the public IP. Example: SQL.' + type: string + type: + description: 'Type specifies the IP tag type. Example: FirstPartyUsage.' 
+ type: string + required: + - tag + - type + type: object + type: array + name: + type: string + required: + - name + type: object + required: + - name + type: object + type: array + frontendIPsCount: + description: FrontendIPsCount specifies the number of frontend IP addresses for the load balancer. + format: int32 + type: integer + id: + description: ID is the Azure resource ID of the load balancer. READ-ONLY + type: string + idleTimeoutInMinutes: + description: IdleTimeoutInMinutes specifies the timeout for the TCP idle connection. + format: int32 + type: integer + name: + type: string + sku: + description: SKU defines an Azure load balancer SKU. + type: string + type: + description: LBType defines an Azure load balancer Type. + type: string + type: object + controlPlaneOutboundLB: + description: ControlPlaneOutboundLB is the configuration for the control-plane outbound load balancer. This is different from APIServerLB, and is used only in private clusters (optionally) for enabling outbound traffic. + properties: + backendPool: + description: BackendPool describes the backend pool of the load balancer. + properties: + name: + description: Name specifies the name of backend pool for the load balancer. If not specified, the default name will be set, depending on the load balancer role. + type: string + type: object + frontendIPs: + items: + description: FrontendIP defines a load balancer frontend IP configuration. + properties: + name: + minLength: 1 + type: string + privateIP: + type: string + publicIP: + description: PublicIPSpec defines the inputs to create an Azure public IP address. + properties: + dnsName: + type: string + ipTags: + items: + description: IPTag contains the IpTag associated with the object. + properties: + tag: + description: 'Tag specifies the value of the IP tag associated with the public IP. Example: SQL.' + type: string + type: + description: 'Type specifies the IP tag type. Example: FirstPartyUsage.' 
+ type: string + required: + - tag + - type + type: object + type: array + name: + type: string + required: + - name + type: object + required: + - name + type: object + type: array + frontendIPsCount: + description: FrontendIPsCount specifies the number of frontend IP addresses for the load balancer. + format: int32 + type: integer + id: + description: ID is the Azure resource ID of the load balancer. READ-ONLY + type: string + idleTimeoutInMinutes: + description: IdleTimeoutInMinutes specifies the timeout for the TCP idle connection. + format: int32 + type: integer + name: + type: string + sku: + description: SKU defines an Azure load balancer SKU. + type: string + type: + description: LBType defines an Azure load balancer Type. + type: string + type: object + nodeOutboundLB: + description: NodeOutboundLB is the configuration for the node outbound load balancer. + properties: + backendPool: + description: BackendPool describes the backend pool of the load balancer. + properties: + name: + description: Name specifies the name of backend pool for the load balancer. If not specified, the default name will be set, depending on the load balancer role. + type: string + type: object + frontendIPs: + items: + description: FrontendIP defines a load balancer frontend IP configuration. + properties: + name: + minLength: 1 + type: string + privateIP: + type: string + publicIP: + description: PublicIPSpec defines the inputs to create an Azure public IP address. + properties: + dnsName: + type: string + ipTags: + items: + description: IPTag contains the IpTag associated with the object. + properties: + tag: + description: 'Tag specifies the value of the IP tag associated with the public IP. Example: SQL.' + type: string + type: + description: 'Type specifies the IP tag type. Example: FirstPartyUsage.' 
+ type: string + required: + - tag + - type + type: object + type: array + name: + type: string + required: + - name + type: object + required: + - name + type: object + type: array + frontendIPsCount: + description: FrontendIPsCount specifies the number of frontend IP addresses for the load balancer. + format: int32 + type: integer + id: + description: ID is the Azure resource ID of the load balancer. READ-ONLY + type: string + idleTimeoutInMinutes: + description: IdleTimeoutInMinutes specifies the timeout for the TCP idle connection. + format: int32 + type: integer + name: + type: string + sku: + description: SKU defines an Azure load balancer SKU. + type: string + type: + description: LBType defines an Azure load balancer Type. + type: string + type: object + privateDNSZoneName: + description: PrivateDNSZoneName defines the zone name for the Azure Private DNS. + type: string + subnets: + description: Subnets is the configuration for the control-plane subnet and the node subnet. + items: + description: SubnetSpec configures an Azure subnet. + properties: + cidrBlocks: + description: CIDRBlocks defines the subnet's address space, specified as one or more address prefixes in CIDR notation. + items: + type: string + type: array + id: + description: ID is the Azure resource ID of the subnet. READ-ONLY + type: string + name: + description: Name defines a name for the subnet resource. + type: string + natGateway: + description: NatGateway associated with this subnet. + properties: + id: + description: ID is the Azure resource ID of the NAT gateway. READ-ONLY + type: string + ip: + description: PublicIPSpec defines the inputs to create an Azure public IP address. + properties: + dnsName: + type: string + ipTags: + items: + description: IPTag contains the IpTag associated with the object. + properties: + tag: + description: 'Tag specifies the value of the IP tag associated with the public IP. Example: SQL.' 
+ type: string + type: + description: 'Type specifies the IP tag type. Example: FirstPartyUsage.' + type: string + required: + - tag + - type + type: object + type: array + name: + type: string + required: + - name + type: object + name: + type: string + required: + - name + type: object + privateEndpoints: + description: PrivateEndpoints defines a list of private endpoints that should be attached to this subnet. + items: + description: PrivateEndpointSpec configures an Azure Private Endpoint. + properties: + applicationSecurityGroups: + description: ApplicationSecurityGroups specifies the Application security group in which the private endpoint IP configuration is included. + items: + type: string + type: array + customNetworkInterfaceName: + description: CustomNetworkInterfaceName specifies the network interface name associated with the private endpoint. + type: string + location: + description: Location specifies the region to create the private endpoint. + type: string + manualApproval: + description: ManualApproval specifies if the connection approval needs to be done manually or not. Set it true when the network admin does not have access to approve connections to the remote resource. Defaults to false. + type: boolean + name: + description: Name specifies the name of the private endpoint. + type: string + privateIPAddresses: + description: PrivateIPAddresses specifies the IP addresses for the network interface associated with the private endpoint. They have to be part of the subnet where the private endpoint is linked. + items: + type: string + type: array + privateLinkServiceConnections: + description: PrivateLinkServiceConnections specifies Private Link Service Connections of the private endpoint. + items: + description: PrivateLinkServiceConnection defines the specification for a private link service connection associated with a private endpoint. 
+ properties: + groupIDs: + description: GroupIDs specifies the ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. + items: + type: string + type: array + name: + description: Name specifies the name of the private link service. + type: string + privateLinkServiceID: + description: PrivateLinkServiceID specifies the resource ID of the private link service. + type: string + requestMessage: + description: RequestMessage specifies a message passed to the owner of the remote resource with the private endpoint connection request. + maxLength: 140 + type: string + type: object + type: array + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + role: + description: Role defines the subnet role (eg. Node, ControlPlane) + enum: + - node + - control-plane + - bastion + type: string + routeTable: + description: RouteTable defines the route table that should be attached to this subnet. + properties: + id: + description: ID is the Azure resource ID of the route table. READ-ONLY + type: string + name: + type: string + required: + - name + type: object + securityGroup: + description: SecurityGroup defines the NSG (network security group) that should be attached to this subnet. + properties: + id: + description: ID is the Azure resource ID of the security group. READ-ONLY + type: string + name: + type: string + securityRules: + description: SecurityRules is a slice of Azure security rules for security groups. + items: + description: SecurityRule defines an Azure security rule for security groups. + properties: + description: + description: A description for this rule. Restricted to 140 chars. + type: string + destination: + description: Destination is the destination address prefix. CIDR or destination IP range. Asterix '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. 
+ type: string + destinationPorts: + description: DestinationPorts specifies the destination port or range. Integer or range between 0 and 65535. Asterix '*' can also be used to match all ports. + type: string + direction: + description: Direction indicates whether the rule applies to inbound, or outbound traffic. "Inbound" or "Outbound". + enum: + - Inbound + - Outbound + type: string + name: + description: Name is a unique name within the network security group. + type: string + priority: + description: Priority is a number between 100 and 4096. Each rule should have a unique value for priority. Rules are processed in priority order, with lower numbers processed before higher numbers. Once traffic matches a rule, processing stops. + format: int32 + type: integer + protocol: + description: Protocol specifies the protocol type. "Tcp", "Udp", "Icmp", or "*". + enum: + - Tcp + - Udp + - Icmp + - '*' + type: string + source: + description: Source specifies the CIDR or source IP range. Asterix '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. + type: string + sourcePorts: + description: SourcePorts specifies source port or range. Integer or range between 0 and 65535. Asterix '*' can also be used to match all ports. + type: string + required: + - description + - direction + - name + - protocol + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + tags: + additionalProperties: + type: string + description: Tags defines a map of tags. + type: object + required: + - name + type: object + serviceEndpoints: + description: ServiceEndpoints is a slice of Virtual Network service endpoints to enable for the subnets. + items: + description: ServiceEndpointSpec configures an Azure Service Endpoint. 
+ properties: + locations: + items: + type: string + type: array + service: + type: string + required: + - locations + - service + type: object + type: array + x-kubernetes-list-map-keys: + - service + x-kubernetes-list-type: map + required: + - name + - role + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + vnet: + description: Vnet is the configuration for the Azure virtual network. + properties: + cidrBlocks: + description: CIDRBlocks defines the virtual network's address space, specified as one or more address prefixes in CIDR notation. + items: + type: string + type: array + id: + description: ID is the Azure resource ID of the virtual network. READ-ONLY + type: string + name: + description: Name defines a name for the virtual network resource. + type: string + peerings: + description: Peerings defines a list of peerings of the newly created virtual network with existing virtual networks. + items: + description: VnetPeeringSpec specifies an existing remote virtual network to peer with the AzureCluster's virtual network. + properties: + forwardPeeringProperties: + description: ForwardPeeringProperties specifies VnetPeeringProperties for peering from the cluster's virtual network to the remote virtual network. + properties: + allowForwardedTraffic: + description: AllowForwardedTraffic specifies whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. + type: boolean + allowGatewayTransit: + description: AllowGatewayTransit specifies if gateway links can be used in remote virtual networking to link to this virtual network. + type: boolean + allowVirtualNetworkAccess: + description: AllowVirtualNetworkAccess specifies whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. 
+ type: boolean + useRemoteGateways: + description: UseRemoteGateways specifies if remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also set to true, the virtual network will use the gateways of the remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. + type: boolean + type: object + remoteVnetName: + description: RemoteVnetName defines name of the remote virtual network. + type: string + resourceGroup: + description: ResourceGroup is the resource group name of the remote virtual network. + type: string + reversePeeringProperties: + description: ReversePeeringProperties specifies VnetPeeringProperties for peering from the remote virtual network to the cluster's virtual network. + properties: + allowForwardedTraffic: + description: AllowForwardedTraffic specifies whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. + type: boolean + allowGatewayTransit: + description: AllowGatewayTransit specifies if gateway links can be used in remote virtual networking to link to this virtual network. + type: boolean + allowVirtualNetworkAccess: + description: AllowVirtualNetworkAccess specifies whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. + type: boolean + useRemoteGateways: + description: UseRemoteGateways specifies if remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also set to true, the virtual network will use the gateways of the remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. 
+ type: boolean + type: object + required: + - remoteVnetName + type: object + type: array + resourceGroup: + description: ResourceGroup is the name of the resource group of the existing virtual network or the resource group where a managed virtual network should be created. + type: string + tags: + additionalProperties: + type: string + description: Tags is a collection of tags describing the resource. + type: object + required: + - name + type: object + type: object + resourceGroup: + type: string + subscriptionID: + type: string + required: + - location + type: object + status: + description: AzureClusterStatus defines the observed state of AzureCluster. + properties: + conditions: + description: Conditions defines current service state of the AzureCluster. + items: + description: Condition defines an observation of a Cluster API resource operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. + type: string + severity: + description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + failureDomains: + additionalProperties: + description: FailureDomainSpec is the Schema for Cluster API failure domains. It allows controllers to understand how many failure domains a cluster can optionally span across. + properties: + attributes: + additionalProperties: + type: string + description: Attributes is a free form map of attributes an infrastructure provider might use or require. + type: object + controlPlane: + description: ControlPlane determines if this failure domain is suitable for use by control plane machines. + type: boolean + type: object + description: 'FailureDomains specifies the list of unique failure domains for the location/region of the cluster. A FailureDomain maps to Availability Zone with an Azure Region (if the region support them). An Availability Zone is a separate data center within a region and they can be used to ensure the cluster is more resilient to failure. See: https://learn.microsoft.com/azure/reliability/availability-zones-overview This list will be used by Cluster API to try and spread the machines across the failure domains.' + type: object + longRunningOperationStates: + description: LongRunningOperationStates saves the states for Azure long-running operations so they can be continued on the next reconciliation loop. + items: + description: Future contains the data needed for an Azure long-running operation to continue across reconcile loops. + properties: + data: + description: Data is the base64 url encoded json Azure AutoRest Future. + type: string + name: + description: Name is the name of the Azure resource. Together with the service name, this forms the unique identifier for the future. 
+ type: string + resourceGroup: + description: ResourceGroup is the Azure resource group for the resource. + type: string + serviceName: + description: ServiceName is the name of the Azure service. Together with the name of the resource, this forms the unique identifier for the future. + type: string + type: + description: Type describes the type of future, such as update, create, delete, etc. + type: string + required: + - data + - name + - serviceName + - type + type: object + type: array + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azureclusteridentity-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azureclusteridentity-crd.yaml new file mode 100644 index 000000000..77777cf56 --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azureclusteridentity-crd.yaml 
@@ -0,0 +1,183 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azureclusteridentities.infrastructure.cluster.x-k8s.io + annotations: + cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "cluster-api-provider-azure.fullname" . }}-serving-cert' + controller-gen.kubebuilder.io/version: v0.9.2 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + cluster.x-k8s.io/v1beta1: v1beta1 + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: '{{ include "cluster-api-provider-azure.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureClusterIdentity + listKind: AzureClusterIdentityList + plural: azureclusteridentities + singular: azureclusteridentity + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Type of Azure Identity + jsonPath: .spec.type + name: Type + type: string + - description: Time duration since creation of this AzureClusterIdentity + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: AzureClusterIdentity is the Schema for the azureclustersidentities API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureClusterIdentitySpec defines the parameters that are used to create an AzureIdentity. + properties: + allowedNamespaces: + description: AllowedNamespaces is used to identify the namespaces the clusters are allowed to use the identity from. Namespaces can be selected either using an array of namespaces or with label selector. An empty allowedNamespaces object indicates that AzureClusters can use this identity from any namespace. If this object is nil, no namespaces will be allowed (default behaviour, if this field is not provided) A namespace should be either in the NamespaceList or match with Selector to use the identity. + nullable: true + properties: + list: + description: A nil or empty list indicates that AzureCluster cannot use the identity from any namespace. + items: + type: string + nullable: true + type: array + selector: + description: "Selector is a selector of namespaces that AzureCluster can use this Identity from. This is a standard Kubernetes LabelSelector, a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. \n A nil or empty selector indicates that AzureCluster cannot use this AzureClusterIdentity from any namespace." + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + clientID: + description: ClientID is the service principal client ID. Both User Assigned MSI and SP can use this field. + type: string + clientSecret: + description: ClientSecret is a secret reference which should contain either a Service Principal password or certificate secret. + properties: + name: + description: name is unique within a namespace to reference a secret resource. + type: string + namespace: + description: namespace defines the space within which the secret name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + resourceID: + description: ResourceID is the Azure resource ID for the User Assigned MSI resource. Only applicable when type is UserAssignedMSI. + type: string + tenantID: + description: TenantID is the service principal primary tenant id. + type: string + type: + description: Type is the type of Azure Identity used. ServicePrincipal, ServicePrincipalCertificate, UserAssignedMSI or ManualServicePrincipal. 
+ enum: + - ServicePrincipal + - UserAssignedMSI + - ManualServicePrincipal + - ServicePrincipalCertificate + - WorkloadIdentity + type: string + required: + - clientID + - tenantID + - type + type: object + status: + description: AzureClusterIdentityStatus defines the observed state of AzureClusterIdentity. + properties: + conditions: + description: Conditions defines current service state of the AzureClusterIdentity. + items: + description: Condition defines an observation of a Cluster API resource operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. + type: string + severity: + description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. 
+ type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azureclustertemplate-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azureclustertemplate-crd.yaml new file mode 100644 index 000000000..012c267f2 --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azureclustertemplate-crd.yaml 
@@ -0,0 +1,659 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azureclustertemplates.infrastructure.cluster.x-k8s.io + annotations: + cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "cluster-api-provider-azure.fullname" . }}-serving-cert' + controller-gen.kubebuilder.io/version: v0.9.2 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + cluster.x-k8s.io/v1beta1: v1beta1 + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: '{{ include "cluster-api-provider-azure.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureClusterTemplate + listKind: AzureClusterTemplateList + plural: azureclustertemplates + singular: azureclustertemplate + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: AzureClusterTemplate is the Schema for the azureclustertemplates API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureClusterTemplateSpec defines the desired state of AzureClusterTemplate. + properties: + template: + description: AzureClusterTemplateResource describes the data needed to create an AzureCluster from a template. + properties: + spec: + description: AzureClusterTemplateResourceSpec specifies an Azure cluster template resource. + properties: + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to Azure resources managed by the Azure provider, in addition to the ones added by default. + type: object + azureEnvironment: + description: 'AzureEnvironment is the name of the AzureCloud to be used. The default value that would be used by most users is "AzurePublicCloud", other values are: - ChinaCloud: "AzureChinaCloud" - GermanCloud: "AzureGermanCloud" - PublicCloud: "AzurePublicCloud" - USGovernmentCloud: "AzureUSGovernmentCloud"' + type: string + bastionSpec: + description: BastionSpec encapsulates all things related to the Bastions in the cluster. + properties: + azureBastion: + description: AzureBastionTemplateSpec specifies a template for an Azure Bastion host. + properties: + subnet: + description: SubnetTemplateSpec specifies a template for a subnet. + properties: + cidrBlocks: + description: CIDRBlocks defines the subnet's address space, specified as one or more address prefixes in CIDR notation. + items: + type: string + type: array + name: + description: Name defines a name for the subnet resource. + type: string + natGateway: + description: NatGateway associated with this subnet. + properties: + name: + type: string + required: + - name + type: object + privateEndpoints: + description: PrivateEndpoints defines a list of private endpoints that should be attached to this subnet. 
+ items: + description: PrivateEndpointSpec configures an Azure Private Endpoint. + properties: + applicationSecurityGroups: + description: ApplicationSecurityGroups specifies the Application security group in which the private endpoint IP configuration is included. + items: + type: string + type: array + customNetworkInterfaceName: + description: CustomNetworkInterfaceName specifies the network interface name associated with the private endpoint. + type: string + location: + description: Location specifies the region to create the private endpoint. + type: string + manualApproval: + description: ManualApproval specifies if the connection approval needs to be done manually or not. Set it true when the network admin does not have access to approve connections to the remote resource. Defaults to false. + type: boolean + name: + description: Name specifies the name of the private endpoint. + type: string + privateIPAddresses: + description: PrivateIPAddresses specifies the IP addresses for the network interface associated with the private endpoint. They have to be part of the subnet where the private endpoint is linked. + items: + type: string + type: array + privateLinkServiceConnections: + description: PrivateLinkServiceConnections specifies Private Link Service Connections of the private endpoint. + items: + description: PrivateLinkServiceConnection defines the specification for a private link service connection associated with a private endpoint. + properties: + groupIDs: + description: GroupIDs specifies the ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. + items: + type: string + type: array + name: + description: Name specifies the name of the private link service. + type: string + privateLinkServiceID: + description: PrivateLinkServiceID specifies the resource ID of the private link service. 
+ type: string + requestMessage: + description: RequestMessage specifies a message passed to the owner of the remote resource with the private endpoint connection request. + maxLength: 140 + type: string + type: object + type: array + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + role: + description: Role defines the subnet role (eg. Node, ControlPlane) + enum: + - node + - control-plane + - bastion + type: string + securityGroup: + description: SecurityGroup defines the NSG (network security group) that should be attached to this subnet. + properties: + securityRules: + description: SecurityRules is a slice of Azure security rules for security groups. + items: + description: SecurityRule defines an Azure security rule for security groups. + properties: + description: + description: A description for this rule. Restricted to 140 chars. + type: string + destination: + description: Destination is the destination address prefix. CIDR or destination IP range. Asterix '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. + type: string + destinationPorts: + description: DestinationPorts specifies the destination port or range. Integer or range between 0 and 65535. Asterix '*' can also be used to match all ports. + type: string + direction: + description: Direction indicates whether the rule applies to inbound, or outbound traffic. "Inbound" or "Outbound". + enum: + - Inbound + - Outbound + type: string + name: + description: Name is a unique name within the network security group. + type: string + priority: + description: Priority is a number between 100 and 4096. Each rule should have a unique value for priority. Rules are processed in priority order, with lower numbers processed before higher numbers. Once traffic matches a rule, processing stops. 
+ format: int32 + type: integer + protocol: + description: Protocol specifies the protocol type. "Tcp", "Udp", "Icmp", or "*". + enum: + - Tcp + - Udp + - Icmp + - '*' + type: string + source: + description: Source specifies the CIDR or source IP range. Asterix '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. + type: string + sourcePorts: + description: SourcePorts specifies source port or range. Integer or range between 0 and 65535. Asterix '*' can also be used to match all ports. + type: string + required: + - description + - direction + - name + - protocol + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + tags: + additionalProperties: + type: string + description: Tags defines a map of tags. + type: object + type: object + serviceEndpoints: + description: ServiceEndpoints is a slice of Virtual Network service endpoints to enable for the subnets. + items: + description: ServiceEndpointSpec configures an Azure Service Endpoint. + properties: + locations: + items: + type: string + type: array + service: + type: string + required: + - locations + - service + type: object + type: array + x-kubernetes-list-map-keys: + - service + x-kubernetes-list-type: map + required: + - name + - role + type: object + type: object + type: object + cloudProviderConfigOverrides: + description: 'CloudProviderConfigOverrides is an optional set of configuration values that can be overridden in azure cloud provider config. This is only a subset of options that are available in azure cloud provider config. Some values for the cloud provider config are inferred from other parts of cluster api provider azure spec, and may not be available for overrides. 
See: https://cloud-provider-azure.sigs.k8s.io/install/configs Note: All cloud provider config values can be customized by creating the secret beforehand. CloudProviderConfigOverrides is only used when the secret is managed by the Azure Provider.' + properties: + backOffs: + description: BackOffConfig indicates the back-off config options. + properties: + cloudProviderBackoff: + type: boolean + cloudProviderBackoffDuration: + type: integer + cloudProviderBackoffExponent: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + cloudProviderBackoffJitter: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + cloudProviderBackoffRetries: + type: integer + type: object + rateLimits: + items: + description: 'RateLimitSpec represents the rate limit configuration for a particular kind of resource. Eg. loadBalancerRateLimit is used to configure rate limits for load balancers. This eventually gets converted to CloudProviderRateLimitConfig that cloud-provider-azure expects. See: https://github.com/kubernetes-sigs/cloud-provider-azure/blob/d585c2031925b39c925624302f22f8856e29e352/pkg/provider/azure_ratelimit.go#L25 We cannot use CloudProviderRateLimitConfig directly because floating point values are not supported in controller-tools. See: https://github.com/kubernetes-sigs/controller-tools/issues/245' + properties: + config: + description: RateLimitConfig indicates the rate limit config options. 
+ properties: + cloudProviderRateLimit: + type: boolean + cloudProviderRateLimitBucket: + type: integer + cloudProviderRateLimitBucketWrite: + type: integer + cloudProviderRateLimitQPS: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + cloudProviderRateLimitQPSWrite: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + name: + description: Name is the name of the rate limit spec. + enum: + - defaultRateLimit + - routeRateLimit + - subnetsRateLimit + - interfaceRateLimit + - routeTableRateLimit + - loadBalancerRateLimit + - publicIPAddressRateLimit + - securityGroupRateLimit + - virtualMachineRateLimit + - storageAccountRateLimit + - diskRateLimit + - snapshotRateLimit + - virtualMachineScaleSetRateLimit + - virtualMachineSizesRateLimit + - availabilitySetRateLimit + type: string + required: + - name + type: object + type: array + type: object + extendedLocation: + description: ExtendedLocation is an optional set of ExtendedLocation properties for clusters on Azure public MEC. + properties: + name: + description: Name defines the name for the extended location. + type: string + type: + description: Type defines the type for the extended location. + enum: + - EdgeZone + type: string + required: + - name + - type + type: object + identityRef: + description: IdentityRef is a reference to an AzureIdentity to be used when reconciling this cluster + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + x-kubernetes-map-type: atomic + location: + type: string + networkSpec: + description: NetworkSpec encapsulates all things related to Azure network. + properties: + apiServerLB: + description: APIServerLB is the configuration for the control-plane load balancer. + properties: + idleTimeoutInMinutes: + description: IdleTimeoutInMinutes specifies the timeout for the TCP idle connection. + format: int32 + type: integer + sku: + description: SKU defines an Azure load balancer SKU. + type: string + type: + description: LBType defines an Azure load balancer Type. 
+ type: string + type: object + controlPlaneOutboundLB: + description: ControlPlaneOutboundLB is the configuration for the control-plane outbound load balancer. This is different from APIServerLB, and is used only in private clusters (optionally) for enabling outbound traffic. + properties: + idleTimeoutInMinutes: + description: IdleTimeoutInMinutes specifies the timeout for the TCP idle connection. + format: int32 + type: integer + sku: + description: SKU defines an Azure load balancer SKU. + type: string + type: + description: LBType defines an Azure load balancer Type. + type: string + type: object + nodeOutboundLB: + description: NodeOutboundLB is the configuration for the node outbound load balancer. + properties: + idleTimeoutInMinutes: + description: IdleTimeoutInMinutes specifies the timeout for the TCP idle connection. + format: int32 + type: integer + sku: + description: SKU defines an Azure load balancer SKU. + type: string + type: + description: LBType defines an Azure load balancer Type. + type: string + type: object + privateDNSZoneName: + description: PrivateDNSZoneName defines the zone name for the Azure Private DNS. + type: string + subnets: + description: Subnets is the configuration for the control-plane subnet and the node subnet. + items: + description: SubnetTemplateSpec specifies a template for a subnet. + properties: + cidrBlocks: + description: CIDRBlocks defines the subnet's address space, specified as one or more address prefixes in CIDR notation. + items: + type: string + type: array + name: + description: Name defines a name for the subnet resource. + type: string + natGateway: + description: NatGateway associated with this subnet. + properties: + name: + type: string + required: + - name + type: object + privateEndpoints: + description: PrivateEndpoints defines a list of private endpoints that should be attached to this subnet. + items: + description: PrivateEndpointSpec configures an Azure Private Endpoint. 
+ properties: + applicationSecurityGroups: + description: ApplicationSecurityGroups specifies the Application security group in which the private endpoint IP configuration is included. + items: + type: string + type: array + customNetworkInterfaceName: + description: CustomNetworkInterfaceName specifies the network interface name associated with the private endpoint. + type: string + location: + description: Location specifies the region to create the private endpoint. + type: string + manualApproval: + description: ManualApproval specifies if the connection approval needs to be done manually or not. Set it true when the network admin does not have access to approve connections to the remote resource. Defaults to false. + type: boolean + name: + description: Name specifies the name of the private endpoint. + type: string + privateIPAddresses: + description: PrivateIPAddresses specifies the IP addresses for the network interface associated with the private endpoint. They have to be part of the subnet where the private endpoint is linked. + items: + type: string + type: array + privateLinkServiceConnections: + description: PrivateLinkServiceConnections specifies Private Link Service Connections of the private endpoint. + items: + description: PrivateLinkServiceConnection defines the specification for a private link service connection associated with a private endpoint. + properties: + groupIDs: + description: GroupIDs specifies the ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. + items: + type: string + type: array + name: + description: Name specifies the name of the private link service. + type: string + privateLinkServiceID: + description: PrivateLinkServiceID specifies the resource ID of the private link service. + type: string + requestMessage: + description: RequestMessage specifies a message passed to the owner of the remote resource with the private endpoint connection request. 
+ maxLength: 140 + type: string + type: object + type: array + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + role: + description: Role defines the subnet role (eg. Node, ControlPlane) + enum: + - node + - control-plane + - bastion + type: string + securityGroup: + description: SecurityGroup defines the NSG (network security group) that should be attached to this subnet. + properties: + securityRules: + description: SecurityRules is a slice of Azure security rules for security groups. + items: + description: SecurityRule defines an Azure security rule for security groups. + properties: + description: + description: A description for this rule. Restricted to 140 chars. + type: string + destination: + description: Destination is the destination address prefix. CIDR or destination IP range. Asterix '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. + type: string + destinationPorts: + description: DestinationPorts specifies the destination port or range. Integer or range between 0 and 65535. Asterix '*' can also be used to match all ports. + type: string + direction: + description: Direction indicates whether the rule applies to inbound, or outbound traffic. "Inbound" or "Outbound". + enum: + - Inbound + - Outbound + type: string + name: + description: Name is a unique name within the network security group. + type: string + priority: + description: Priority is a number between 100 and 4096. Each rule should have a unique value for priority. Rules are processed in priority order, with lower numbers processed before higher numbers. Once traffic matches a rule, processing stops. + format: int32 + type: integer + protocol: + description: Protocol specifies the protocol type. "Tcp", "Udp", "Icmp", or "*". 
+ enum: + - Tcp + - Udp + - Icmp + - '*' + type: string + source: + description: Source specifies the CIDR or source IP range. Asterix '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. + type: string + sourcePorts: + description: SourcePorts specifies source port or range. Integer or range between 0 and 65535. Asterix '*' can also be used to match all ports. + type: string + required: + - description + - direction + - name + - protocol + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + tags: + additionalProperties: + type: string + description: Tags defines a map of tags. + type: object + type: object + serviceEndpoints: + description: ServiceEndpoints is a slice of Virtual Network service endpoints to enable for the subnets. + items: + description: ServiceEndpointSpec configures an Azure Service Endpoint. + properties: + locations: + items: + type: string + type: array + service: + type: string + required: + - locations + - service + type: object + type: array + x-kubernetes-list-map-keys: + - service + x-kubernetes-list-type: map + required: + - name + - role + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + vnet: + description: Vnet is the configuration for the Azure virtual network. + properties: + cidrBlocks: + description: CIDRBlocks defines the virtual network's address space, specified as one or more address prefixes in CIDR notation. + items: + type: string + type: array + peerings: + description: Peerings defines a list of peerings of the newly created virtual network with existing virtual networks. + items: + description: VnetPeeringClassSpec specifies a virtual network peering class. 
+ properties: + forwardPeeringProperties: + description: ForwardPeeringProperties specifies VnetPeeringProperties for peering from the cluster's virtual network to the remote virtual network. + properties: + allowForwardedTraffic: + description: AllowForwardedTraffic specifies whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. + type: boolean + allowGatewayTransit: + description: AllowGatewayTransit specifies if gateway links can be used in remote virtual networking to link to this virtual network. + type: boolean + allowVirtualNetworkAccess: + description: AllowVirtualNetworkAccess specifies whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. + type: boolean + useRemoteGateways: + description: UseRemoteGateways specifies if remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also set to true, the virtual network will use the gateways of the remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. + type: boolean + type: object + remoteVnetName: + description: RemoteVnetName defines name of the remote virtual network. + type: string + resourceGroup: + description: ResourceGroup is the resource group name of the remote virtual network. + type: string + reversePeeringProperties: + description: ReversePeeringProperties specifies VnetPeeringProperties for peering from the remote virtual network to the cluster's virtual network. + properties: + allowForwardedTraffic: + description: AllowForwardedTraffic specifies whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. 
+ type: boolean + allowGatewayTransit: + description: AllowGatewayTransit specifies if gateway links can be used in remote virtual networking to link to this virtual network. + type: boolean + allowVirtualNetworkAccess: + description: AllowVirtualNetworkAccess specifies whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. + type: boolean + useRemoteGateways: + description: UseRemoteGateways specifies if remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also set to true, the virtual network will use the gateways of the remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. + type: boolean + type: object + required: + - remoteVnetName + type: object + type: array + tags: + additionalProperties: + type: string + description: Tags is a collection of tags describing the resource. + type: object + type: object + type: object + subscriptionID: + type: string + required: + - location + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azureidentity-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azureidentity-crd.yaml new file mode 100644 index 000000000..f228c0275 --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azureidentity-crd.yaml 
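Review bot: The CRD is rendered from `templates/` behind `{{- if .Values.crds.create -}}` with no `helm.sh/resource-policy: keep` annotation, so Helm treats it as an ordinary release resource and `helm uninstall` (or flipping `crds.create` to false on upgrade) deletes the CRD, which cascade-deletes every AzureClusterTemplate object in the management cluster. Add `helm.sh/resource-policy: keep` to the `metadata.annotations` block next to the cert-manager annotation, or document in `values.yaml` that disabling `crds.create` destroys the custom resources. The same gap applies to the azureidentity and azureidentitybinding CRD hunks in this commit, and presumably to the other CRD templates the diffstat lists.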
@@ -0,0 +1,96 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azureidentities.aadpodidentity.k8s.io + annotations: + api-approved.kubernetes.io: unapproved + controller-gen.kubebuilder.io/version: v0.5.0 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + group: aadpodidentity.k8s.io + names: + kind: AzureIdentity + listKind: AzureIdentityList + plural: azureidentities + singular: azureidentity + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AzureIdentity is the specification of the identity data structure. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureIdentitySpec describes the credential specifications of an identity on Azure. + properties: + adEndpoint: + type: string + adResourceID: + description: For service principal. Option param for specifying the AD details. + type: string + auxiliaryTenantIDs: + description: Service principal auxiliary tenant ids + items: + type: string + nullable: true + type: array + clientID: + description: Both User Assigned MSI and SP can use this field. 
+ type: string + clientPassword: + description: Used for service principal + properties: + name: + description: Name is unique within a namespace to reference a secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret name must be unique. + type: string + type: object + metadata: + type: object + replicas: + format: int32 + nullable: true + type: integer + resourceID: + description: User assigned MSI resource id. + type: string + tenantID: + description: Service principal primary tenant id. + type: string + type: + description: UserAssignedMSI or Service Principal + type: integer + type: object + status: + description: AzureIdentityStatus contains the replica status of the resource. + properties: + availableReplicas: + format: int32 + type: integer + metadata: + type: object + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azureidentitybinding-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azureidentitybinding-crd.yaml new file mode 100644 index 000000000..7e9570d8a --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azureidentitybinding-crd.yaml 
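Review bot: The chart ships the `aadpodidentity.k8s.io` CRDs (AzureIdentity here, AzureIdentityBinding in the next hunk) under the same single `crds.create` switch as the provider's own CRDs, although the AzureClusterIdentity `type` enum in this commit already offers `WorkloadIdentity`; upstream has, as far as I know, deprecated AAD Pod Identity in favour of workload identity, so a reader cannot tell from the chart whether these two CRDs are still required. A short comment in `values.yaml` or the README stating why they are installed would help, e.g. `# AzureIdentity/AzureIdentityBinding (aadpodidentity.k8s.io) are still required by CAPZ for the UserAssignedMSI identity type` if that is the reason, and a separate value to opt out of them would let operators who only use workload identity avoid installing an `api-approved.kubernetes.io: unapproved` API group.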
@@ -0,0 +1,66 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azureidentitybindings.aadpodidentity.k8s.io + annotations: + api-approved.kubernetes.io: unapproved + controller-gen.kubebuilder.io/version: v0.5.0 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + group: aadpodidentity.k8s.io + names: + kind: AzureIdentityBinding + listKind: AzureIdentityBindingList + plural: azureidentitybindings + singular: azureidentitybinding + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AzureIdentityBinding brings together the spec of matching pods and the identity which they can use. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present. + properties: + azureIdentity: + type: string + metadata: + type: object + selector: + type: string + weight: + description: Weight is used to figure out which of the matching identities would be selected. 
+ type: integer + type: object + status: + description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding. + properties: + availableReplicas: + format: int32 + type: integer + metadata: + type: object + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azuremachine-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azuremachine-crd.yaml new file mode 100644 index 000000000..243ee0903 --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azuremachine-crd.yaml 
@@ -0,0 +1,625 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremachines.infrastructure.cluster.x-k8s.io + annotations: + cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "cluster-api-provider-azure.fullname" . }}-serving-cert' + controller-gen.kubebuilder.io/version: v0.9.2 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + cluster.x-k8s.io/v1beta1: v1beta1 + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: '{{ include "cluster-api-provider-azure.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureMachine + listKind: AzureMachineList + plural: azuremachines + singular: azuremachine + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].message + name: Message + priority: 1 + type: string + - description: Azure VM provisioning state + jsonPath: .status.vmState + name: State + type: string + - description: Cluster to which this AzureMachine belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + priority: 1 + type: string + - description: Machine object to which this AzureMachine belongs + jsonPath: .metadata.ownerReferences[?(@.kind=="Machine")].name + name: Machine + priority: 1 + type: string + - description: Azure VM ID + jsonPath: .spec.providerID + name: VM ID + priority: 1 + type: string + - description: Azure VM Size + jsonPath: .spec.vmSize + name: VM Size + 
priority: 1 + type: string + - description: Time duration since creation of this AzureMachine + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: AzureMachine is the Schema for the azuremachines API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureMachineSpec defines the desired state of AzureMachine. + properties: + acceleratedNetworking: + description: 'Deprecated: AcceleratedNetworking should be set in the networkInterfaces field.' + type: boolean + additionalCapabilities: + description: AdditionalCapabilities specifies additional capabilities enabled or disabled on the virtual machine. + properties: + ultraSSDEnabled: + description: UltraSSDEnabled enables or disables Azure UltraSSD capability for the virtual machine. Defaults to true if Ultra SSD data disks are specified, otherwise it doesn't set the capability on the VM. + type: boolean + type: object + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to an instance, in addition to the ones added by default by the Azure provider. If both the AzureCluster and the AzureMachine specify the same tag name with different values, the AzureMachine's value takes precedence. 
+ type: object + allocatePublicIP: + description: AllocatePublicIP allows the ability to create dynamic public ips for machines where this value is true. + type: boolean + dataDisks: + description: DataDisk specifies the parameters that are used to add one or more data disks to the machine + items: + description: DataDisk specifies the parameters that are used to add one or more data disks to the machine. + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the data disk. + format: int32 + type: integer + lun: + description: Lun Specifies the logical unit number of the data disk. This value is used to identify data disks within the VM and therefore must be unique for each data disk attached to a VM. The value must be between 0 and 63. + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk parameters for the data disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk. + properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. It must be in the same subscription + type: string + type: object + securityProfile: + description: SecurityProfile specifies the security profile for the managed disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob. + properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. It must be in the same subscription + type: string + type: object + securityEncryptionType: + description: SecurityEncryptionType specifies the encryption type of the managed disk. 
It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When set to VMGuestStateOnly, VirtualizedTrustedPlatformModule should be set to Enabled. When set to DiskWithVMGuestState, EncryptionAtHost should be disabled, SecureBoot and VirtualizedTrustedPlatformModule should be set to Enabled. It can be set only for Confidential VMs. + enum: + - VMGuestStateOnly + - DiskWithVMGuestState + type: string + type: object + storageAccountType: + type: string + type: object + nameSuffix: + description: NameSuffix is the suffix to be appended to the machine name to generate the disk name. Each disk name will be in format _. + type: string + required: + - diskSizeGB + - nameSuffix + type: object + type: array + diagnostics: + description: Diagnostics specifies the diagnostics settings for a virtual machine. If not specified then Boot diagnostics (Managed) will be enabled. + properties: + boot: + description: Boot configures the boot diagnostics settings for the virtual machine. This allows to configure capturing serial output from the virtual machine on boot. This is useful for debugging software based launch issues. If not specified then Boot diagnostics (Managed) will be enabled. + properties: + storageAccountType: + description: StorageAccountType determines if the storage account for storing the diagnostics data should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). + enum: + - Managed + - UserManaged + - Disabled + type: string + userManaged: + description: UserManaged provides a reference to the user-managed storage account. + properties: + storageAccountURI: + description: 'StorageAccountURI is the URI of the user-managed storage account. The URI typically will be `https://.blob.core.windows.net/` but may differ if you are using Azure DNS zone endpoints. 
You can find the correct endpoint by looking for the Blob Primary Endpoint in the endpoints tab in the Azure console or with the CLI by issuing `az storage account list --query=''[].{name: name, "resource group": resourceGroup, "blob endpoint": primaryEndpoints.blob}''`.' + maxLength: 1024 + pattern: ^https:// + type: string + required: + - storageAccountURI + type: object + required: + - storageAccountType + type: object + type: object + dnsServers: + description: DNSServers adds a list of DNS Server IP addresses to the VM NICs. + items: + type: string + type: array + enableIPForwarding: + description: EnableIPForwarding enables IP Forwarding in Azure which is required for some CNI's to send traffic from a pods on one machine to another. This is required for IpV6 with Calico in combination with User Defined Routes (set by the Azure Cloud Controller manager). Default is false for disabled. + type: boolean + failureDomain: + description: FailureDomain is the failure domain unique identifier this Machine should be attached to, as defined in Cluster API. This relates to an Azure Availability Zone + type: string + identity: + default: None + description: Identity is the type of identity used for the virtual machine. The type 'SystemAssigned' is an implicitly created identity. The generated identity will be assigned a Subscription contributor role. The type 'UserAssigned' is a standalone Azure resource provided by the user and assigned to the VM + enum: + - None + - SystemAssigned + - UserAssigned + type: string + image: + description: Image is used to provide details of an image to use during VM creation. If image details are omitted the image will default the Azure Marketplace "capi" offer, which is based on Ubuntu. 
+ properties: + computeGallery: + description: ComputeGallery specifies an image to use from the Azure Compute Gallery + properties: + gallery: + description: Gallery specifies the name of the compute image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + plan: + description: Plan contains plan information. + properties: + offer: + description: Offer specifies the name of a group of related images created by the publisher. For example, UbuntuServer, WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter + minLength: 1 + type: string + required: + - offer + - publisher + - sku + type: object + resourceGroup: + description: ResourceGroup specifies the resource group containing the private compute gallery. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription that contains the private compute gallery. + type: string + version: + description: Version specifies the version of the marketplace image. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - version + type: object + id: + description: ID specifies an image to use by ID + type: string + marketplace: + description: Marketplace specifies an image to use from the Azure Marketplace + properties: + offer: + description: Offer specifies the name of a group of related images created by the publisher. 
For example, UbuntuServer, WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter + minLength: 1 + type: string + thirdPartyImage: + default: false + description: ThirdPartyImage indicates the image is published by a third party publisher and a Plan will be generated for it. + type: boolean + version: + description: Version specifies the version of an image sku. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - offer + - publisher + - sku + - version + type: object + sharedGallery: + description: 'SharedGallery specifies an image to use from an Azure Shared Image Gallery Deprecated: use ComputeGallery instead.' + properties: + gallery: + description: Gallery specifies the name of the shared image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + offer: + description: Offer specifies the name of a group of related images created by the publisher. For example, UbuntuServer, WindowsServer This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + publisher: + description: Publisher is the name of the organization that created the image. This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. 
This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + resourceGroup: + description: ResourceGroup specifies the resource group containing the shared image gallery + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription that contains the shared image gallery + minLength: 1 + type: string + version: + description: Version specifies the version of the marketplace image. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - resourceGroup + - subscriptionID + - version + type: object + type: object + networkInterfaces: + description: NetworkInterfaces specifies a list of network interface configurations. If left unspecified, the VM will get a single network interface with a single IPConfig in the subnet specified in the cluster's node subnet field. The primary interface will be the first networkInterface specified (index 0) in the list. + items: + description: NetworkInterface defines a network interface. + properties: + acceleratedNetworking: + description: AcceleratedNetworking enables or disables Azure accelerated networking. If omitted, it will be set based on whether the requested VMSize supports accelerated networking. 
If AcceleratedNetworking is set to true with a VMSize that does not support it, Azure will return an error. + type: boolean + privateIPConfigs: + description: PrivateIPConfigs specifies the number of private IP addresses to attach to the interface. Defaults to 1 if not specified. + type: integer + subnetName: + description: SubnetName specifies the subnet in which the new network interface will be placed. + type: string + type: object + type: array + osDisk: + description: OSDisk specifies the parameters for the operating system disk of the machine + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diffDiskSettings: + description: DiffDiskSettings describe ephemeral disk settings for the os disk. + properties: + option: + description: Option enables ephemeral OS when set to "Local" See https://learn.microsoft.com/azure/virtual-machines/ephemeral-os-disks for full details + enum: + - Local + type: string + required: + - option + type: object + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the OS disk. Will have a default of 30GB if not provided + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk parameters for the OS disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk. + properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. It must be in the same subscription + type: string + type: object + securityProfile: + description: SecurityProfile specifies the security profile for the managed disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob. 
+ properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. It must be in the same subscription + type: string + type: object + securityEncryptionType: + description: SecurityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When set to VMGuestStateOnly, VirtualizedTrustedPlatformModule should be set to Enabled. When set to DiskWithVMGuestState, EncryptionAtHost should be disabled, SecureBoot and VirtualizedTrustedPlatformModule should be set to Enabled. It can be set only for Confidential VMs. + enum: + - VMGuestStateOnly + - DiskWithVMGuestState + type: string + type: object + storageAccountType: + type: string + type: object + osType: + type: string + required: + - osType + type: object + providerID: + description: ProviderID is the unique identifier as specified by the cloud provider. + type: string + roleAssignmentName: + description: 'Deprecated: RoleAssignmentName should be set in the systemAssignedIdentityRole field.' + type: string + securityProfile: + description: SecurityProfile specifies the Security profile settings for a virtual machine. + properties: + encryptionAtHost: + description: This field indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. Default is disabled. + type: boolean + securityType: + description: 'SecurityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UefiSettings. The default behavior is: UefiSettings will not be enabled unless this property is set.' 
+ enum: + - ConfidentialVM + - TrustedLaunch + type: string + uefiSettings: + description: UefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine. + properties: + secureBootEnabled: + description: SecureBootEnabled specifies whether secure boot should be enabled on the virtual machine. Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is false. + type: boolean + vTpmEnabled: + description: VTpmEnabled specifies whether vTPM should be enabled on the virtual machine. When true it enables the virtualized trusted platform module measurements to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be set to Enabled if SecurityEncryptionType is defined. If omitted, the platform chooses a default, which is subject to change over time, currently that default is false. + type: boolean + type: object + type: object + spotVMOptions: + description: SpotVMOptions allows the ability to specify the Machine should use a Spot VM + properties: + evictionPolicy: + description: EvictionPolicy defines the behavior of the virtual machine when it is evicted. It can be either Delete or Deallocate. + enum: + - Deallocate + - Delete + type: string + maxPrice: + anyOf: + - type: integer + - type: string + description: MaxPrice defines the maximum price the user is willing to pay for Spot VM instances + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + sshPublicKey: + description: SSHPublicKey is the SSH public key string, base64-encoded to add to a Virtual Machine. Linux only. 
Refer to documentation on how to set up SSH access on Windows instances. + type: string + subnetName: + description: 'Deprecated: SubnetName should be set in the networkInterfaces field.' + type: string + systemAssignedIdentityRole: + description: SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity. + properties: + definitionID: + description: 'DefinitionID is the ID of the role definition to create for a system assigned identity. It can be an Azure built-in role or a custom role. Refer to built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles' + type: string + name: + description: Name is the name of the role assignment to create for a system assigned identity. It can be any valid UUID. If not specified, a random UUID will be generated. + type: string + scope: + description: Scope is the scope that the role assignment or definition applies to. The scope can be any REST resource instance. If not specified, the scope will be the subscription. + type: string + type: object + userAssignedIdentities: + description: UserAssignedIdentities is a list of standalone Azure identities provided by the user The lifecycle of a user-assigned identity is managed separately from the lifecycle of the AzureMachine. See https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli + items: + description: UserAssignedIdentity defines the user-assigned identities provided by the user to be assigned to Azure resources. 
+ properties: + providerID: + description: 'ProviderID is the identification ID of the user-assigned Identity, the format of an identity is: ''azure:///subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}''' + type: string + required: + - providerID + type: object + type: array + vmExtensions: + description: VMExtensions specifies a list of extensions to be added to the virtual machine. + items: + description: VMExtension specifies the parameters for a custom VM extension. + properties: + name: + description: Name is the name of the extension. + type: string + protectedSettings: + additionalProperties: + type: string + description: ProtectedSettings is a JSON formatted protected settings for the extension. + type: object + publisher: + description: Publisher is the name of the extension handler publisher. + type: string + settings: + additionalProperties: + type: string + description: Settings is a JSON formatted public settings for the extension. + type: object + version: + description: Version specifies the version of the script handler. + type: string + required: + - name + - publisher + - version + type: object + type: array + vmSize: + type: string + required: + - osDisk + - vmSize + type: object + status: + description: AzureMachineStatus defines the observed state of AzureMachine. + properties: + addresses: + description: Addresses contains the Azure instance associated addresses. + items: + description: NodeAddress contains information for the node's address. + properties: + address: + description: The node address. + type: string + type: + description: Node address type, one of Hostname, ExternalIP or InternalIP. + type: string + required: + - address + - type + type: object + type: array + conditions: + description: Conditions defines current service state of the AzureMachine. 
+ items: + description: Condition defines an observation of a Cluster API resource operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. + type: string + severity: + description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + failureMessage: + description: "ErrorMessage will be set in the event that there is a terminal problem reconciling the Machine and will contain a more verbose string suitable for logging and human consumption. \n This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the Machine's spec or the configuration of the controller, and that manual intervention is required. 
Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. \n Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output." + type: string + failureReason: + description: "ErrorReason will be set in the event that there is a terminal problem reconciling the Machine and will contain a succinct value suitable for machine interpretation. \n This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the Machine's spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. \n Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output." + type: string + longRunningOperationStates: + description: LongRunningOperationStates saves the states for Azure long-running operations so they can be continued on the next reconciliation loop. + items: + description: Future contains the data needed for an Azure long-running operation to continue across reconcile loops. + properties: + data: + description: Data is the base64 url encoded json Azure AutoRest Future. + type: string + name: + description: Name is the name of the Azure resource. Together with the service name, this forms the unique identifier for the future. + type: string + resourceGroup: + description: ResourceGroup is the Azure resource group for the resource. 
+ type: string + serviceName: + description: ServiceName is the name of the Azure service. Together with the name of the resource, this forms the unique identifier for the future. + type: string + type: + description: Type describes the type of future, such as update, create, delete, etc. + type: string + required: + - data + - name + - serviceName + - type + type: object + type: array + ready: + description: Ready is true when the provider resource is ready. + type: boolean + vmState: + description: VMState is the provisioning state of the Azure virtual machine. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azuremachinepool-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azuremachinepool-crd.yaml new file mode 100644 index 000000000..d2c215a4c --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azuremachinepool-crd.yaml 
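Review bot: The conversion webhook under `spec.conversion` ships with the placeholder `caBundle: Cg==` and depends on `cert-manager.io/inject-ca-from` resolving to `{{ .Release.Namespace }}/<fullname>-serving-cert`, so the CRD is only coherent on clusters where cert-manager's CA injector runs and that Certificate exists; neither appears in this diff (presumably the packaged subchart provides them), so cert-manager should be stated as a prerequisite in the chart's README.md. With only `v1beta1` served and stored, the API server will not call `/convert` today, which limits the impact until a second version is added. Separately, `vmExtensions[].protectedSettings` is a plain string map inside the AzureMachine spec, so anyone who can read AzureMachine objects can read extension secrets; a sentence in the README advising operators to scope RBAC on these resources accordingly would be worthwhile.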
@@ -0,0 +1,814 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremachinepools.infrastructure.cluster.x-k8s.io + annotations: + cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "cluster-api-provider-azure.fullname" . }}-serving-cert' + controller-gen.kubebuilder.io/version: v0.9.2 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + cluster.x-k8s.io/v1beta1: v1beta1 + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: '{{ include "cluster-api-provider-azure.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureMachinePool + listKind: AzureMachinePoolList + plural: azuremachinepools + shortNames: + - amp + singular: azuremachinepool + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: AzureMachinePool replicas count + jsonPath: .status.replicas + name: Replicas + type: string + - description: AzureMachinePool replicas count + jsonPath: .status.ready + name: Ready + type: string + - description: Azure VMSS provisioning state + jsonPath: .status.provisioningState + name: State + type: string + - description: Cluster to which this AzureMachinePool belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + priority: 1 + type: string + - description: MachinePool object to which this AzureMachinePool belongs + jsonPath: .metadata.ownerReferences[?(@.kind=="MachinePool")].name + name: MachinePool + priority: 1 + type: string + - description: Azure VMSS ID + jsonPath: .spec.providerID + name: VMSS ID + priority: 1 + type: string + - description: Azure VM Size + jsonPath: .spec.template.vmSize + 
name: VM Size + priority: 1 + type: string + - description: Time duration since creation of this AzureMachinePool + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: AzureMachinePool is the Schema for the azuremachinepools API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureMachinePoolSpec defines the desired state of AzureMachinePool. + properties: + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to an instance, in addition to the ones added by default by the Azure provider. If both the AzureCluster and the AzureMachine specify the same tag name with different values, the AzureMachine's value takes precedence. + type: object + identity: + default: None + description: Identity is the type of identity used for the Virtual Machine Scale Set. The type 'SystemAssigned' is an implicitly created identity. The generated identity will be assigned a Subscription contributor role. The type 'UserAssigned' is a standalone Azure resource provided by the user and assigned to the VM + enum: + - None + - SystemAssigned + - UserAssigned + type: string + location: + description: Location is the Azure region location e.g. 
westus2 + type: string + nodeDrainTimeout: + description: 'NodeDrainTimeout is the total amount of time that the controller will spend on draining a node. The default value is 0, meaning that the node can be drained without any time limitations. NOTE: NodeDrainTimeout is different from `kubectl drain --timeout`' + type: string + orchestrationMode: + default: Uniform + description: OrchestrationMode specifies the orchestration mode for the Virtual Machine Scale Set + enum: + - Flexible + - Uniform + type: string + providerID: + description: ProviderID is the identification ID of the Virtual Machine Scale Set + type: string + providerIDList: + description: ProviderIDList are the identification IDs of machine instances provided by the provider. This field must match the provider IDs as seen on the node objects corresponding to a machine pool's machine instances. + items: + type: string + type: array + roleAssignmentName: + description: 'Deprecated: RoleAssignmentName should be set in the systemAssignedIdentityRole field.' + type: string + strategy: + default: + rollingUpdate: + deletePolicy: Oldest + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + description: The deployment strategy to use to replace existing AzureMachinePoolMachines with new ones. + properties: + rollingUpdate: + description: Rolling update config params. Present only if MachineDeploymentStrategyType = RollingUpdate. + properties: + deletePolicy: + default: Oldest + description: DeletePolicy defines the policy used by the MachineDeployment to identify nodes to delete when downscaling. Valid values are "Random, "Newest", "Oldest" When no value is supplied, the default is Oldest + enum: + - Random + - Newest + - Oldest + type: string + maxSurge: + anyOf: + - type: integer + - type: string + default: 1 + description: 'The maximum number of machines that can be scheduled above the desired number of machines. Value can be an absolute number (ex: 5) or a percentage of desired machines (ex: 10%). 
This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 1. Example: when this is set to 30%, the new MachineSet can be scaled up immediately when the rolling update starts, such that the total number of old and new machines do not exceed 130% of desired machines. Once old machines have been killed, new MachineSet can be scaled up further, ensuring that total number of machines running at any time during the update is at most 130% of desired machines.' + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + default: 0 + description: 'The maximum number of machines that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired machines (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 0. Example: when this is set to 30%, the old MachineSet can be scaled down to 70% of desired machines immediately when the rolling update starts. Once new machines are ready, old MachineSet can be scaled down further, followed by scaling up the new MachineSet, ensuring that the total number of machines available at all times during the update is at least 70% of desired machines.' + x-kubernetes-int-or-string: true + type: object + type: + default: RollingUpdate + description: Type of deployment. Currently the only supported strategy is RollingUpdate + enum: + - RollingUpdate + type: string + type: object + systemAssignedIdentityRole: + description: SystemAssignedIdentityRole defines the role and scope to assign to the system assigned identity. + properties: + definitionID: + description: 'DefinitionID is the ID of the role definition to create for a system assigned identity. It can be an Azure built-in role or a custom role. 
Refer to built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles' + type: string + name: + description: Name is the name of the role assignment to create for a system assigned identity. It can be any valid UUID. If not specified, a random UUID will be generated. + type: string + scope: + description: Scope is the scope that the role assignment or definition applies to. The scope can be any REST resource instance. If not specified, the scope will be the subscription. + type: string + type: object + template: + description: Template contains the details used to build a replica virtual machine within the Machine Pool + properties: + acceleratedNetworking: + description: 'Deprecated: AcceleratedNetworking should be set in the networkInterfaces field.' + type: boolean + dataDisks: + description: DataDisks specifies the list of data disks to be created for a Virtual Machine + items: + description: DataDisk specifies the parameters that are used to add one or more data disks to the machine. + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the data disk. + format: int32 + type: integer + lun: + description: Lun Specifies the logical unit number of the data disk. This value is used to identify data disks within the VM and therefore must be unique for each data disk attached to a VM. The value must be between 0 and 63. + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk parameters for the data disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk. + properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. 
It must be in the same subscription + type: string + type: object + securityProfile: + description: SecurityProfile specifies the security profile for the managed disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob. + properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. It must be in the same subscription + type: string + type: object + securityEncryptionType: + description: SecurityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When set to VMGuestStateOnly, VirtualizedTrustedPlatformModule should be set to Enabled. When set to DiskWithVMGuestState, EncryptionAtHost should be disabled, SecureBoot and VirtualizedTrustedPlatformModule should be set to Enabled. It can be set only for Confidential VMs. + enum: + - VMGuestStateOnly + - DiskWithVMGuestState + type: string + type: object + storageAccountType: + type: string + type: object + nameSuffix: + description: NameSuffix is the suffix to be appended to the machine name to generate the disk name. Each disk name will be in format _. + type: string + required: + - diskSizeGB + - nameSuffix + type: object + type: array + diagnostics: + description: Diagnostics specifies the diagnostics settings for a virtual machine. If not specified then Boot diagnostics (Managed) will be enabled. + properties: + boot: + description: Boot configures the boot diagnostics settings for the virtual machine. This allows to configure capturing serial output from the virtual machine on boot. This is useful for debugging software based launch issues. If not specified then Boot diagnostics (Managed) will be enabled. 
+ properties: + storageAccountType: + description: StorageAccountType determines if the storage account for storing the diagnostics data should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). + enum: + - Managed + - UserManaged + - Disabled + type: string + userManaged: + description: UserManaged provides a reference to the user-managed storage account. + properties: + storageAccountURI: + description: 'StorageAccountURI is the URI of the user-managed storage account. The URI typically will be `https://.blob.core.windows.net/` but may differ if you are using Azure DNS zone endpoints. You can find the correct endpoint by looking for the Blob Primary Endpoint in the endpoints tab in the Azure console or with the CLI by issuing `az storage account list --query=''[].{name: name, "resource group": resourceGroup, "blob endpoint": primaryEndpoints.blob}''`.' + maxLength: 1024 + pattern: ^https:// + type: string + required: + - storageAccountURI + type: object + required: + - storageAccountType + type: object + type: object + image: + description: Image is used to provide details of an image to use during VM creation. If image details are omitted the image will default the Azure Marketplace "capi" offer, which is based on Ubuntu. + properties: + computeGallery: + description: ComputeGallery specifies an image to use from the Azure Compute Gallery + properties: + gallery: + description: Gallery specifies the name of the compute image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + plan: + description: Plan contains plan information. + properties: + offer: + description: Offer specifies the name of a group of related images created by the publisher. 
For example, UbuntuServer, WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter + minLength: 1 + type: string + required: + - offer + - publisher + - sku + type: object + resourceGroup: + description: ResourceGroup specifies the resource group containing the private compute gallery. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription that contains the private compute gallery. + type: string + version: + description: Version specifies the version of the marketplace image. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - version + type: object + id: + description: ID specifies an image to use by ID + type: string + marketplace: + description: Marketplace specifies an image to use from the Azure Marketplace + properties: + offer: + description: Offer specifies the name of a group of related images created by the publisher. For example, UbuntuServer, WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter + minLength: 1 + type: string + thirdPartyImage: + default: false + description: ThirdPartyImage indicates the image is published by a third party publisher and a Plan will be generated for it. 
+ type: boolean + version: + description: Version specifies the version of an image sku. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - offer + - publisher + - sku + - version + type: object + sharedGallery: + description: 'SharedGallery specifies an image to use from an Azure Shared Image Gallery Deprecated: use ComputeGallery instead.' + properties: + gallery: + description: Gallery specifies the name of the shared image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + offer: + description: Offer specifies the name of a group of related images created by the publisher. For example, UbuntuServer, WindowsServer This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + publisher: + description: Publisher is the name of the organization that created the image. This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + resourceGroup: + description: ResourceGroup specifies the resource group containing the shared image gallery + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. 
This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription that contains the shared image gallery + minLength: 1 + type: string + version: + description: Version specifies the version of the marketplace image. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - resourceGroup + - subscriptionID + - version + type: object + type: object + networkInterfaces: + description: NetworkInterfaces specifies a list of network interface configurations. If left unspecified, the VM will get a single network interface with a single IPConfig in the subnet specified in the cluster's node subnet field. The primary interface will be the first networkInterface specified (index 0) in the list. + items: + description: NetworkInterface defines a network interface. + properties: + acceleratedNetworking: + description: AcceleratedNetworking enables or disables Azure accelerated networking. If omitted, it will be set based on whether the requested VMSize supports accelerated networking. If AcceleratedNetworking is set to true with a VMSize that does not support it, Azure will return an error. + type: boolean + privateIPConfigs: + description: PrivateIPConfigs specifies the number of private IP addresses to attach to the interface. Defaults to 1 if not specified. + type: integer + subnetName: + description: SubnetName specifies the subnet in which the new network interface will be placed. 
+ type: string + type: object + type: array + osDisk: + description: OSDisk contains the operating system disk information for a Virtual Machine + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diffDiskSettings: + description: DiffDiskSettings describe ephemeral disk settings for the os disk. + properties: + option: + description: Option enables ephemeral OS when set to "Local" See https://learn.microsoft.com/azure/virtual-machines/ephemeral-os-disks for full details + enum: + - Local + type: string + required: + - option + type: object + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the OS disk. Will have a default of 30GB if not provided + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk parameters for the OS disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk. + properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. It must be in the same subscription + type: string + type: object + securityProfile: + description: SecurityProfile specifies the security profile for the managed disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob. + properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. It must be in the same subscription + type: string + type: object + securityEncryptionType: + description: SecurityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. 
When set to VMGuestStateOnly, VirtualizedTrustedPlatformModule should be set to Enabled. When set to DiskWithVMGuestState, EncryptionAtHost should be disabled, SecureBoot and VirtualizedTrustedPlatformModule should be set to Enabled. It can be set only for Confidential VMs. + enum: + - VMGuestStateOnly + - DiskWithVMGuestState + type: string + type: object + storageAccountType: + type: string + type: object + osType: + type: string + required: + - osType + type: object + securityProfile: + description: SecurityProfile specifies the Security profile settings for a virtual machine. + properties: + encryptionAtHost: + description: This field indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. Default is disabled. + type: boolean + securityType: + description: 'SecurityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UefiSettings. The default behavior is: UefiSettings will not be enabled unless this property is set.' + enum: + - ConfidentialVM + - TrustedLaunch + type: string + uefiSettings: + description: UefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine. + properties: + secureBootEnabled: + description: SecureBootEnabled specifies whether secure boot should be enabled on the virtual machine. Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is false. + type: boolean + vTpmEnabled: + description: VTpmEnabled specifies whether vTPM should be enabled on the virtual machine. When true it enables the virtualized trusted platform module measurements to create a known good boot integrity policy baseline. 
The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be set to Enabled if SecurityEncryptionType is defined. If omitted, the platform chooses a default, which is subject to change over time, currently that default is false. + type: boolean + type: object + type: object + spotVMOptions: + description: SpotVMOptions allows the ability to specify the Machine should use a Spot VM + properties: + evictionPolicy: + description: EvictionPolicy defines the behavior of the virtual machine when it is evicted. It can be either Delete or Deallocate. + enum: + - Deallocate + - Delete + type: string + maxPrice: + anyOf: + - type: integer + - type: string + description: MaxPrice defines the maximum price the user is willing to pay for Spot VM instances + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + sshPublicKey: + description: SSHPublicKey is the SSH public key string, base64-encoded to add to a Virtual Machine. Linux only. Refer to documentation on how to set up SSH access on Windows instances. + type: string + subnetName: + description: 'Deprecated: SubnetName should be set in the networkInterfaces field.' + type: string + terminateNotificationTimeout: + description: TerminateNotificationTimeout enables or disables VMSS scheduled events termination notification with specified timeout allowed values are between 5 and 15 (mins) + type: integer + vmExtensions: + description: VMExtensions specifies a list of extensions to be added to the scale set. + items: + description: VMExtension specifies the parameters for a custom VM extension. + properties: + name: + description: Name is the name of the extension. 
+ type: string + protectedSettings: + additionalProperties: + type: string + description: ProtectedSettings is a JSON formatted protected settings for the extension. + type: object + publisher: + description: Publisher is the name of the extension handler publisher. + type: string + settings: + additionalProperties: + type: string + description: Settings is a JSON formatted public settings for the extension. + type: object + version: + description: Version specifies the version of the script handler. + type: string + required: + - name + - publisher + - version + type: object + type: array + vmSize: + description: VMSize is the size of the Virtual Machine to build. See https://learn.microsoft.com/rest/api/compute/virtualmachines/createorupdate#virtualmachinesizetypes + type: string + required: + - osDisk + - vmSize + type: object + userAssignedIdentities: + description: UserAssignedIdentities is a list of standalone Azure identities provided by the user The lifecycle of a user-assigned identity is managed separately from the lifecycle of the AzureMachinePool. See https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli + items: + description: UserAssignedIdentity defines the user-assigned identities provided by the user to be assigned to Azure resources. + properties: + providerID: + description: 'ProviderID is the identification ID of the user-assigned Identity, the format of an identity is: ''azure:///subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}''' + type: string + required: + - providerID + type: object + type: array + required: + - location + - template + type: object + status: + description: AzureMachinePoolStatus defines the observed state of AzureMachinePool. + properties: + conditions: + description: Conditions defines current service state of the AzureMachinePool. 
+ items: + description: Condition defines an observation of a Cluster API resource operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. + type: string + severity: + description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + failureMessage: + description: "FailureMessage will be set in the event that there is a terminal problem reconciling the MachinePool and will contain a more verbose string suitable for logging and human consumption. 
\n This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the MachinePool's spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. \n Any transient errors that occur during the reconciliation of MachinePools can be added as events to the MachinePool object and/or logged in the controller's output." + type: string + failureReason: + description: "FailureReason will be set in the event that there is a terminal problem reconciling the MachinePool and will contain a succinct value suitable for machine interpretation. \n This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the MachinePool's spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. \n Any transient errors that occur during the reconciliation of MachinePools can be added as events to the MachinePool object and/or logged in the controller's output." + type: string + image: + description: Image is the current image used in the AzureMachinePool. When the spec image is nil, this image is populated with the details of the defaulted Azure Marketplace "capi" offer. 
+ properties: + computeGallery: + description: ComputeGallery specifies an image to use from the Azure Compute Gallery + properties: + gallery: + description: Gallery specifies the name of the compute image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + plan: + description: Plan contains plan information. + properties: + offer: + description: Offer specifies the name of a group of related images created by the publisher. For example, UbuntuServer, WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter + minLength: 1 + type: string + required: + - offer + - publisher + - sku + type: object + resourceGroup: + description: ResourceGroup specifies the resource group containing the private compute gallery. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription that contains the private compute gallery. + type: string + version: + description: Version specifies the version of the marketplace image. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - version + type: object + id: + description: ID specifies an image to use by ID + type: string + marketplace: + description: Marketplace specifies an image to use from the Azure Marketplace + properties: + offer: + description: Offer specifies the name of a group of related images created by the publisher. 
For example, UbuntuServer, WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter + minLength: 1 + type: string + thirdPartyImage: + default: false + description: ThirdPartyImage indicates the image is published by a third party publisher and a Plan will be generated for it. + type: boolean + version: + description: Version specifies the version of an image sku. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - offer + - publisher + - sku + - version + type: object + sharedGallery: + description: 'SharedGallery specifies an image to use from an Azure Shared Image Gallery Deprecated: use ComputeGallery instead.' + properties: + gallery: + description: Gallery specifies the name of the shared image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + offer: + description: Offer specifies the name of a group of related images created by the publisher. For example, UbuntuServer, WindowsServer This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + publisher: + description: Publisher is the name of the organization that created the image. This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. 
This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + resourceGroup: + description: ResourceGroup specifies the resource group containing the shared image gallery + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription that contains the shared image gallery + minLength: 1 + type: string + version: + description: Version specifies the version of the marketplace image. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - resourceGroup + - subscriptionID + - version + type: object + type: object + instances: + description: Instances is the VM instance status for each VM in the VMSS + items: + description: AzureMachinePoolInstanceStatus provides status information for each instance in the VMSS. + properties: + instanceID: + description: InstanceID is the identification of the Machine Instance within the VMSS + type: string + instanceName: + description: InstanceName is the name of the Machine Instance within the VMSS + type: string + latestModelApplied: + description: LatestModelApplied indicates the instance is running the most up-to-date VMSS model. A VMSS model describes the image version the VM is running. 
If the instance is not running the latest model, it means the instance may not be running the version of Kubernetes the Machine Pool has specified and needs to be updated. + type: boolean + providerID: + description: ProviderID is the provider identification of the VMSS Instance + type: string + provisioningState: + description: ProvisioningState is the provisioning state of the Azure virtual machine instance. + type: string + version: + description: Version defines the Kubernetes version for the VM Instance + type: string + required: + - latestModelApplied + type: object + type: array + longRunningOperationStates: + description: LongRunningOperationStates saves the state for Azure long-running operations so they can be continued on the next reconciliation loop. + items: + description: Future contains the data needed for an Azure long-running operation to continue across reconcile loops. + properties: + data: + description: Data is the base64 url encoded json Azure AutoRest Future. + type: string + name: + description: Name is the name of the Azure resource. Together with the service name, this forms the unique identifier for the future. + type: string + resourceGroup: + description: ResourceGroup is the Azure resource group for the resource. + type: string + serviceName: + description: ServiceName is the name of the Azure service. Together with the name of the resource, this forms the unique identifier for the future. + type: string + type: + description: Type describes the type of future, such as update, create, delete, etc. + type: string + required: + - data + - name + - serviceName + - type + type: object + type: array + provisioningState: + description: ProvisioningState is the provisioning state of the Azure virtual machine. + type: string + ready: + description: Ready is true when the provider resource is ready. + type: boolean + replicas: + description: Replicas is the most recently observed number of replicas. 
+ format: int32 + type: integer + version: + description: Version is the Kubernetes version for the current VMSS model + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azuremachinepoolmachine-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azuremachinepoolmachine-crd.yaml new file mode 100644 index 000000000..4d4f81649 --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azuremachinepoolmachine-crd.yaml 
@@ -0,0 +1,209 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremachinepoolmachines.infrastructure.cluster.x-k8s.io + annotations: + cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "cluster-api-provider-azure.fullname" . }}-serving-cert' + controller-gen.kubebuilder.io/version: v0.9.2 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + cluster.x-k8s.io/v1beta1: v1beta1 + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: '{{ include "cluster-api-provider-azure.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureMachinePoolMachine + listKind: AzureMachinePoolMachineList + plural: azuremachinepoolmachines + shortNames: + - ampm + singular: azuremachinepoolmachine + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Kubernetes version + jsonPath: .status.version + name: Version + type: string + - description: Flag indicating infrastructure is successfully provisioned + jsonPath: .status.ready + name: Ready + type: string + - description: Azure VMSS VM provisioning state + jsonPath: .status.provisioningState + name: State + type: string + - description: Cluster to which this AzureMachinePoolMachine belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + priority: 1 + type: string + - description: Azure VMSS VM ID + jsonPath: .spec.providerID + name: VMSS VM ID + priority: 1 + type: string + - description: Time duration since creation of this AzureMachinePoolMachine + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + 
description: AzureMachinePoolMachine is the Schema for the azuremachinepoolmachines API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureMachinePoolMachineSpec defines the desired state of AzureMachinePoolMachine. + properties: + instanceID: + description: InstanceID is the identification of the Machine Instance within the VMSS + type: string + providerID: + description: ProviderID is the identification ID of the Virtual Machine Scale Set + type: string + required: + - providerID + type: object + status: + description: AzureMachinePoolMachineStatus defines the observed state of AzureMachinePoolMachine. + properties: + conditions: + description: Conditions defines current service state of the AzureMachinePool. + items: + description: Condition defines an observation of a Cluster API resource operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. This field may be empty. 
+ type: string + reason: + description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. + type: string + severity: + description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + failureMessage: + description: "FailureMessage will be set in the event that there is a terminal problem reconciling the MachinePool and will contain a more verbose string suitable for logging and human consumption. \n Any transient errors that occur during the reconciliation of MachinePools can be added as events to the MachinePool object and/or logged in the controller's output." + type: string + failureReason: + description: "FailureReason will be set in the event that there is a terminal problem reconciling the MachinePool machine and will contain a succinct value suitable for machine interpretation. \n Any transient errors that occur during the reconciliation of MachinePools can be added as events to the MachinePool object and/or logged in the controller's output." + type: string + instanceName: + description: InstanceName is the name of the Machine Instance within the VMSS + type: string + latestModelApplied: + description: LatestModelApplied indicates the instance is running the most up-to-date VMSS model. 
A VMSS model describes the image version the VM is running. If the instance is not running the latest model, it means the instance may not be running the version of Kubernetes the Machine Pool has specified and needs to be updated. + type: boolean + longRunningOperationStates: + description: LongRunningOperationStates saves the state for Azure long running operations so they can be continued on the next reconciliation loop. + items: + description: Future contains the data needed for an Azure long-running operation to continue across reconcile loops. + properties: + data: + description: Data is the base64 url encoded json Azure AutoRest Future. + type: string + name: + description: Name is the name of the Azure resource. Together with the service name, this forms the unique identifier for the future. + type: string + resourceGroup: + description: ResourceGroup is the Azure resource group for the resource. + type: string + serviceName: + description: ServiceName is the name of the Azure service. Together with the name of the resource, this forms the unique identifier for the future. + type: string + type: + description: Type describes the type of future, such as update, create, delete, etc. + type: string + required: + - data + - name + - serviceName + - type + type: object + type: array + nodeRef: + description: NodeRef will point to the corresponding Node if it exists. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). 
This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + provisioningState: + description: ProvisioningState is the provisioning state of the Azure virtual machine instance. + type: string + ready: + description: Ready is true when the provider resource is ready. + type: boolean + version: + description: Version defines the Kubernetes version for the VM Instance + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azuremachinetemplate-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azuremachinetemplate-crd.yaml new file mode 100644 index 000000000..b832b1ba1 --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azuremachinetemplate-crd.yaml 
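Review bot: Because this CRD is rendered as an ordinary template gated by `.Values.crds.create` rather than shipped under the chart's `crds/` directory, `helm uninstall` (or a later flip of `crds.create` to false) will delete the CRD and, with it, every AzureMachinePoolMachine object in the cluster; the same applies to the other `*-crd.yaml` templates in this commit, including azuremachinetemplate-crd.yaml. Consider adding `helm.sh/resource-policy: keep` under `metadata.annotations` next to the cert-manager annotation so Helm leaves the CRD in place, and noting the choice in the chart README. The conversion webhook also depends on `caBundle: Cg==` being overwritten by cert-manager's CA injector through `cert-manager.io/inject-ca-from`; if cainjector is not running the placeholder stays and conversion calls will most likely fail TLS verification, so the README should list cert-manager as a hard prerequisite.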
@@ -0,0 +1,521 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremachinetemplates.infrastructure.cluster.x-k8s.io + annotations: + cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "cluster-api-provider-azure.fullname" . }}-serving-cert' + controller-gen.kubebuilder.io/version: v0.9.2 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + cluster.x-k8s.io/v1beta1: v1beta1 + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: '{{ include "cluster-api-provider-azure.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureMachineTemplate + listKind: AzureMachineTemplateList + plural: azuremachinetemplates + singular: azuremachinetemplate + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: AzureMachineTemplate is the Schema for the azuremachinetemplates API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureMachineTemplateSpec defines the desired state of AzureMachineTemplate. + properties: + template: + description: AzureMachineTemplateResource describes the data needed to create an AzureMachine from a template. + properties: + metadata: + description: "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create. This is a copy of customizable fields from metav1.ObjectMeta. \n ObjectMeta is embedded in `Machine.Spec`, `MachineDeployment.Template` and `MachineSet.Template`, which are not top-level Kubernetes objects. Given that metav1.ObjectMeta has lots of special cases and read-only fields which end up in the generated CRD validation, having it as a subset simplifies the API and some issues that can impact user experience. \n During the [upgrade to controller-tools@v2](https://github.com/kubernetes-sigs/cluster-api/pull/1054) for v1alpha2, we noticed a failure would occur running Cluster API test suite against the new CRDs, specifically `spec.metadata.creationTimestamp in body must be of type string: \"null\"`. The investigation showed that `controller-tools@v2` behaves differently than its previous version when handling types from [metav1](k8s.io/apimachinery/pkg/apis/meta/v1) package. \n In more details, we found that embedded (non-top level) types that embedded `metav1.ObjectMeta` had validation properties, including for `creationTimestamp` (metav1.Time). The `metav1.Time` type specifies a custom json marshaller that, when IsZero() is true, returns `null` which breaks validation because the field isn't marked as nullable. \n In future versions, controller-tools@v2 might allow overriding the type and validation for embedded types. When that happens, this hack should be revisited." 
+ properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' + type: object + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' + type: object + type: object + spec: + description: Spec is the specification of the desired behavior of the machine. + properties: + acceleratedNetworking: + description: 'Deprecated: AcceleratedNetworking should be set in the networkInterfaces field.' + type: boolean + additionalCapabilities: + description: AdditionalCapabilities specifies additional capabilities enabled or disabled on the virtual machine. + properties: + ultraSSDEnabled: + description: UltraSSDEnabled enables or disables Azure UltraSSD capability for the virtual machine. Defaults to true if Ultra SSD data disks are specified, otherwise it doesn't set the capability on the VM. + type: boolean + type: object + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to an instance, in addition to the ones added by default by the Azure provider. If both the AzureCluster and the AzureMachine specify the same tag name with different values, the AzureMachine's value takes precedence. + type: object + allocatePublicIP: + description: AllocatePublicIP allows the ability to create dynamic public ips for machines where this value is true. 
+ type: boolean + dataDisks: + description: DataDisk specifies the parameters that are used to add one or more data disks to the machine + items: + description: DataDisk specifies the parameters that are used to add one or more data disks to the machine. + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the data disk. + format: int32 + type: integer + lun: + description: Lun Specifies the logical unit number of the data disk. This value is used to identify data disks within the VM and therefore must be unique for each data disk attached to a VM. The value must be between 0 and 63. + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk parameters for the data disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk. + properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. It must be in the same subscription + type: string + type: object + securityProfile: + description: SecurityProfile specifies the security profile for the managed disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob. + properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. It must be in the same subscription + type: string + type: object + securityEncryptionType: + description: SecurityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. 
When set to VMGuestStateOnly, VirtualizedTrustedPlatformModule should be set to Enabled. When set to DiskWithVMGuestState, EncryptionAtHost should be disabled, SecureBoot and VirtualizedTrustedPlatformModule should be set to Enabled. It can be set only for Confidential VMs. + enum: + - VMGuestStateOnly + - DiskWithVMGuestState + type: string + type: object + storageAccountType: + type: string + type: object + nameSuffix: + description: NameSuffix is the suffix to be appended to the machine name to generate the disk name. Each disk name will be in format _. + type: string + required: + - diskSizeGB + - nameSuffix + type: object + type: array + diagnostics: + description: Diagnostics specifies the diagnostics settings for a virtual machine. If not specified then Boot diagnostics (Managed) will be enabled. + properties: + boot: + description: Boot configures the boot diagnostics settings for the virtual machine. This allows to configure capturing serial output from the virtual machine on boot. This is useful for debugging software based launch issues. If not specified then Boot diagnostics (Managed) will be enabled. + properties: + storageAccountType: + description: StorageAccountType determines if the storage account for storing the diagnostics data should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). + enum: + - Managed + - UserManaged + - Disabled + type: string + userManaged: + description: UserManaged provides a reference to the user-managed storage account. + properties: + storageAccountURI: + description: 'StorageAccountURI is the URI of the user-managed storage account. The URI typically will be `https://.blob.core.windows.net/` but may differ if you are using Azure DNS zone endpoints. 
You can find the correct endpoint by looking for the Blob Primary Endpoint in the endpoints tab in the Azure console or with the CLI by issuing `az storage account list --query=''[].{name: name, "resource group": resourceGroup, "blob endpoint": primaryEndpoints.blob}''`.' + maxLength: 1024 + pattern: ^https:// + type: string + required: + - storageAccountURI + type: object + required: + - storageAccountType + type: object + type: object + dnsServers: + description: DNSServers adds a list of DNS Server IP addresses to the VM NICs. + items: + type: string + type: array + enableIPForwarding: + description: EnableIPForwarding enables IP Forwarding in Azure which is required for some CNI's to send traffic from a pods on one machine to another. This is required for IpV6 with Calico in combination with User Defined Routes (set by the Azure Cloud Controller manager). Default is false for disabled. + type: boolean + failureDomain: + description: FailureDomain is the failure domain unique identifier this Machine should be attached to, as defined in Cluster API. This relates to an Azure Availability Zone + type: string + identity: + default: None + description: Identity is the type of identity used for the virtual machine. The type 'SystemAssigned' is an implicitly created identity. The generated identity will be assigned a Subscription contributor role. The type 'UserAssigned' is a standalone Azure resource provided by the user and assigned to the VM + enum: + - None + - SystemAssigned + - UserAssigned + type: string + image: + description: Image is used to provide details of an image to use during VM creation. If image details are omitted the image will default the Azure Marketplace "capi" offer, which is based on Ubuntu. 
+ properties: + computeGallery: + description: ComputeGallery specifies an image to use from the Azure Compute Gallery + properties: + gallery: + description: Gallery specifies the name of the compute image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + plan: + description: Plan contains plan information. + properties: + offer: + description: Offer specifies the name of a group of related images created by the publisher. For example, UbuntuServer, WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter + minLength: 1 + type: string + required: + - offer + - publisher + - sku + type: object + resourceGroup: + description: ResourceGroup specifies the resource group containing the private compute gallery. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription that contains the private compute gallery. + type: string + version: + description: Version specifies the version of the marketplace image. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - version + type: object + id: + description: ID specifies an image to use by ID + type: string + marketplace: + description: Marketplace specifies an image to use from the Azure Marketplace + properties: + offer: + description: Offer specifies the name of a group of related images created by the publisher. 
For example, UbuntuServer, WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter + minLength: 1 + type: string + thirdPartyImage: + default: false + description: ThirdPartyImage indicates the image is published by a third party publisher and a Plan will be generated for it. + type: boolean + version: + description: Version specifies the version of an image sku. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - offer + - publisher + - sku + - version + type: object + sharedGallery: + description: 'SharedGallery specifies an image to use from an Azure Shared Image Gallery Deprecated: use ComputeGallery instead.' + properties: + gallery: + description: Gallery specifies the name of the shared image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + offer: + description: Offer specifies the name of a group of related images created by the publisher. For example, UbuntuServer, WindowsServer This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + publisher: + description: Publisher is the name of the organization that created the image. This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. 
This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + resourceGroup: + description: ResourceGroup specifies the resource group containing the shared image gallery + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter This value will be used to add a `Plan` in the API request when creating the VM/VMSS resource. This is needed when the source image from which this SIG image was built requires the `Plan` to be used. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription that contains the shared image gallery + minLength: 1 + type: string + version: + description: Version specifies the version of the marketplace image. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - resourceGroup + - subscriptionID + - version + type: object + type: object + networkInterfaces: + description: NetworkInterfaces specifies a list of network interface configurations. If left unspecified, the VM will get a single network interface with a single IPConfig in the subnet specified in the cluster's node subnet field. The primary interface will be the first networkInterface specified (index 0) in the list. + items: + description: NetworkInterface defines a network interface. + properties: + acceleratedNetworking: + description: AcceleratedNetworking enables or disables Azure accelerated networking. If omitted, it will be set based on whether the requested VMSize supports accelerated networking. 
If AcceleratedNetworking is set to true with a VMSize that does not support it, Azure will return an error. + type: boolean + privateIPConfigs: + description: PrivateIPConfigs specifies the number of private IP addresses to attach to the interface. Defaults to 1 if not specified. + type: integer + subnetName: + description: SubnetName specifies the subnet in which the new network interface will be placed. + type: string + type: object + type: array + osDisk: + description: OSDisk specifies the parameters for the operating system disk of the machine + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diffDiskSettings: + description: DiffDiskSettings describe ephemeral disk settings for the os disk. + properties: + option: + description: Option enables ephemeral OS when set to "Local" See https://learn.microsoft.com/azure/virtual-machines/ephemeral-os-disks for full details + enum: + - Local + type: string + required: + - option + type: object + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the OS disk. Will have a default of 30GB if not provided + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk parameters for the OS disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk. + properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. It must be in the same subscription + type: string + type: object + securityProfile: + description: SecurityProfile specifies the security profile for the managed disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob. 
+ properties: + id: + description: ID defines resourceID for diskEncryptionSet resource. It must be in the same subscription + type: string + type: object + securityEncryptionType: + description: SecurityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When set to VMGuestStateOnly, VirtualizedTrustedPlatformModule should be set to Enabled. When set to DiskWithVMGuestState, EncryptionAtHost should be disabled, SecureBoot and VirtualizedTrustedPlatformModule should be set to Enabled. It can be set only for Confidential VMs. + enum: + - VMGuestStateOnly + - DiskWithVMGuestState + type: string + type: object + storageAccountType: + type: string + type: object + osType: + type: string + required: + - osType + type: object + providerID: + description: ProviderID is the unique identifier as specified by the cloud provider. + type: string + roleAssignmentName: + description: 'Deprecated: RoleAssignmentName should be set in the systemAssignedIdentityRole field.' + type: string + securityProfile: + description: SecurityProfile specifies the Security profile settings for a virtual machine. + properties: + encryptionAtHost: + description: This field indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. Default is disabled. + type: boolean + securityType: + description: 'SecurityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UefiSettings. The default behavior is: UefiSettings will not be enabled unless this property is set.' 
+ enum: + - ConfidentialVM + - TrustedLaunch + type: string + uefiSettings: + description: UefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine. + properties: + secureBootEnabled: + description: SecureBootEnabled specifies whether secure boot should be enabled on the virtual machine. Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is false. + type: boolean + vTpmEnabled: + description: VTpmEnabled specifies whether vTPM should be enabled on the virtual machine. When true it enables the virtualized trusted platform module measurements to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be set to Enabled if SecurityEncryptionType is defined. If omitted, the platform chooses a default, which is subject to change over time, currently that default is false. + type: boolean + type: object + type: object + spotVMOptions: + description: SpotVMOptions allows the ability to specify the Machine should use a Spot VM + properties: + evictionPolicy: + description: EvictionPolicy defines the behavior of the virtual machine when it is evicted. It can be either Delete or Deallocate. + enum: + - Deallocate + - Delete + type: string + maxPrice: + anyOf: + - type: integer + - type: string + description: MaxPrice defines the maximum price the user is willing to pay for Spot VM instances + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + sshPublicKey: + description: SSHPublicKey is the SSH public key string, base64-encoded to add to a Virtual Machine. Linux only. 
Refer to documentation on how to set up SSH access on Windows instances. + type: string + subnetName: + description: 'Deprecated: SubnetName should be set in the networkInterfaces field.' + type: string + systemAssignedIdentityRole: + description: SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity. + properties: + definitionID: + description: 'DefinitionID is the ID of the role definition to create for a system assigned identity. It can be an Azure built-in role or a custom role. Refer to built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles' + type: string + name: + description: Name is the name of the role assignment to create for a system assigned identity. It can be any valid UUID. If not specified, a random UUID will be generated. + type: string + scope: + description: Scope is the scope that the role assignment or definition applies to. The scope can be any REST resource instance. If not specified, the scope will be the subscription. + type: string + type: object + userAssignedIdentities: + description: UserAssignedIdentities is a list of standalone Azure identities provided by the user The lifecycle of a user-assigned identity is managed separately from the lifecycle of the AzureMachine. See https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli + items: + description: UserAssignedIdentity defines the user-assigned identities provided by the user to be assigned to Azure resources. 
+ properties: + providerID: + description: 'ProviderID is the identification ID of the user-assigned Identity, the format of an identity is: ''azure:///subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}''' + type: string + required: + - providerID + type: object + type: array + vmExtensions: + description: VMExtensions specifies a list of extensions to be added to the virtual machine. + items: + description: VMExtension specifies the parameters for a custom VM extension. + properties: + name: + description: Name is the name of the extension. + type: string + protectedSettings: + additionalProperties: + type: string + description: ProtectedSettings is a JSON formatted protected settings for the extension. + type: object + publisher: + description: Publisher is the name of the extension handler publisher. + type: string + settings: + additionalProperties: + type: string + description: Settings is a JSON formatted public settings for the extension. + type: object + version: + description: Version specifies the version of the script handler. + type: string + required: + - name + - publisher + - version + type: object + type: array + vmSize: + type: string + required: + - osDisk + - vmSize + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedcluster-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedcluster-crd.yaml new file mode 100644 index 000000000..e8924440d --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedcluster-crd.yaml 
@@ -0,0 +1,75 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremanagedclusters.infrastructure.cluster.x-k8s.io + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + cluster.x-k8s.io/v1beta1: v1beta1 + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureManagedCluster + listKind: AzureManagedClusterList + plural: azuremanagedclusters + shortNames: + - amc + singular: azuremanagedcluster + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: AzureManagedCluster is the Schema for the azuremanagedclusters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureManagedClusterSpec defines the desired state of AzureManagedCluster. + properties: + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. Immutable, populated by the AKS API at create. + properties: + host: + description: The hostname on which the API server is serving. 
+ type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + type: object + status: + description: AzureManagedClusterStatus defines the observed state of AzureManagedCluster. + properties: + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedcontrolplane-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedcontrolplane-crd.yaml new file mode 100644 index 000000000..f126b7e18 --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedcontrolplane-crd.yaml 
@@ -0,0 +1,513 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremanagedcontrolplanes.infrastructure.cluster.x-k8s.io + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + cluster.x-k8s.io/v1beta1: v1beta1 + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureManagedControlPlane + listKind: AzureManagedControlPlaneList + plural: azuremanagedcontrolplanes + shortNames: + - amcp + singular: azuremanagedcontrolplane + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: AzureManagedControlPlane is the Schema for the azuremanagedcontrolplanes API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureManagedControlPlaneSpec defines the desired state of AzureManagedControlPlane. + properties: + aadProfile: + description: AadProfile is Azure Active Directory configuration to integrate with AKS for aad authentication. + properties: + adminGroupObjectIDs: + description: AdminGroupObjectIDs - AAD group object IDs that will have admin role of the cluster. 
+ items: + type: string + type: array + managed: + description: Managed - Whether to enable managed AAD. + type: boolean + required: + - adminGroupObjectIDs + - managed + type: object + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to Azure resources managed by the Azure provider, in addition to the ones added by default. + type: object + addonProfiles: + description: AddonProfiles are the profiles of managed cluster add-on. + items: + description: AddonProfile represents a managed cluster add-on. + properties: + config: + additionalProperties: + type: string + description: Config - Key-value pairs for configuring the add-on. + type: object + enabled: + description: Enabled - Whether the add-on is enabled or not. + type: boolean + name: + description: Name - The name of the managed cluster add-on. + type: string + required: + - enabled + - name + type: object + type: array + apiServerAccessProfile: + description: APIServerAccessProfile is the access profile for AKS API server. Immutable except for `authorizedIPRanges`. + properties: + authorizedIPRanges: + description: AuthorizedIPRanges - Authorized IP Ranges to kubernetes API server. + items: + type: string + type: array + enablePrivateCluster: + description: EnablePrivateCluster - Whether to create the cluster as a private cluster or not. + type: boolean + enablePrivateClusterPublicFQDN: + description: EnablePrivateClusterPublicFQDN - Whether to create additional public FQDN for private cluster or not. + type: boolean + privateDNSZone: + description: PrivateDNSZone - Private dns zone mode for private cluster. + enum: + - System + - None + type: string + type: object + autoscalerProfile: + description: AutoscalerProfile is the parameters to be applied to the cluster-autoscaler when enabled + properties: + balanceSimilarNodeGroups: + description: BalanceSimilarNodeGroups - Valid values are 'true' and 'false'. The default is false. 
+ enum: + - "true" + - "false" + type: string + expander: + description: Expander - If not specified, the default is 'random'. See [expanders](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#what-are-expanders) for more information. + enum: + - least-waste + - most-pods + - priority + - random + type: string + maxEmptyBulkDelete: + description: MaxEmptyBulkDelete - The default is 10. + type: string + maxGracefulTerminationSec: + description: MaxGracefulTerminationSec - The default is 600. + pattern: ^(\d+)$ + type: string + maxNodeProvisionTime: + description: MaxNodeProvisionTime - The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. + pattern: ^(\d+)m$ + type: string + maxTotalUnreadyPercentage: + description: MaxTotalUnreadyPercentage - The default is 45. The maximum is 100 and the minimum is 0. + maxLength: 3 + minLength: 1 + pattern: ^(\d+)$ + type: string + newPodScaleUpDelay: + description: NewPodScaleUpDelay - For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). + type: string + okTotalUnreadyCount: + description: OkTotalUnreadyCount - This must be an integer. The default is 3. + pattern: ^(\d+)$ + type: string + scaleDownDelayAfterAdd: + description: ScaleDownDelayAfterAdd - The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. + pattern: ^(\d+)m$ + type: string + scaleDownDelayAfterDelete: + description: ScaleDownDelayAfterDelete - The default is the scan-interval. Values must be an integer followed by an 's'. No unit of time other than seconds (s) is supported. 
+ pattern: ^(\d+)s$ + type: string + scaleDownDelayAfterFailure: + description: ScaleDownDelayAfterFailure - The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. + pattern: ^(\d+)m$ + type: string + scaleDownUnneededTime: + description: ScaleDownUnneededTime - The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. + pattern: ^(\d+)m$ + type: string + scaleDownUnreadyTime: + description: ScaleDownUnreadyTime - The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. + pattern: ^(\d+)m$ + type: string + scaleDownUtilizationThreshold: + description: ScaleDownUtilizationThreshold - The default is '0.5'. + type: string + scanInterval: + description: ScanInterval - How often cluster is reevaluated for scale up or down. The default is '10s'. + pattern: ^(\d+)s$ + type: string + skipNodesWithLocalStorage: + description: SkipNodesWithLocalStorage - The default is false. + enum: + - "true" + - "false" + type: string + skipNodesWithSystemPods: + description: SkipNodesWithSystemPods - The default is true. + enum: + - "true" + - "false" + type: string + type: object + azureEnvironment: + description: 'AzureEnvironment is the name of the AzureCloud to be used. The default value that would be used by most users is "AzurePublicCloud", other values are: - ChinaCloud: "AzureChinaCloud" - PublicCloud: "AzurePublicCloud" - USGovernmentCloud: "AzureUSGovernmentCloud"' + type: string + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. Immutable, populated by the AKS API at create. + properties: + host: + description: The hostname on which the API server is serving. + type: string + port: + description: The port on which the API server is serving. 
+ format: int32 + type: integer + required: + - host + - port + type: object + dnsServiceIP: + description: DNSServiceIP is an IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. Immutable. + type: string + identity: + description: Identity configuration used by the AKS control plane. + properties: + type: + description: Type - The Identity type to use. + enum: + - SystemAssigned + - UserAssigned + type: string + userAssignedIdentityResourceID: + description: UserAssignedIdentityResourceID - Identity ARM resource ID when using user-assigned identity. + type: string + type: object + identityRef: + description: IdentityRef is a reference to a AzureClusterIdentity to be used when reconciling this cluster + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + x-kubernetes-map-type: atomic + kubeletUserAssignedIdentity: + description: KubeletUserAssignedIdentity is the user-assigned identity for kubelet. For authentication with Azure Container Registry. + type: string + loadBalancerProfile: + description: LoadBalancerProfile is the profile of the cluster load balancer. + properties: + allocatedOutboundPorts: + description: AllocatedOutboundPorts - Desired number of allocated SNAT ports per VM. Allowed values must be in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. + format: int32 + type: integer + idleTimeoutInMinutes: + description: IdleTimeoutInMinutes - Desired outbound flow idle timeout in minutes. Allowed values must be in the range of 4 to 120 (inclusive). The default value is 30 minutes. + format: int32 + type: integer + managedOutboundIPs: + description: ManagedOutboundIPs - Desired managed outbound IPs for the cluster load balancer. + format: int32 + type: integer + outboundIPPrefixes: + description: OutboundIPPrefixes - Desired outbound IP Prefix resources for the cluster load balancer. + items: + type: string + type: array + outboundIPs: + description: OutboundIPs - Desired outbound IP resources for the cluster load balancer. + items: + type: string + type: array + type: object + loadBalancerSKU: + description: LoadBalancerSKU is the SKU of the loadBalancer to be provisioned. Immutable. 
+ enum: + - Basic + - Standard + type: string + location: + description: 'Location is a string matching one of the canonical Azure region names. Examples: "westus2", "eastus". Immutable.' + type: string + networkPlugin: + description: NetworkPlugin used for building Kubernetes network. Allowed values are "azure", "kubenet". Immutable. + enum: + - azure + - kubenet + type: string + networkPolicy: + description: NetworkPolicy used for building Kubernetes network. Allowed values are "azure", "calico". Immutable. + enum: + - azure + - calico + type: string + nodeResourceGroupName: + description: NodeResourceGroupName is the name of the resource group containing cluster IaaS resources. Will be populated to default in webhook. Immutable. + type: string + outboundType: + description: Outbound configuration used by Nodes. Immutable. + enum: + - loadBalancer + - managedNATGateway + - userAssignedNATGateway + - userDefinedRouting + type: string + resourceGroupName: + description: ResourceGroupName is the name of the Azure resource group for this AKS Cluster. Immutable. + type: string + sku: + description: SKU is the SKU of the AKS to be provisioned. + properties: + tier: + description: Tier - Tier of an AKS cluster. + enum: + - Free + - Paid + type: string + required: + - tier + type: object + sshPublicKey: + description: SSHPublicKey is a string literal containing an ssh public key base64 encoded. Use empty string to autogenerate new key. Use null value to not set key. Immutable. + type: string + subscriptionID: + description: SubscriptionID is the GUID of the Azure subscription to hold this cluster. Immutable. + type: string + version: + description: Version defines the desired Kubernetes version. + minLength: 2 + type: string + virtualNetwork: + description: VirtualNetwork describes the vnet for the AKS cluster. Will be created if it does not exist. Immutable except for `subnet`. 
+ properties: + cidrBlock: + type: string + name: + type: string + resourceGroup: + description: ResourceGroup is the name of the Azure resource group for the VNet and Subnet. + type: string + subnet: + description: Immutable except for `serviceEndpoints`. + properties: + cidrBlock: + type: string + name: + type: string + privateEndpoints: + description: PrivateEndpoints is a slice of Virtual Network private endpoints to create for the subnets. + items: + description: PrivateEndpointSpec configures an Azure Private Endpoint. + properties: + applicationSecurityGroups: + description: ApplicationSecurityGroups specifies the Application security group in which the private endpoint IP configuration is included. + items: + type: string + type: array + customNetworkInterfaceName: + description: CustomNetworkInterfaceName specifies the network interface name associated with the private endpoint. + type: string + location: + description: Location specifies the region to create the private endpoint. + type: string + manualApproval: + description: ManualApproval specifies if the connection approval needs to be done manually or not. Set it true when the network admin does not have access to approve connections to the remote resource. Defaults to false. + type: boolean + name: + description: Name specifies the name of the private endpoint. + type: string + privateIPAddresses: + description: PrivateIPAddresses specifies the IP addresses for the network interface associated with the private endpoint. They have to be part of the subnet where the private endpoint is linked. + items: + type: string + type: array + privateLinkServiceConnections: + description: PrivateLinkServiceConnections specifies Private Link Service Connections of the private endpoint. + items: + description: PrivateLinkServiceConnection defines the specification for a private link service connection associated with a private endpoint. 
+ properties: + groupIDs: + description: GroupIDs specifies the ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. + items: + type: string + type: array + name: + description: Name specifies the name of the private link service. + type: string + privateLinkServiceID: + description: PrivateLinkServiceID specifies the resource ID of the private link service. + type: string + requestMessage: + description: RequestMessage specifies a message passed to the owner of the remote resource with the private endpoint connection request. + maxLength: 140 + type: string + type: object + type: array + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceEndpoints: + description: ServiceEndpoints is a slice of Virtual Network service endpoints to enable for the subnets. + items: + description: ServiceEndpointSpec configures an Azure Service Endpoint. + properties: + locations: + items: + type: string + type: array + service: + type: string + required: + - locations + - service + type: object + type: array + x-kubernetes-list-map-keys: + - service + x-kubernetes-list-type: map + required: + - cidrBlock + - name + type: object + required: + - cidrBlock + - name + type: object + required: + - location + - resourceGroupName + - version + type: object + status: + description: AzureManagedControlPlaneStatus defines the observed state of AzureManagedControlPlane. + properties: + conditions: + description: Conditions defines current service state of the AzureManagedControlPlane. + items: + description: Condition defines an observation of a Cluster API resource operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: A human readable message indicating details about the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. + type: string + severity: + description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + initialized: + description: Initialized is true when the control plane is available for initial contact. This may occur before the control plane is fully ready. In the AzureManagedControlPlane implementation, these are identical. + type: boolean + longRunningOperationStates: + description: LongRunningOperationStates saves the states for Azure long-running operations so they can be continued on the next reconciliation loop. + items: + description: Future contains the data needed for an Azure long-running operation to continue across reconcile loops. + properties: + data: + description: Data is the base64 url encoded json Azure AutoRest Future. + type: string + name: + description: Name is the name of the Azure resource. Together with the service name, this forms the unique identifier for the future. 
+ type: string + resourceGroup: + description: ResourceGroup is the Azure resource group for the resource. + type: string + serviceName: + description: ServiceName is the name of the Azure service. Together with the name of the resource, this forms the unique identifier for the future. + type: string + type: + description: Type describes the type of future, such as update, create, delete, etc. + type: string + required: + - data + - name + - serviceName + - type + type: object + type: array + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedmachinepool-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedmachinepool-crd.yaml new file mode 100644 index 000000000..19774035a --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azuremanagedmachinepool-crd.yaml 
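Review bot: The CRD is rendered as an ordinary chart template behind the `{{- if .Values.crds.create -}}` guard at the top of this hunk, and its only annotation is `controller-gen.kubebuilder.io/version`, so a `helm uninstall` (or a later toggle of `crds.create` to false) will delete the CustomResourceDefinition and, by cascade, every AzureManagedControlPlane object in the management cluster, orphaning the AKS control planes they describe. Adding `helm.sh/resource-policy: keep` next to the existing annotation — `annotations:` / `controller-gen.kubebuilder.io/version: v0.9.2` / `helm.sh/resource-policy: keep` — makes Helm leave the CRD and its stored objects in place; the same applies to the other CRD templates this commit adds. I am assuming the chart has no other protection for these CRDs (a `crds/` directory or a pre-delete hook), which is not visible in this hunk; if it does, a one-line comment above the guard pointing to it would save operators from having to check.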
@@ -0,0 +1,511 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremanagedmachinepools.infrastructure.cluster.x-k8s.io + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + cluster.x-k8s.io/v1beta1: v1beta1 + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureManagedMachinePool + listKind: AzureManagedMachinePoolList + plural: azuremanagedmachinepools + shortNames: + - ammp + singular: azuremanagedmachinepool + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.mode + name: Mode + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: AzureManagedMachinePool is the Schema for the azuremanagedmachinepools API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureManagedMachinePoolSpec defines the desired state of AzureManagedMachinePool. + properties: + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to Azure resources managed by the Azure provider, in addition to the ones added by default. 
+ type: object + availabilityZones: + description: AvailabilityZones - Availability zones for nodes. Must use VirtualMachineScaleSets AgentPoolType. Immutable. + items: + type: string + type: array + enableNodePublicIP: + description: EnableNodePublicIP controls whether or not nodes in the pool each have a public IP address. Immutable. + type: boolean + enableUltraSSD: + description: EnableUltraSSD enables the storage type UltraSSD_LRS for the agent pool. Immutable. + type: boolean + kubeletConfig: + description: KubeletConfig specifies the kubelet configurations for nodes. Immutable. + properties: + allowedUnsafeSysctls: + description: AllowedUnsafeSysctls - Allowlist of unsafe sysctls or unsafe sysctl patterns (ending in `*`). Valid values match `kernel.shm*`, `kernel.msg*`, `kernel.sem`, `fs.mqueue.*`, or `net.*`. + items: + type: string + type: array + containerLogMaxFiles: + description: ContainerLogMaxFiles - The maximum number of container log files that can be present for a container. The number must be ≥ 2. + format: int32 + minimum: 2 + type: integer + containerLogMaxSizeMB: + description: ContainerLogMaxSizeMB - The maximum size in MB of a container log file before it is rotated. + format: int32 + type: integer + cpuCfsQuota: + description: CPUCfsQuota - Enable CPU CFS quota enforcement for containers that specify CPU limits. + type: boolean + cpuCfsQuotaPeriod: + description: CPUCfsQuotaPeriod - Sets CPU CFS quota period value. Must end in "ms", e.g. "100ms" + type: string + cpuManagerPolicy: + description: CPUManagerPolicy - CPU Manager policy to use. + enum: + - none + - static + type: string + failSwapOn: + description: FailSwapOn - If set to true it will make the Kubelet fail to start if swap is enabled on the node. + type: boolean + imageGcHighThreshold: + description: ImageGcHighThreshold - The percent of disk usage after which image garbage collection is always run. Valid values are 0-100 (inclusive). 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + imageGcLowThreshold: + description: ImageGcLowThreshold - The percent of disk usage before which image garbage collection is never run. Valid values are 0-100 (inclusive) and must be less than `imageGcHighThreshold`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + podMaxPids: + description: PodMaxPids - The maximum number of processes per pod. Must not exceed kernel PID limit. -1 disables the limit. + format: int32 + minimum: -1 + type: integer + topologyManagerPolicy: + description: TopologyManagerPolicy - Topology Manager policy to use. + enum: + - none + - best-effort + - restricted + - single-numa-node + type: string + type: object + kubeletDiskType: + description: "KubeletDiskType specifies the kubelet disk type. Default to OS. Possible values include: 'OS', 'Temporary'. Requires Microsoft.ContainerService/KubeletDisk preview feature to be set. Immutable. See also [AKS doc]. \n [AKS doc]: https://learn.microsoft.com/rest/api/aks/agent-pools/create-or-update?tabs=HTTP#kubeletdisktype" + enum: + - OS + - Temporary + type: string + linuxOSConfig: + description: LinuxOSConfig specifies the custom Linux OS settings and configurations. Immutable. + properties: + swapFileSizeMB: + description: "SwapFileSizeMB specifies size in MB of a swap file will be created on the agent nodes from this node pool. Max value of SwapFileSizeMB should be the size of temporary disk(/dev/sdb). Must be at least 1. See also [AKS doc]. \n [AKS doc]: https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk" + format: int32 + minimum: 1 + type: integer + sysctls: + description: Sysctl specifies the settings for Linux agent nodes. + properties: + fsAioMaxNr: + description: FsAioMaxNr specifies the maximum number of system-wide asynchronous io requests. Valid values are 65536-6553500 (inclusive). Maps to fs.aio-max-nr. 
+ format: int32 + maximum: 6553500 + minimum: 65536 + type: integer + fsFileMax: + description: FsFileMax specifies the max number of file-handles that the Linux kernel will allocate, by increasing increases the maximum number of open files permitted. Valid values are 8192-12000500 (inclusive). Maps to fs.file-max. + format: int32 + maximum: 12000500 + minimum: 8192 + type: integer + fsInotifyMaxUserWatches: + description: FsInotifyMaxUserWatches specifies the number of file watches allowed by the system. Each watch is roughly 90 bytes on a 32-bit kernel, and roughly 160 bytes on a 64-bit kernel. Valid values are 781250-2097152 (inclusive). Maps to fs.inotify.max_user_watches. + format: int32 + maximum: 2097152 + minimum: 781250 + type: integer + fsNrOpen: + description: FsNrOpen specifies the maximum number of file-handles a process can allocate. Valid values are 8192-20000500 (inclusive). Maps to fs.nr_open. + format: int32 + maximum: 20000500 + minimum: 8192 + type: integer + kernelThreadsMax: + description: KernelThreadsMax specifies the maximum number of all threads that can be created. Valid values are 20-513785 (inclusive). Maps to kernel.threads-max. + format: int32 + maximum: 513785 + minimum: 20 + type: integer + netCoreNetdevMaxBacklog: + description: NetCoreNetdevMaxBacklog specifies maximum number of packets, queued on the INPUT side, when the interface receives packets faster than kernel can process them. Valid values are 1000-3240000 (inclusive). Maps to net.core.netdev_max_backlog. + format: int32 + maximum: 3240000 + minimum: 1000 + type: integer + netCoreOptmemMax: + description: NetCoreOptmemMax specifies the maximum ancillary buffer size (option memory buffer) allowed per socket. Socket option memory is used in a few cases to store extra structures relating to usage of the socket. Valid values are 20480-4194304 (inclusive). Maps to net.core.optmem_max. 
+ format: int32 + maximum: 4194304 + minimum: 20480 + type: integer + netCoreRmemDefault: + description: NetCoreRmemDefault specifies the default receive socket buffer size in bytes. Valid values are 212992-134217728 (inclusive). Maps to net.core.rmem_default. + format: int32 + maximum: 134217728 + minimum: 212992 + type: integer + netCoreRmemMax: + description: NetCoreRmemMax specifies the maximum receive socket buffer size in bytes. Valid values are 212992-134217728 (inclusive). Maps to net.core.rmem_max. + format: int32 + maximum: 134217728 + minimum: 212992 + type: integer + netCoreSomaxconn: + description: NetCoreSomaxconn specifies maximum number of connection requests that can be queued for any given listening socket. An upper limit for the value of the backlog parameter passed to the listen(2)(https://man7.org/linux/man-pages/man2/listen.2.html) function. If the backlog argument is greater than the somaxconn, then it's silently truncated to this limit. Valid values are 4096-3240000 (inclusive). Maps to net.core.somaxconn. + format: int32 + maximum: 3240000 + minimum: 4096 + type: integer + netCoreWmemDefault: + description: NetCoreWmemDefault specifies the default send socket buffer size in bytes. Valid values are 212992-134217728 (inclusive). Maps to net.core.wmem_default. + format: int32 + maximum: 134217728 + minimum: 212992 + type: integer + netCoreWmemMax: + description: NetCoreWmemMax specifies the maximum send socket buffer size in bytes. Valid values are 212992-134217728 (inclusive). Maps to net.core.wmem_max. + format: int32 + maximum: 134217728 + minimum: 212992 + type: integer + netIpv4IPLocalPortRange: + description: NetIpv4IPLocalPortRange is used by TCP and UDP traffic to choose the local port on the agent node. PortRange should be specified in the format "first last". First, being an integer, must be between [1024 - 60999]. Last, being an integer, must be between [32768 - 65000]. Maps to net.ipv4.ip_local_port_range. 
+ type: string + netIpv4NeighDefaultGcThresh1: + description: NetIpv4NeighDefaultGcThresh1 specifies the minimum number of entries that may be in the ARP cache. Garbage collection won't be triggered if the number of entries is below this setting. Valid values are 128-80000 (inclusive). Maps to net.ipv4.neigh.default.gc_thresh1. + format: int32 + maximum: 80000 + minimum: 128 + type: integer + netIpv4NeighDefaultGcThresh2: + description: NetIpv4NeighDefaultGcThresh2 specifies soft maximum number of entries that may be in the ARP cache. ARP garbage collection will be triggered about 5 seconds after reaching this soft maximum. Valid values are 512-90000 (inclusive). Maps to net.ipv4.neigh.default.gc_thresh2. + format: int32 + maximum: 90000 + minimum: 512 + type: integer + netIpv4NeighDefaultGcThresh3: + description: NetIpv4NeighDefaultGcThresh3 specified hard maximum number of entries in the ARP cache. Valid values are 1024-100000 (inclusive). Maps to net.ipv4.neigh.default.gc_thresh3. + format: int32 + maximum: 100000 + minimum: 1024 + type: integer + netIpv4TCPFinTimeout: + description: NetIpv4TCPFinTimeout specifies the length of time an orphaned connection will remain in the FIN_WAIT_2 state before it's aborted at the local end. Valid values are 5-120 (inclusive). Maps to net.ipv4.tcp_fin_timeout. + format: int32 + maximum: 120 + minimum: 5 + type: integer + netIpv4TCPKeepaliveProbes: + description: NetIpv4TCPKeepaliveProbes specifies the number of keepalive probes TCP sends out, until it decides the connection is broken. Valid values are 1-15 (inclusive). Maps to net.ipv4.tcp_keepalive_probes. + format: int32 + maximum: 15 + minimum: 1 + type: integer + netIpv4TCPKeepaliveTime: + description: NetIpv4TCPKeepaliveTime specifies the rate at which TCP sends out a keepalive message when keepalive is enabled. Valid values are 30-432000 (inclusive). Maps to net.ipv4.tcp_keepalive_time. 
+ format: int32 + maximum: 432000 + minimum: 30 + type: integer + netIpv4TCPMaxSynBacklog: + description: NetIpv4TCPMaxSynBacklog specifies the maximum number of queued connection requests that have still not received an acknowledgment from the connecting client. If this number is exceeded, the kernel will begin dropping requests. Valid values are 128-3240000 (inclusive). Maps to net.ipv4.tcp_max_syn_backlog. + format: int32 + maximum: 3240000 + minimum: 128 + type: integer + netIpv4TCPMaxTwBuckets: + description: NetIpv4TCPMaxTwBuckets specifies maximal number of timewait sockets held by system simultaneously. If this number is exceeded, time-wait socket is immediately destroyed and warning is printed. Valid values are 8000-1440000 (inclusive). Maps to net.ipv4.tcp_max_tw_buckets. + format: int32 + maximum: 1440000 + minimum: 8000 + type: integer + netIpv4TCPTwReuse: + description: NetIpv4TCPTwReuse is used to allow to reuse TIME-WAIT sockets for new connections when it's safe from protocol viewpoint. Maps to net.ipv4.tcp_tw_reuse. + type: boolean + netIpv4TCPkeepaliveIntvl: + description: NetIpv4TCPkeepaliveIntvl specifies the frequency of the probes sent out. Multiplied by tcpKeepaliveprobes, it makes up the time to kill a connection that isn't responding, after probes started. Valid values are 1-75 (inclusive). Maps to net.ipv4.tcp_keepalive_intvl. + format: int32 + maximum: 75 + minimum: 1 + type: integer + netNetfilterNfConntrackBuckets: + description: NetNetfilterNfConntrackBuckets specifies the size of hash table used by nf_conntrack module to record the established connection record of the TCP protocol. Valid values are 65536-147456 (inclusive). Maps to net.netfilter.nf_conntrack_buckets. + format: int32 + maximum: 147456 + minimum: 65536 + type: integer + netNetfilterNfConntrackMax: + description: NetNetfilterNfConntrackMax specifies the maximum number of connections supported by the nf_conntrack module or the size of connection tracking table. 
Valid values are 131072-1048576 (inclusive). Maps to net.netfilter.nf_conntrack_max. + format: int32 + maximum: 1048576 + minimum: 131072 + type: integer + vmMaxMapCount: + description: VMMaxMapCount specifies the maximum number of memory map areas a process may have. Maps to vm.max_map_count. Valid values are 65530-262144 (inclusive). + format: int32 + maximum: 262144 + minimum: 65530 + type: integer + vmSwappiness: + description: VMSwappiness specifies aggressiveness of the kernel in swapping memory pages. Higher values will increase aggressiveness, lower values decrease the amount of swap. Valid values are 0-100 (inclusive). Maps to vm.swappiness. + format: int32 + maximum: 100 + minimum: 0 + type: integer + vmVfsCachePressure: + description: VMVfsCachePressure specifies the percentage value that controls tendency of the kernel to reclaim the memory, which is used for caching of directory and inode objects. Valid values are 1-500 (inclusive). Maps to vm.vfs_cache_pressure. + format: int32 + maximum: 500 + minimum: 1 + type: integer + type: object + transparentHugePageDefrag: + description: "TransparentHugePageDefrag specifies whether the kernel should make aggressive use of memory compaction to make more hugepages available. See also [Linux doc]. \n [Linux doc]: https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html#admin-guide-transhuge for more details." + enum: + - always + - defer + - defer+madvise + - madvise + - never + type: string + transparentHugePageEnabled: + description: "TransparentHugePageEnabled specifies various modes of Transparent Hugepages. See also [Linux doc]. \n [Linux doc]: https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html#admin-guide-transhuge for more details." + enum: + - always + - madvise + - never + type: string + type: object + maxPods: + description: "MaxPods specifies the kubelet `--max-pods` configuration for the node pool. Immutable. See also [AKS doc], [K8s doc]. 
\n [AKS doc]: https://learn.microsoft.com/azure/aks/configure-azure-cni#configure-maximum---new-clusters [K8s doc]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" + format: int32 + type: integer + mode: + description: 'Mode - represents mode of an agent pool. Possible values include: System, User.' + enum: + - System + - User + type: string + name: + description: Name - name of the agent pool. If not specified, CAPZ uses the name of the CR as the agent pool name. Immutable. + type: string + nodeLabels: + additionalProperties: + type: string + description: "Node labels - labels for all of the nodes present in node pool. See also [AKS doc]. \n [AKS doc]: https://learn.microsoft.com/azure/aks/use-labels" + type: object + nodePublicIPPrefixID: + description: NodePublicIPPrefixID specifies the public IP prefix resource ID which VM nodes should use IPs from. Immutable. + type: string + osDiskSizeGB: + description: OSDiskSizeGB is the disk size for every machine in this agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. Immutable. + format: int32 + type: integer + osDiskType: + default: Managed + description: "OsDiskType specifies the OS disk type for each node in the pool. Allowed values are 'Ephemeral' and 'Managed' (default). Immutable. See also [AKS doc]. \n [AKS doc]: https://learn.microsoft.com/azure/aks/cluster-configuration#ephemeral-os" + enum: + - Ephemeral + - Managed + type: string + osType: + description: "OSType specifies the virtual machine operating system. Default to Linux. Possible values include: 'Linux', 'Windows'. 'Windows' requires the AzureManagedControlPlane's `spec.networkPlugin` to be `azure`. Immutable. See also [AKS doc]. 
\n [AKS doc]: https://learn.microsoft.com/rest/api/aks/agent-pools/create-or-update?tabs=HTTP#ostype" + enum: + - Linux + - Windows + type: string + providerIDList: + description: ProviderIDList is the unique identifier as specified by the cloud provider. + items: + type: string + type: array + scaleDownMode: + default: Delete + description: 'ScaleDownMode affects the cluster autoscaler behavior. Default to Delete. Possible values include: ''Deallocate'', ''Delete''' + enum: + - Deallocate + - Delete + type: string + scaleSetPriority: + description: 'ScaleSetPriority specifies the ScaleSetPriority value. Default to Regular. Possible values include: ''Regular'', ''Spot'' Immutable.' + enum: + - Regular + - Spot + type: string + scaling: + description: Scaling specifies the autoscaling parameters for the node pool. + properties: + maxSize: + description: MaxSize is the maximum number of nodes for auto-scaling. + format: int32 + type: integer + minSize: + description: MinSize is the minimum number of nodes for auto-scaling. + format: int32 + type: integer + type: object + sku: + description: SKU is the size of the VMs in the node pool. Immutable. + type: string + spotMaxPrice: + anyOf: + - type: integer + - type: string + description: SpotMaxPrice defines max price to pay for spot instance. Possible values are any decimal value greater than zero or -1. If you set the max price to be -1, the VM won't be evicted based on price. The price for the VM will be the current price for spot or the price for a standard VM, which ever is less, as long as there's capacity and quota available. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + subnetName: + description: SubnetName specifies the Subnet where the MachinePool will be placed Immutable. + type: string + taints: + description: "Taints specifies the taints for nodes present in this agent pool. See also [AKS doc]. 
\n [AKS doc]: https://learn.microsoft.com/azure/aks/use-multiple-node-pools#setting-node-pool-taints" + items: + description: Taint represents a Kubernetes taint. + properties: + effect: + description: Effect specifies the effect for the taint + enum: + - NoSchedule + - NoExecute + - PreferNoSchedule + type: string + key: + description: Key is the key of the taint + type: string + value: + description: Value is the value of the taint + type: string + required: + - effect + - key + - value + type: object + type: array + required: + - mode + - sku + type: object + status: + description: AzureManagedMachinePoolStatus defines the observed state of AzureManagedMachinePool. + properties: + conditions: + description: Conditions defines current service state of the AzureManagedControlPlane. + items: + description: Condition defines an observation of a Cluster API resource operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. + type: string + severity: + description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + errorMessage: + description: Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output. + type: string + errorReason: + description: Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output. + type: string + longRunningOperationStates: + description: LongRunningOperationStates saves the states for Azure long-running operations so they can be continued on the next reconciliation loop. + items: + description: Future contains the data needed for an Azure long-running operation to continue across reconcile loops. + properties: + data: + description: Data is the base64 url encoded json Azure AutoRest Future. + type: string + name: + description: Name is the name of the Azure resource. Together with the service name, this forms the unique identifier for the future. + type: string + resourceGroup: + description: ResourceGroup is the Azure resource group for the resource. + type: string + serviceName: + description: ServiceName is the name of the Azure service. Together with the name of the resource, this forms the unique identifier for the future. + type: string + type: + description: Type describes the type of future, such as update, create, delete, etc. + type: string + required: + - data + - name + - serviceName + - type + type: object + type: array + ready: + description: Ready is true when the provider resource is ready. + type: boolean + replicas: + description: Replicas is the most recently observed number of replicas. 
+ format: int32 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/azurepodidentityexception-crd.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/azurepodidentityexception-crd.yaml new file mode 100644 index 000000000..7cd1dba6b --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/azurepodidentityexception-crd.yaml 
@@ -0,0 +1,62 @@ +{{- if .Values.crds.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azurepodidentityexceptions.aadpodidentity.k8s.io + annotations: + api-approved.kubernetes.io: unapproved + controller-gen.kubebuilder.io/version: v0.5.0 + labels: + clusterctl.cluster.x-k8s.io: "" + cluster.x-k8s.io/provider: infrastructure-azure + {{- include "cluster-api-provider-azure.labels" . | nindent 4 }} +spec: + group: aadpodidentity.k8s.io + names: + kind: AzurePodIdentityException + listKind: AzurePodIdentityExceptionList + plural: azurepodidentityexceptions + singular: azurepodidentityexception + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AzurePodIdentityException contains the pod selectors for all pods that don't require NMI to process and request token on their behalf. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzurePodIdentityExceptionSpec matches pods with the selector defined. If request originates from a pod that matches the selector, nmi will proxy the request and send response back without any validation. 
+ properties: + metadata: + type: object + podLabels: + additionalProperties: + type: string + type: object + type: object + status: + description: AzurePodIdentityExceptionStatus contains the status of an AzurePodIdentityException. + properties: + metadata: + type: object + status: + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} \ No newline at end of file diff --git a/bootstrap/helm/cluster-api-provider-azure/templates/job.yaml b/bootstrap/helm/cluster-api-provider-azure/templates/job.yaml new file mode 100644 index 000000000..a789ce19d --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/templates/job.yaml 
@@ -0,0 +1,64 @@ +{{- if .Values.job.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "cluster-api-provider-azure-plural.fullname" . }}-wait-for-provider + labels: + {{- include "cluster-api-provider-azure-plural.labels" . | nindent 4 }} + annotations: + {{- toYaml .Values.job.annotations | nindent 4 }} +spec: + template: + spec: + containers: + - name: wait-for-provider + image: {{ .Values.job.image.repository }}:{{ .Values.job.image.tag }} + imagePullPolicy: {{ .Values.job.image.pullPolicy }} + command: ["kubectl"] + args: ["wait", "--for=condition=Available", "--timeout=600s", "deployment/{{ include "cluster-api-provider-azure.fullname" (index .Subcharts "cluster-api-provider-azure") }}-controller-manager", "-n", "{{ .Release.namespace }}"] + restartPolicy: Never + serviceAccountName: {{ include "cluster-api-provider-azure-plural.fullname" . }}-wait-for-provider + backoffLimit: 4 +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "cluster-api-provider-azure-plural.fullname" . }}-wait-for-provider + labels: + {{- include "cluster-api-provider-azure-plural.labels" . | nindent 4 }} + annotations: + {{- toYaml .Values.job.annotations | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "watch"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "cluster-api-provider-azure-plural.fullname" . }}-wait-for-provider + labels: + {{- include "cluster-api-provider-azure-plural.labels" . | nindent 4 }} + annotations: + {{- toYaml .Values.job.annotations | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "cluster-api-provider-azure-plural.fullname" . }}-wait-for-provider + namespace: {{ .Release.namespace }} +roleRef: + kind: Role + name: {{ include "cluster-api-provider-azure-plural.fullname" . 
}}-wait-for-provider + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "cluster-api-provider-azure-plural.fullname" . }}-wait-for-provider + labels: + {{- include "cluster-api-provider-azure-plural.labels" . | nindent 4 }} + annotations: + {{- toYaml .Values.job.annotations | nindent 4 }} +{{- end }} diff --git a/bootstrap/helm/cluster-api-provider-azure/values.yaml b/bootstrap/helm/cluster-api-provider-azure/values.yaml new file mode 100644 index 000000000..48b41b5cb --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/values.yaml @@ -0,0 +1,26 @@ +crds: + create: true + +cluster-api-provider-azure: + bootstrapMode: false # we should never set this to true since it uses a deprecated method for setting the credentials + crds: + create: false + configVariables: + exprimental: + machinePool: true + controllerManager: + manager: + image: + repository: ghcr.io/pluralsh/cluster-api-azure-controller + tag: v1.9.14 + +job: + enabled: true + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + image: + repository: bitnami/kubectl + tag: 1.25.8 + pullPolicy: IfNotPresent diff --git a/bootstrap/helm/cluster-api-provider-azure/values.yaml.tpl b/bootstrap/helm/cluster-api-provider-azure/values.yaml.tpl new file mode 100644 index 000000000..0967ef424 --- /dev/null +++ b/bootstrap/helm/cluster-api-provider-azure/values.yaml.tpl @@ -0,0 +1 @@ +{}
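Review bot: `{{ .Release.namespace }}` in the kubectl args and in the RoleBinding subject is not a Helm built-in; the field is `.Release.Namespace`, so both occurrences render empty, the ServiceAccount subject ends up without a namespace (which the API server will likely reject), and the wait would run against whatever namespace the in-pod kubeconfig defaults to. Change both to `"-n", "{{ .Release.Namespace }}"` and `namespace: {{ .Release.Namespace }}`. The Role also grants get/list/watch on `pods`, which `kubectl wait` on a deployment does not appear to need, so dropping that rule keeps the hook's service account at least privilege. The wait-for-provider container has no `securityContext` (runAsNonRoot, drop all capabilities, readOnlyRootFilesystem) and the kubectl image is pinned by tag rather than digest; both are worth tightening for a hook that runs with bound cluster credentials.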
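Review bot: The key `exprimental:` under `cluster-api-provider-azure.configVariables` looks misspelled; the subchart presumably reads `experimental`, so `machinePool: true` would be silently ignored and the MachinePool feature gate stays off — rename it to `experimental:` and confirm against the subchart's values file. Helm does not reject unknown value keys, so rendering with `helm template` and checking the controller-manager arguments is the quickest way to verify the gate is actually set. The controller image is pinned by tag (`v1.9.14`) only; pinning `ghcr.io/pluralsh/cluster-api-azure-controller` by digest as well would make the bootstrap supply chain reproducible.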