diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 393b8c42..cc536049 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -112,3 +112,12 @@ jobs:
run: |
sudo npm install -g markdownlint-cli@0.31.1
make markdownlint
+ - name: Checking whether autogenerated Helm chart documentation is up-to-date
+ working-directory: build/charts/
+ run: |
+ make helm-docs
+ DIFF=$(git diff .)
+ if [ -n "$DIFF" ]; then
+ echo "The Helm chart documentation is out-of-date; please run 'make helm-docs' in 'build/charts/' and commit the changes"
+ exit 1
+ fi
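Review bot: The freshness check in the new step uses `git diff .`, which only reports changes to tracked files, so a README that `make helm-docs` generates for a chart that has none committed yet would pass unnoticed. `DIFF=$(git status --porcelain .)` covers both modified and untracked files. The `sed -i.bak` calls in build/charts/Makefile leave `.bak` files behind, so these would have to be removed or ignored first if the check is widened. The job this step belongs to starts outside the hunk.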
diff --git a/.github/workflows/process_release.yml b/.github/workflows/process_release.yml
index fda6be00..7b704896 100644
--- a/.github/workflows/process_release.yml
+++ b/.github/workflows/process_release.yml
@@ -26,3 +26,23 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
asset_paths: '["./assets/*"]'
+
+ update-website:
+ name: Trigger website update for release
+ needs: upload-release-assets
+ runs-on: ubuntu-latest
+ steps:
+ - id: get-version
+ env:
+ TAG: ${{ github.ref }}
+ run: |
+ version=${TAG:10}
+ echo "version=$version" >> $GITHUB_OUTPUT
+ - name: Update Helm index with Nephe archive
+ uses: benc-uk/workflow-dispatch@v1
+ with:
+ repo: antrea-io/website
+ ref: refs/heads/main
+ workflow: Update Helm index
+ token: ${{ secrets.ANTREA_WEBSITE_WORKFLOW_DISPATCH_PAT }}
+ inputs: ${{ format('{{ "archive-url":"https://github.com/antrea-io/nephe/releases/download/{0}/nephe-chart.tgz" }}', steps.get-version.outputs.version) }}
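Review bot: The `Update Helm index with Nephe archive` step passes the `ANTREA_WEBSITE_WORKFLOW_DISPATCH_PAT` secret to a third-party action referenced by the mutable tag `benc-uk/workflow-dispatch@v1`, so whatever code that tag points to at release time runs with a token able to dispatch workflows in antrea-io/website. Pin the action to a full commit SHA, e.g. `uses: benc-uk/workflow-dispatch@FULL_COMMIT_SHA # v1` (placeholder, take the value from the action's repository), and keep the PAT scoped to that single repository. In the `get-version` step, `${TAG:10}` silently assumes `github.ref` starts with `refs/tags/`; the workflow trigger is outside the hunk, so a one-line comment stating that assumption would help.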
diff --git a/build/charts/Makefile b/build/charts/Makefile
new file mode 100644
index 00000000..56dd2255
--- /dev/null
+++ b/build/charts/Makefile
@@ -0,0 +1,12 @@
+USERID := $(shell id -u)
+GRPID := $(shell id -g)
+
+VERSION := $(shell head -n 1 ../../VERSION | cut -c 2-)
+
+.PHONY: helm-docs
+helm-docs:
+ docker run --rm --volume "$(CURDIR):/helm-docs" --user=$(USERID):$(GRPID) jnorwood/helm-docs:v1.7.0
+ sed -i.bak "s/0\.0\.0/$(VERSION)/g" nephe/README.md # replace version placeholder
+ sed -i.bak "s/-dev-informational/--dev-informational/g" nephe/README.md # fix img.shields.io badge URLs
+ sed -i.bak "s/0\.0\.0/$(VERSION)/g" nephe/charts/crds/README.md # replace version placeholder
+ sed -i.bak "s/-dev-informational/--dev-informational/g" nephe/charts/crds/README.md # fix img.shields.io badge URLs
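Review bot: The `helm-docs` target runs `jnorwood/helm-docs:v1.7.0` by tag with the chart directory mounted read-write, and the new CI step in .github/workflows/go.yml invokes it, so whatever image that tag resolves to can rewrite files in the checkout. Pinning by digest, `jnorwood/helm-docs:v1.7.0@sha256:DIGEST_OF_V1_7_0` (placeholder), makes the generated docs reproducible and removes the dependency on the registry tag staying put. The four `sed -i.bak` lines also leave `README.md.bak` files next to both READMEs; a final `rm -f nephe/README.md.bak nephe/charts/crds/README.md.bak` would keep the tree clean.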
diff --git a/build/charts/nephe/.helmignore b/build/charts/nephe/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/build/charts/nephe/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/build/charts/nephe/Chart.lock b/build/charts/nephe/Chart.lock
new file mode 100644
index 00000000..47b8ae7d
--- /dev/null
+++ b/build/charts/nephe/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: crds
+ repository: ""
+ version: 0.0.0
+digest: sha256:16cbbceffe2a6946ae7cbb20b5a8313267bc77f4669caba20fffb3ff64a773a6
+generated: "2023-03-13T23:32:57.459036359-07:00"
diff --git a/build/charts/nephe/Chart.yaml b/build/charts/nephe/Chart.yaml
new file mode 100644
index 00000000..e094207d
--- /dev/null
+++ b/build/charts/nephe/Chart.yaml
@@ -0,0 +1,29 @@
+apiVersion: v2
+name: nephe
+type: application
+displayName: Nephe
+home: https://antrea.io/
+version: 0.0.0
+appVersion: latest
+kubeVersion: ">= 1.16.0-0"
+icon: https://raw.githubusercontent.com/antrea-io/antrea/main/docs/assets/logo/antrea_logo.svg
+description: Antrea managed security policies in the public cloud
+dependencies:
+- name: crds
+ condition: crds.enabled
+ version: 0.0.0
+keywords:
+ - Kubernetes
+ - CNCF
+ - Networking
+ - Antrea
+ - Security
+ - Public Cloud
+ - AWS
+ - Azure
+sources:
+ - https://github.com/antrea-io/nephe
+annotations:
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/operator: "false"
+ artifacthub.io/prerelease: "false"
diff --git a/build/charts/nephe/README.md b/build/charts/nephe/README.md
new file mode 100644
index 00000000..fb754454
--- /dev/null
+++ b/build/charts/nephe/README.md
@@ -0,0 +1,31 @@
+# nephe
+
+![Version: 0.4.0-dev](https://img.shields.io/badge/Version-0.4.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+
+Antrea managed security policies in the public cloud
+
+**Homepage:**
+
+## Source Code
+
+*
+
+## Requirements
+
+Kubernetes: `>= 1.16.0-0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| | crds | 0.4.0-dev |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| cloudResourcePrefix | string | `"nephe"` | Specifies the prefix to be used while creating cloud resources. |
+| cloudSyncInterval | int | `300` | Specifies the interval (in seconds) to be used for syncing cloud resources with controller. |
+| crds | object | `{"enabled":true}` | Enable/Disable Nephe CRDs dependent chart. |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/nephe","tag":""}` | Container image to use for Nephe Controller. |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/build/charts/nephe/charts/crds/.helmignore b/build/charts/nephe/charts/crds/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/build/charts/nephe/charts/crds/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/build/charts/nephe/charts/crds/Chart.yaml b/build/charts/nephe/charts/crds/Chart.yaml
new file mode 100644
index 00000000..ddef2cc7
--- /dev/null
+++ b/build/charts/nephe/charts/crds/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v2
+name: crds
+type: application
+displayName: Nephe CRDs
+home: https://antrea.io/
+version: 0.0.0
+appVersion: latest
+kubeVersion: ">= 1.16.0-0"
+icon: https://raw.githubusercontent.com/antrea-io/antrea/main/docs/assets/logo/antrea_logo.svg
+description: Nephe CRDs
+sources:
+ - https://github.com/antrea-io/nephe
+annotations:
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/operator: "false"
+ artifacthub.io/prerelease: "false"
diff --git a/build/charts/nephe/charts/crds/README.md b/build/charts/nephe/charts/crds/README.md
new file mode 100644
index 00000000..564cc2dc
--- /dev/null
+++ b/build/charts/nephe/charts/crds/README.md
@@ -0,0 +1,18 @@
+# crds
+
+![Version: 0.4.0-dev](https://img.shields.io/badge/Version-0.4.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+
+Nephe CRDs
+
+**Homepage:**
+
+## Source Code
+
+*
+
+## Requirements
+
+Kubernetes: `>= 1.16.0-0`
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/build/charts/nephe/charts/crds/templates/cloudentityselector.yaml b/build/charts/nephe/charts/crds/templates/cloudentityselector.yaml
new file mode 100644
index 00000000..e357ad4d
--- /dev/null
+++ b/build/charts/nephe/charts/crds/templates/cloudentityselector.yaml
@@ -0,0 +1,119 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/serving-cert
+ controller-gen.kubebuilder.io/version: v0.8.0
+ helm.sh/resource-policy: keep
+ name: cloudentityselectors.crd.cloud.antrea.io
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ caBundle: Cg==
+ service:
+ name: nephe-controller-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /convert
+ conversionReviewVersions:
+ - v1
+ - v1beta1
+ group: crd.cloud.antrea.io
+ names:
+ kind: CloudEntitySelector
+ listKind: CloudEntitySelectorList
+ plural: cloudentityselectors
+ shortNames:
+ - ces
+ singular: cloudentityselector
+ preserveUnknownFields: false
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: CloudEntitySelector is the Schema for the cloudentityselectors
+ API.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: CloudEntitySelectorSpec defines the desired state of CloudEntitySelector.
+ properties:
+ accountName:
+ description: AccountName specifies cloud account in this CloudProvider.
+ type: string
+ vmSelector:
+ description: VMSelector selects the VirtualMachines the user has modify
+ privilege. VMSelector is mandatory, at least one selector under
+ VMSelector is required. It is an array, VirtualMachines satisfying
+ any item on VMSelector are selected(ORed).
+ items:
+ description: VirtualMachineSelector specifies VirtualMachine match
+ criteria. VirtualMachines must satisfy all fields(ANDed) in a
+ VirtualMachineSelector in order to satisfy match.
+ properties:
+ agented:
+ description: Agented specifies if VM runs in agented mode, default
+ is false.
+ type: boolean
+ vmMatch:
+ description: VMMatch specifies VirtualMachines to match. It
+ is an array, match satisfying any item on VMMatch is selected(ORed).
+ If it is not specified, all VirtualMachines matching VpcMatch
+ are selected.
+ items:
+ description: EntityMatch specifies match conditions to cloud
+ entities. Cloud entities must satisfy all fields(ANDed)
+ in EntityMatch to satisfy EntityMatch.
+ properties:
+ matchID:
+ description: MatchID matches cloud entities' identifier.
+ If not specified, it matches any cloud entities.
+ type: string
+ matchName:
+ description: MatchName matches cloud entities' name. If
+ not specified, it matches any cloud entities.
+ type: string
+ type: object
+ type: array
+ vpcMatch:
+ description: VpcMatch specifies the virtual private cloud to
+ which VirtualMachines belong. VpcMatch is ANDed with VMMatch.
+ If it is not specified, VirtualMachines may belong to any
+ virtual private cloud.
+ properties:
+ matchID:
+ description: MatchID matches cloud entities' identifier.
+ If not specified, it matches any cloud entities.
+ type: string
+ matchName:
+ description: MatchName matches cloud entities' name. If
+ not specified, it matches any cloud entities.
+ type: string
+ type: object
+ type: object
+ type: array
+ required:
+ - vmSelector
+ type: object
+ type: object
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/build/charts/nephe/charts/crds/templates/cloudprovideraccount.yaml b/build/charts/nephe/charts/crds/templates/cloudprovideraccount.yaml
new file mode 100644
index 00000000..ca87611c
--- /dev/null
+++ b/build/charts/nephe/charts/crds/templates/cloudprovideraccount.yaml
@@ -0,0 +1,132 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/serving-cert
+ controller-gen.kubebuilder.io/version: v0.8.0
+ helm.sh/resource-policy: keep
+ name: cloudprovideraccounts.crd.cloud.antrea.io
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ caBundle: Cg==
+ service:
+ name: nephe-controller-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /convert
+ conversionReviewVersions:
+ - v1
+ - v1beta1
+ group: crd.cloud.antrea.io
+ names:
+ kind: CloudProviderAccount
+ listKind: CloudProviderAccountList
+ plural: cloudprovideraccounts
+ shortNames:
+ - cpa
+ singular: cloudprovideraccount
+ preserveUnknownFields: false
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: CloudProviderAccount is the Schema for the cloudprovideraccounts
+ API.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: CloudProviderAccountSpec defines the desired state of CloudProviderAccount.
+ properties:
+ awsConfig:
+ description: Cloud provider account config.
+ properties:
+ endpoint:
+ description: Endpoint URL that overrides the default AWS generated
+ endpoint.
+ type: string
+ region:
+ description: Cloud provider account region.
+ type: string
+ secretRef:
+ description: Reference to k8s secret which has cloud provider
+ credentials.
+ properties:
+ key:
+ description: Key to select in the secret.
+ type: string
+ name:
+ description: Name of the secret.
+ type: string
+ namespace:
+ description: Namespace of the secret.
+ type: string
+ required:
+ - key
+ - name
+ - namespace
+ type: object
+ type: object
+ azureConfig:
+ description: Cloud provider account config.
+ properties:
+ region:
+ type: string
+ secretRef:
+ description: SecretReference is a reference to a k8s secret resource
+ in an arbitrary namespace.
+ properties:
+ key:
+ description: Key to select in the secret.
+ type: string
+ name:
+ description: Name of the secret.
+ type: string
+ namespace:
+ description: Namespace of the secret.
+ type: string
+ required:
+ - key
+ - name
+ - namespace
+ type: object
+ type: object
+ pollIntervalInSeconds:
+ description: PollIntervalInSeconds defines account poll interval (default
+ value is 60, if not specified).
+ type: integer
+ type: object
+ status:
+ description: CloudProviderAccountStatus defines the observed state of
+ CloudProviderAccount.
+ properties:
+ error:
+ description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
+ of cluster Important: Run "make" to regenerate code after modifying
+ this file Error is current error, if any, of the CloudProviderAccount.'
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/build/charts/nephe/charts/crds/templates/virtualmachine.yaml b/build/charts/nephe/charts/crds/templates/virtualmachine.yaml
new file mode 100644
index 00000000..d3d4618f
--- /dev/null
+++ b/build/charts/nephe/charts/crds/templates/virtualmachine.yaml
@@ -0,0 +1,137 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/serving-cert
+ controller-gen.kubebuilder.io/version: v0.8.0
+ name: virtualmachines.crd.cloud.antrea.io
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ caBundle: Cg==
+ service:
+ name: nephe-controller-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /convert
+ conversionReviewVersions:
+ - v1
+ - v1beta1
+ group: crd.cloud.antrea.io
+ names:
+ kind: VirtualMachine
+ listKind: VirtualMachineList
+ plural: virtualmachines
+ shortNames:
+ - vm
+ singular: virtualmachine
+ preserveUnknownFields: false
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.provider
+ name: Cloud-Provider
+ type: string
+ - jsonPath: .status.region
+ name: Region
+ type: string
+ - jsonPath: .status.virtualPrivateCloud
+ name: Virtual-Private-Cloud
+ type: string
+ - jsonPath: .status.state
+ name: State
+ type: string
+ - jsonPath: .status.agented
+ name: Agented
+ type: string
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: VirtualMachine is the Schema for the virtualmachines API A virtualMachine
+ object is created automatically based on matching criteria specification
+ of CloudEntitySelector.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ status:
+ description: VirtualMachineStatus defines the observed state of VirtualMachine
+ It contains observable parameters.
+ properties:
+ agented:
+ description: Agented specifies if VM runs in agented mode, default
+ is false.
+ type: boolean
+ networkInterfaces:
+ description: NetworkInterfaces is array of NetworkInterfaces attached
+ to this VirtualMachine.
+ items:
+ description: NetworkInterface contains information pertaining to
+ NetworkInterface.
+ properties:
+ ips:
+ description: IP addresses of this NetworkInterface.
+ items:
+ properties:
+ address:
+ type: string
+ addressType:
+ type: string
+ required:
+ - address
+ - addressType
+ type: object
+ type: array
+ mac:
+ description: Hardware address of the interface.
+ type: string
+ name:
+ type: string
+ type: object
+ type: array
+ provider:
+ description: Provider specifies cloud provider of this VirtualMachine.
+ enum:
+ - Azure
+ - AWS
+ type: string
+ region:
+ description: Region indicates the cloud region of the VirtualMachine.
+ type: string
+ state:
+ description: State indicates current state of the VirtualMachine.
+ type: string
+ tags:
+ additionalProperties:
+ type: string
+ description: Tags of this VirtualMachine. A corresponding label is
+ also generated for each tag.
+ type: object
+ virtualPrivateCloud:
+ description: VirtualPrivateCloud is the virtual private cloud this
+ VirtualMachine belongs to.
+ type: string
+ required:
+ - agented
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
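Review bot: The VirtualMachine CRD's annotations omit `helm.sh/resource-policy: keep`, which the cloudentityselectors and cloudprovideraccounts CRDs added in this same commit both carry, so `helm uninstall` will treat this CRD differently from the other two. If that is deliberate (the schema description says VirtualMachine objects are created automatically from a CloudEntitySelector), a short template comment saying so would stop it being read as an oversight. Otherwise add `helm.sh/resource-policy: keep` under `metadata.annotations` so the three CRDs behave the same.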
diff --git a/build/charts/nephe/charts/crds/values.yaml b/build/charts/nephe/charts/crds/values.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/build/charts/nephe/conf/nephe-controller.conf b/build/charts/nephe/conf/nephe-controller.conf
new file mode 100644
index 00000000..021cc22c
--- /dev/null
+++ b/build/charts/nephe/conf/nephe-controller.conf
@@ -0,0 +1,5 @@
+# Specifies the prefix to be used while creating cloud resources.
+cloudResourcePrefix: {{ .Values.cloudResourcePrefix }}
+
+# Specifies the interval (in seconds) to be used for syncing cloud resources with controller.
+cloudSyncInterval: {{ .Values.cloudSyncInterval }}
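Review bot: `cloudResourcePrefix` is rendered into the config file unquoted, so a value such as `on`, `123` or an empty string would reach the controller as a boolean, a number or null rather than a string (assuming the file is parsed as YAML, which its syntax suggests), and a value containing a newline could inject extra keys. Rendering it as `cloudResourcePrefix: {{ .Values.cloudResourcePrefix | quote }}` keeps it a single string. `cloudSyncInterval` can stay bare, or be written as `{{ .Values.cloudSyncInterval | int }}` to coerce it to an integer.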
diff --git a/build/charts/nephe/templates/NOTES.txt b/build/charts/nephe/templates/NOTES.txt
new file mode 100644
index 00000000..7ada6bc8
--- /dev/null
+++ b/build/charts/nephe/templates/NOTES.txt
@@ -0,0 +1,3 @@
+Nephe has been successfully installed
+
+You are using version {{ .Chart.Version }}
diff --git a/build/charts/nephe/templates/_helpers.tpl b/build/charts/nephe/templates/_helpers.tpl
new file mode 100644
index 00000000..312174f9
--- /dev/null
+++ b/build/charts/nephe/templates/_helpers.tpl
@@ -0,0 +1,13 @@
+{{- define "nepheImageTag" -}}
+{{- if .Values.image.tag }}
+{{- .Values.image.tag -}}
+{{- else if eq .Chart.AppVersion "latest" }}
+{{- print "latest" -}}
+{{- else }}
+{{- print "v" .Chart.AppVersion -}}
+{{- end }}
+{{- end -}}
+
+{{- define "nepheImage" -}}
+{{- print .Values.image.repository ":" (include "nepheImageTag" .) -}}
+{{- end -}}
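Review bot: `nepheImageTag` falls back to the mutable tag `latest` whenever `image.tag` is empty and the chart's `appVersion` is `latest`, which is what Chart.yaml in this commit sets, and values.yaml pairs that with `pullPolicy: "IfNotPresent"`, so a node keeps running whichever `latest` it pulled first. The helper has no comment describing the precedence; a `{{/* ... */}}` block above the `define` stating the order (explicit `image.tag`, then `latest` for development charts, then `v` plus appVersion) and that released charts are expected to carry a real appVersion would make the intent reviewable. Whether the release tooling rewrites appVersion is not visible in this part of the diff.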
diff --git a/build/charts/nephe/templates/certs/certificate.yaml b/build/charts/nephe/templates/certs/certificate.yaml
new file mode 100644
index 00000000..10b0a360
--- /dev/null
+++ b/build/charts/nephe/templates/certs/certificate.yaml
@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: serving-cert
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - '*.{{ .Release.Namespace }}.svc'
+ - '*.{{ .Release.Namespace }}.svc.cluster.local'
+ issuerRef:
+ kind: Issuer
+ name: selfsigned-issuer
+ secretName: serving-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
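Review bot: The `serving-cert` Certificate requests wildcard names for the whole release namespace (`*.{{ .Release.Namespace }}.svc` and the `.svc.cluster.local` form), so the key stored in the `serving-cert` secret is valid for any service name in that namespace rather than only the controller's. The chart defines exactly two services that present this certificate, `nephe-controller-service` and `nephe-controller-webhook-service`; listing those names keeps the certificate no broader than its use.

```yaml
spec:
  dnsNames:
  - nephe-controller-service.{{ .Release.Namespace }}.svc
  - nephe-controller-service.{{ .Release.Namespace }}.svc.cluster.local
  - nephe-controller-webhook-service.{{ .Release.Namespace }}.svc
  - nephe-controller-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
  # … unchanged: issuerRef, secretName …
```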
diff --git a/build/charts/nephe/templates/configmap.yaml b/build/charts/nephe/templates/configmap.yaml
new file mode 100644
index 00000000..11d31601
--- /dev/null
+++ b/build/charts/nephe/templates/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nephe-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: nephe-system
+data:
+{{ tpl (.Files.Glob "conf/*").AsConfig . | indent 2 | replace " \n" "\n" }}
diff --git a/build/charts/nephe/templates/controller/apiservices.yaml b/build/charts/nephe/templates/controller/apiservices.yaml
new file mode 100644
index 00000000..4a52136b
--- /dev/null
+++ b/build/charts/nephe/templates/controller/apiservices.yaml
@@ -0,0 +1,14 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/serving-cert
+ name: v1alpha1.runtime.cloud.antrea.io
+spec:
+ group: runtime.cloud.antrea.io
+ groupPriorityMinimum: 100
+ service:
+ name: nephe-controller-service
+ namespace: {{ .Release.Namespace }}
+ version: v1alpha1
+ versionPriority: 100
diff --git a/build/charts/nephe/templates/controller/clusterrole.yaml b/build/charts/nephe/templates/controller/clusterrole.yaml
new file mode 100644
index 00000000..c39a4ae5
--- /dev/null
+++ b/build/charts/nephe/templates/controller/clusterrole.yaml
@@ -0,0 +1,152 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: manager-role
+rules:
+- apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - addressgroups
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - appliedtogroups
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - controlplane.antrea.io
+ resources:
+ - networkpolicies/status
+ verbs:
+ - create
+ - delete
+- apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalentities
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalentities/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalnodes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalnodes/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - crd.cloud.antrea.io
+ resources:
+ - cloudentityselectors
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - crd.cloud.antrea.io
+ resources:
+ - cloudentityselectors/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - crd.cloud.antrea.io
+ resources:
+ - cloudprovideraccounts
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - crd.cloud.antrea.io
+ resources:
+ - cloudprovideraccounts/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - crd.cloud.antrea.io
+ resources:
+ - virtualmachines
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - crd.cloud.antrea.io
+ resources:
+ - virtualmachines/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
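Review bot: `manager-role` is a cluster-scoped object whose name is generic and not tied to the release, so a ClusterRole of the same name from another operator built from similar scaffolding would collide with it, and the install then either fails or the two charts overwrite each other's rules. Prefix it, e.g. `name: nephe-controller-manager-role`, and make the matching change to `roleRef.name` and to `manager-rolebinding` in controller/clusterrolebinding.yaml. `creationTimestamp: null` under `metadata` looks like generator residue and can be dropped.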
diff --git a/build/charts/nephe/templates/controller/clusterrolebinding.yaml b/build/charts/nephe/templates/controller/clusterrolebinding.yaml
new file mode 100644
index 00000000..2d0e3ccd
--- /dev/null
+++ b/build/charts/nephe/templates/controller/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: {{ .Release.Namespace }}
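Review bot: The binding's subject is the namespace's `default` ServiceAccount, so every pod in the release namespace that does not set its own service account receives the cluster-wide rules of `manager-role`. controller/rolebinding.yaml does the same for `secret-viewer-role`, which grants get/list/watch on all secrets in the namespace. Add a dedicated ServiceAccount to the chart and bind to it: `name: nephe-controller` in both `subjects` entries, plus `serviceAccountName: nephe-controller` in the pod spec of controller/deployment.yaml, which currently sets none. That confines these permissions to the controller pod.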
diff --git a/build/charts/nephe/templates/controller/deployment.yaml b/build/charts/nephe/templates/controller/deployment.yaml
new file mode 100644
index 00000000..38f22762
--- /dev/null
+++ b/build/charts/nephe/templates/controller/deployment.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ control-plane: nephe-controller
+ name: nephe-controller
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: nephe-controller
+ template:
+ metadata:
+ labels:
+ control-plane: nephe-controller
+ spec:
+ containers:
+ - args:
+ - --config=/tmp/nephe/nephe-controller.conf
+ - --enable-debug-log
+ command:
+ - /nephe-controller
+ image: {{ include "nepheImage" . | quote }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: nephe-controller
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 2000Mi
+ requests:
+ cpu: 200m
+ memory: 500Mi
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ - mountPath: /tmp/k8s-apiserver/serving-certs
+ name: apiserver-cert
+ readOnly: true
+ - mountPath: /tmp/nephe/nephe-controller.conf
+ name: nephe-config
+ readOnly: true
+ subPath: nephe-controller.conf
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: serving-cert
+ - name: apiserver-cert
+ secret:
+ defaultMode: 420
+ secretName: serving-cert
+ - configMap:
+ name: nephe-config
+ name: nephe-config
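Review bot: The `nephe-controller` container has no `securityContext`, so it runs with the runtime's default capabilities and can escalate privileges, even though the chart grants it read access to secrets and it serves the admission and conversion webhooks. A container-level block that drops capabilities and disables privilege escalation is a low-risk baseline; `runAsNonRoot: true` is worth adding once the image's user is confirmed, which this diff does not show. `--enable-debug-log` is also hard-coded in `args`; gating it on a chart value would keep debug logging off by default.

```yaml
        name: nephe-controller
        # … unchanged: ports, resources …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        # … unchanged: volumeMounts …
```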
diff --git a/build/charts/nephe/templates/controller/role.yaml b/build/charts/nephe/templates/controller/role.yaml
new file mode 100644
index 00000000..d3362109
--- /dev/null
+++ b/build/charts/nephe/templates/controller/role.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: secret-viewer-role
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
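Review bot: `secret-viewer-role` grants get/list/watch on every secret in the release namespace, which includes the `serving-cert` private key created by certs/certificate.yaml, and nothing in the file says which secrets the controller is meant to read. The CloudProviderAccount CRD in this commit describes `secretRef` as a reference to a secret "in an arbitrary namespace", while this Role only covers the release namespace. A comment above `rules:` such as `# Lets the controller read cloud credential secrets; only secrets in the release namespace are readable` would document the effective limit, if that is the intended behaviour.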
diff --git a/build/charts/nephe/templates/controller/rolebinding.yaml b/build/charts/nephe/templates/controller/rolebinding.yaml
new file mode 100644
index 00000000..74b056fe
--- /dev/null
+++ b/build/charts/nephe/templates/controller/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: secret-viewer-rolebinding
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: secret-viewer-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: {{ .Release.Namespace }}
diff --git a/build/charts/nephe/templates/controller/service.yaml b/build/charts/nephe/templates/controller/service.yaml
new file mode 100644
index 00000000..4edc5b6d
--- /dev/null
+++ b/build/charts/nephe/templates/controller/service.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nephe-controller-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 5443
+ selector:
+ control-plane: nephe-controller
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: nephe-controller-webhook-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 443
+ targetPort: 9443
+ selector:
+ control-plane: nephe-controller
diff --git a/build/charts/nephe/templates/webhooks/mutator.yaml b/build/charts/nephe/templates/webhooks/mutator.yaml
new file mode 100644
index 00000000..b4653353
--- /dev/null
+++ b/build/charts/nephe/templates/webhooks/mutator.yaml
@@ -0,0 +1,51 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/serving-cert
+ name: nephe-controller-mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ caBundle: Cg==
+ service:
+ name: nephe-controller-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-crd-cloud-antrea-io-v1alpha1-cloudentityselector
+ failurePolicy: Fail
+ name: mcloudentityselector.kb.io
+ rules:
+ - apiGroups:
+ - crd.cloud.antrea.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - cloudentityselectors
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ caBundle: Cg==
+ service:
+ name: nephe-controller-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-crd-cloud-antrea-io-v1alpha1-cloudprovideraccount
+ failurePolicy: Fail
+ name: mcloudprovideraccount.kb.io
+ rules:
+ - apiGroups:
+ - crd.cloud.antrea.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ resources:
+ - cloudprovideraccounts
+ sideEffects: None
+
diff --git a/build/charts/nephe/templates/webhooks/validator.yaml b/build/charts/nephe/templates/webhooks/validator.yaml
new file mode 100644
index 00000000..1051a336
--- /dev/null
+++ b/build/charts/nephe/templates/webhooks/validator.yaml
@@ -0,0 +1,75 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/serving-cert
+ name: nephe-controller-validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ caBundle: Cg==
+ service:
+ name: nephe-controller-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-crd-cloud-antrea-io-v1alpha1-cloudentityselector
+ failurePolicy: Fail
+ name: vcloudentityselector.kb.io
+ rules:
+ - apiGroups:
+ - crd.cloud.antrea.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - cloudentityselectors
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ caBundle: Cg==
+ service:
+ name: nephe-controller-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-crd-cloud-antrea-io-v1alpha1-cloudprovideraccount
+ failurePolicy: Fail
+ name: vcloudprovideraccount.kb.io
+ rules:
+ - apiGroups:
+ - crd.cloud.antrea.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - cloudprovideraccounts
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ caBundle: Cg==
+ service:
+ name: nephe-controller-webhook-service
+ namespace: nephe-system
+ path: /validate-v1-secret
+ failurePolicy: Ignore
+ name: vsecret.kb.io
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - UPDATE
+ - DELETE
+ resources:
+ - secrets
+ sideEffects: None
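Review bot: The third webhook, `vsecret.kb.io`, hard-codes `namespace: nephe-system` for its service while every other webhook in this file and in webhooks/mutator.yaml uses `{{ .Release.Namespace }}`, so installing the chart into any other namespace leaves this webhook pointing at a service that does not exist there, and `failurePolicy: Ignore` hides the failure. Change the line to `namespace: {{ .Release.Namespace }}`. The same webhook matches UPDATE and DELETE of every Secret in the cluster. If it only needs to guard the controller's own credential secrets, a `namespaceSelector` limited to the release namespace would stop the API server from sending other namespaces' secret contents to the controller.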
diff --git a/build/charts/nephe/values.yaml b/build/charts/nephe/values.yaml
new file mode 100644
index 00000000..193f86f4
--- /dev/null
+++ b/build/charts/nephe/values.yaml
@@ -0,0 +1,15 @@
+# -- Container image to use for Nephe Controller.
+image:
+ repository: "projects.registry.vmware.com/antrea/nephe"
+ pullPolicy: "IfNotPresent"
+ tag: ""
+
+# -- Specifies the prefix to be used while creating cloud resources.
+cloudResourcePrefix: "nephe"
+
+# -- Specifies the interval (in seconds) to be used for syncing cloud resources with controller.
+cloudSyncInterval: 300
+
+# -- Enable/Disable Nephe CRDs dependent chart.
+crds:
+ enabled: true
diff --git a/docs/helm.md b/docs/helm.md
new file mode 100644
index 00000000..d75a606e
--- /dev/null
+++ b/docs/helm.md
@@ -0,0 +1,37 @@
+# Installing Nephe with Helm
+
+## Table of Contents
+
+
+- [Prerequisites](#prerequisites)
+- [Installation](#installation)
+
+
+Starting with Nephe v0.4, Nephe can be installed and updated using
+[Helm](https://helm.sh/).
+
+Helm installation is currently considered Alpha.
+
+## Prerequisites
+
+* Ensure that Helm 3 is [installed](https://helm.sh/docs/intro/install/). We
+ recommend using a recent version of Helm if possible. Refer to the [Helm
+ documentation](https://helm.sh/docs/topics/version_skew/) for compatibility
+ between Helm and Kubernetes versions.
+* Add the Antrea Helm chart repository:
+
+ ```bash
+ helm repo add antrea https://charts.antrea.io
+ helm repo update
+ ```
+
+## Installation
+
+To install the Nephe Helm chart, use the following command:
+
+```bash
+helm install nephe antrea/nephe --namespace nephe-system
+```
+
+This will install the latest available version of Nephe. You can also install a
+specific version of Nephe (>= v0.4) with `--version `.
diff --git a/hack/generate-helm-release.sh b/hack/generate-helm-release.sh
new file mode 100755
index 00000000..f341f76a
--- /dev/null
+++ b/hack/generate-helm-release.sh
@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 Antrea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -eo pipefail
+
+function echoerr {
+ >&2 echo "$@"
+}
+
+_usage="Usage: $0 --out
+Package the Nephe chart into a chart archive.
+Environment variable VERSION must be set.
+ --out Output directory for chart archive
+ --help, -h Print this message and exit
+
+You can set the HELM environment variable to the path of the helm binary you want us to
+use. Otherwise we will download the appropriate version of the helm binary and use it."
+
+function print_usage {
+ echoerr "$_usage"
+}
+
+function print_help {
+ echoerr "Try '$0 --help' for more information."
+}
+
+OUT=""
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+ --out)
+ OUT="$2"
+ shift 2
+ ;;
+ -h|--help)
+ print_usage
+ exit 0
+ ;;
+ *) # unknown option
+ echoerr "Unknown option $1"
+ exit 1
+ ;;
+esac
+done
+
+if [ -z "$VERSION" ]; then
+ echoerr "Environment variable VERSION must be set"
+ print_help
+ exit 1
+fi
+
+if [ "$OUT" == "" ]; then
+ echoerr "--out is required to provide output path"
+ print_help
+ exit 1
+fi
+
+THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+source $THIS_DIR/verify-helm.sh
+
+if [ -z "$HELM" ]; then
+ HELM="$(verify_helm)"
+elif ! $HELM version > /dev/null 2>&1; then
+ echoerr "$HELM does not appear to be a valid helm binary"
+ print_help
+ exit 1
+fi
+
+NEPHE_CHART="$THIS_DIR/../build/charts/nephe"
+# create a backup file before making changes.
+# note that the backup file will not be included in the release: .bak files are
+# ignored as per the .helmignore file.
+cp "$NEPHE_CHART/Chart.yaml" "$NEPHE_CHART/Chart.yaml.bak"
+cp "$NEPHE_CHART/charts/crds/Chart.yaml" "$NEPHE_CHART/charts/crds/Chart.yaml.bak"
+cp "$NEPHE_CHART/Chart.lock" "$NEPHE_CHART/Chart.lock.bak"
+
+yq -i '.annotations."artifacthub.io/prerelease" = strenv(PRERELEASE)' "$NEPHE_CHART/Chart.yaml"
+# Update version for dependent chart.
+sed -i "s/version: "[0-9].[0-9].[0-9]"/version: "$VERSION"/" "$NEPHE_CHART/Chart.yaml"
+sed -i "s/version: "[0-9].[0-9].[0-9]"/version: "$VERSION"/" "$NEPHE_CHART/charts/crds/Chart.yaml"
+$HELM dependency update "$NEPHE_CHART"
+
+$HELM package --app-version "$VERSION" --version "$VERSION" "$NEPHE_CHART"
+mv "nephe-$VERSION.tgz" "$OUT/nephe-chart.tgz"
+mv "$NEPHE_CHART/Chart.yaml.bak" "$NEPHE_CHART/Chart.yaml"
+mv "$NEPHE_CHART/charts/crds/Chart.yaml.bak" "$NEPHE_CHART/charts/crds/Chart.yaml"
+mv "$NEPHE_CHART/Chart.lock.bak" "$NEPHE_CHART/Chart.lock"
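Review bot: The two `sed -i` lines that rewrite the chart version nest double quotes, so the shell closes the string before `[0-9].[0-9].[0-9]` and expands `$VERSION` unquoted; in the resulting expression the dots match any character and each component matches a single digit only. If the goal is to replace an unquoted `version: 0.0.0` placeholder (Chart.yaml is not shown here), `sed -i "s/version: [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*/version: $VERSION/" "$NEPHE_CHART/Chart.yaml"` says so explicitly, and the same form applies to the `charts/crds/Chart.yaml` line. The restoring `mv` commands at the end are also skipped when `helm dependency update` or `helm package` fails under `set -e`, which leaves the modified Chart files and the `.bak` copies in the tree. Moving the restore into a function registered with `trap restore_charts EXIT` right after the `cp` lines would cover that.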
diff --git a/hack/release/prepare-assets.sh b/hack/release/prepare-assets.sh
index a9653074..7e3b5b79 100755
--- a/hack/release/prepare-assets.sh
+++ b/hack/release/prepare-assets.sh
@@ -56,3 +56,8 @@ export IMG_NAME=projects.registry.vmware.com/antrea/nephe
cp ./hack/install-vm-agent-wrapper.sh "$OUTPUT_DIR/"
cp ./hack/install-vm-agent-wrapper.ps1 "$OUTPUT_DIR/"
+
+# Package the nephe chart
+# We need to strip the leading "v" from the version string to ensure that we use
+# a valid SemVer 2 version.
+VERSION=${VERSION:1} ./hack/generate-helm-release.sh --out "$OUTPUT_DIR"
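Review bot: `${VERSION:1}` on the last added line removes the first character whatever it is, so a VERSION passed without the leading "v" would lose its first digit and the chart would be packaged under the wrong version. `${VERSION#v}` strips the prefix only when it is present: `VERSION=${VERSION#v} ./hack/generate-helm-release.sh --out "$OUTPUT_DIR"`. Whether the script validates the format of VERSION earlier cannot be seen from this hunk.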
diff --git a/hack/verify-helm.sh b/hack/verify-helm.sh
new file mode 100755
index 00000000..b1f249fc
--- /dev/null
+++ b/hack/verify-helm.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 Antrea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+_BINDIR="$THIS_DIR/.bin"
+# Must be an exact match, as the generated YAMLs may not be consistent across
+# versions
+_HELM_VERSION="v3.8.1"
+
+# Ensure the helm tool exists and is the correct version, or install it
+verify_helm() {
+ # Check if there is already a helm binary in $_BINDIR and if yes, check if
+ # the version matches the expected one.
+ local helm="$(PATH=$_BINDIR command -v helm)"
+ if [ -x "$helm" ]; then
+ # Verify version if helm was already installed.
+ local helm_version="$($helm version --short 2> >(grep -v 'This is insecure' >&2))"
+ # Should work with:
+ # - v3.8.1
+ # - v3.8.1+g5cb9af4
+ helm_version="${helm_version%+*}"
+ if [ "${helm_version}" == "${_HELM_VERSION}" ]; then
+ # If version is exact match, stop here.
+ echo "$helm"
+ return 0
+ fi
+ >&2 echo "Detected helm version ($helm_version) does not match expected one ($_HELM_VERSION), installing correct version"
+ fi
+ local ostype=""
+ if [[ "$OSTYPE" == "linux-gnu" ]]; then
+ ostype="linux"
+ elif [[ "$OSTYPE" == "darwin"* ]]; then
+ ostype="darwin"
+ else
+ >&2 echo "Unsupported OS type $OSTYPE"
+ return 1
+ fi
+ rc=0
+ local unameArch="$(uname -m)" || rc=$?
+ if [ $rc -ne 0 ]; then
+ >&2 echo "Cannot detect architecture type, uname not available?"
+ return 1
+ fi
+ local arch=""
+ case "$unameArch" in
+ x86_64) arch="amd64";;
+ arm64) arch="arm64";;
+ *) >&2 echo "Unsupported architecture type $unameArch"; return 1;;
+ esac
+
+ >&2 echo "Installing helm"
+ local helm_url="https://get.helm.sh/helm-${_HELM_VERSION}-${ostype}-${arch}.tar.gz"
+ curl -sLo helm.tar.gz "${helm_url}" || return 1
+ mkdir -p "$_BINDIR" || return 1
+ tar -xzf helm.tar.gz -C "$_BINDIR" --strip-components=1 "${ostype}-${arch}/helm" || return 1
+ rm -f helm.tar.gz
+ helm="$_BINDIR/helm"
+ echo "$helm"
+ return 0
+}
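Review bot: The tarball downloaded from get.helm.sh at the end of `verify_helm` is extracted and its `helm` binary handed back to the caller without any integrity check, and that binary goes on to package the release chart in generate-helm-release.sh. Since `_HELM_VERSION` is already pinned, the matching SHA-256 digests can be pinned beside it and checked before `tar` runs; `curl` should also get `-f` so an HTTP error page is not saved as the archive. Two smaller points in the same function: `local unameArch="$(uname -m)" || rc=$?` never sets `rc` because `local` returns 0, and the `case` accepts `arm64` but not the `aarch64` that Linux reports.

```shell
# … unchanged: existing-binary version check, OS and architecture detection …
    local helm_sha256=""
    case "${ostype}-${arch}" in
        # Placeholders: pin the digests published for ${_HELM_VERSION}.
        linux-amd64)  helm_sha256="<SHA256_LINUX_AMD64>";;
        linux-arm64)  helm_sha256="<SHA256_LINUX_ARM64>";;
        darwin-amd64) helm_sha256="<SHA256_DARWIN_AMD64>";;
        darwin-arm64) helm_sha256="<SHA256_DARWIN_ARM64>";;
    esac

    local helm_url="https://get.helm.sh/helm-${_HELM_VERSION}-${ostype}-${arch}.tar.gz"
    curl -fsSLo helm.tar.gz "${helm_url}" || return 1
    # Refuse to unpack an archive whose digest does not match the pinned value.
    # Output goes to stderr because stdout carries the helm path to the caller.
    echo "${helm_sha256}  helm.tar.gz" | shasum -a 256 -c - >&2 || { rm -f helm.tar.gz; return 1; }
    mkdir -p "$_BINDIR" || return 1
# … unchanged: extraction into $_BINDIR and return of the helm path …
```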
diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go
index b3c524a4..5b3072c3 100644
--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@@ -40,8 +40,6 @@ var (
apiServerPort = 5443
// Match Nephe Controller Service Name
nepheControllerSvcName = "nephe-controller-service"
- // Match Nephe Controller Service Domain Name
- nepheControllerDomainName = "nephe-controller-service.nephe-system.svc"
)
// ExtraConfig holds custom apiserver config.
@@ -66,7 +64,7 @@ func NewConfig(codecs serializer.CodecFactory, vmpIndexer cache.Indexer, cloudIn
recommend.SecureServing.ServerCert.PairName = "tls"
recommend.SecureServing.ServerCert.CertDirectory = "/tmp/k8s-apiserver/serving-certs"
if err := recommend.SecureServing.MaybeDefaultWithSelfSignedCerts(nepheControllerSvcName,
- []string{nepheControllerDomainName}, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
+ []string{}, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
return nil, err
}
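Review bot: Passing `[]string{}` as the alternate DNS names means the self-signed serving certificate no longer lists the namespace-qualified service name, so a client that dials `nephe-controller-service.<namespace>.svc` and verifies the certificate would presumably be rejected, which tends to get worked around by disabling verification. Dropping the hard-coded `nephe-system` fits a chart that installs into `.Release.Namespace`, but the name can be built from the pod's own namespace instead, for example `[]string{nepheControllerSvcName + "." + podNamespace + ".svc"}` with `podNamespace` (illustrative name) injected through the downward API. NewConfig starts and ends outside this hunk, so how the APIService is configured to trust this certificate is not visible here.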