diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c7bf3d8..504274f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -33,3 +33,16 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 platforms: linux/amd64
 provenance: false
+ release-helm-chart:
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+ - uses: azure/setup-helm@v3
+ - uses: helm/chart-releaser-action@v1.6.0
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f588d80..3d7ce90 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -20,8 +20,15 @@ jobs:
 cache: false
 - uses: actions/checkout@v4
 - run: go mod tidy && git diff --exit-code go.mod go.sum
+ helm:
+ name: helm-lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: helm lint helm/haproxy-operator/ --strict
+ - run: helm template chart helm/haproxy-operator > /dev/null
 golangci:
- name: lint
+ name: golangci-lint
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
diff --git a/helm/haproxy-operator/Chart.yaml b/helm/haproxy-operator/Chart.yaml
new file mode 100644
index 0000000..9b9802c
--- /dev/null
+++ b/helm/haproxy-operator/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: haprox-operator
+version: 1.0.0
+appVersion: v1.0.0
+description: Install HAProxy Operator
+sources:
+ - https://github.com/six-group/haproxy-operator
+maintainers:
+ - name: snorwin
+ - name: m-terra
\ No newline at end of file
diff --git a/helm/haproxy-operator/crds/config.haproxy.com_backends.yaml b/helm/haproxy-operator/crds/config.haproxy.com_backends.yaml
new file mode 100644
index 0000000..015b4b1
--- /dev/null
+++ b/helm/haproxy-operator/crds/config.haproxy.com_backends.yaml
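Review bot: The checkout step in the new release-helm-chart job uses the default shallow clone, but helm/chart-releaser-action decides which charts to package by looking at existing tags and history, and its README pairs it with a full fetch; add `with:` / `fetch-depth: 0` under the `actions/checkout@v4` step (worth confirming against the v1.6.0 docs). The three actions are pinned to mutable tags (`@v4`, `@v3`, `@v1.6.0`) in a job that holds `contents: write` and passes `GITHUB_TOKEN` as `CR_TOKEN`; pinning each to a full commit SHA with the tag noted in a trailing comment keeps a moved tag from running unreviewed code with that permission. The workflow's trigger is outside the hunk, so whether this job is restricted to tag pushes or the default branch cannot be confirmed here. The file also ends without a trailing newline.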
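Review bot: `name: haprox-operator` in Chart.yaml appears to be a typo — the chart directory, the `sources` URL and the lint step in test.yml all use `haproxy-operator`, and as far as I recall Helm's lint rules flag a mismatch between directory name and chart name, which the `helm lint --strict` step would then turn into a failure; chart-releaser would also publish and index the chart under the misspelled name. Change it to `name: haproxy-operator`. The file also ends without a trailing newline.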
@@ -0,0 +1,1610 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: backends.config.haproxy.com +spec: + group: config.haproxy.com + names: + kind: Backend + listKind: BackendList + plural: backends + singular: backend + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.mode + name: Mode + type: string + - jsonPath: .status.phase + name: Phase + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Backend is the Schema for the backend API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BackendSpec defines the desired state of Backend + properties: + acl: + description: ACL (Access Control Lists) provides a flexible solution + to perform content switching and generally to take decisions based + on content extracted from the request, the response or any environmental + status + items: + properties: + criterion: + description: Criterion is the name of a sample fetch method, + or one of its ACL specific declinations. + pattern: ^[^\s]+$ + type: string + name: + description: Name + pattern: ^[^\s]+$ + type: string + values: + description: Values are of the type supported by the criterion. 
+ items: + type: string + type: array + required: + - criterion + - name + - values + type: object + type: array + balance: + description: Balance defines the load balancing algorithm to be used + in a backend. + properties: + algorithm: + description: Algorithm is the algorithm used to select a server + when doing load balancing. This only applies when no persistence + information is available, or when a connection is redispatched + to another server. + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - hdr + - random + - rdp-cookie + type: string + required: + - algorithm + type: object + checkTimeout: + description: CheckTimeout sets an additional check timeout, but only + after a connection has been already established. + type: string + cookie: + description: Cookie enables cookie-based persistence in a backend. + properties: + attribute: + description: Attribute add an extra attribute when a cookie is + inserted. + items: + type: string + type: array + domain: + description: Domain specify the domain at which a cookie is inserted. + You can specify several domain names by invoking this option + multiple times. + items: + type: string + type: array + dynamic: + description: Dynamic activates dynamic cookies, when used, a session + cookie is dynamically created for each server, based on the + IP and port of the server, and a secret key. + type: boolean + httpOnly: + description: HTTPOnly add an "HttpOnly" cookie attribute when + a cookie is inserted. It doesn't share the cookie with non-HTTP + components. + type: boolean + indirect: + description: Indirect no cookie will be emitted to a client which + already has a valid one for the server which has processed the + request. + type: boolean + maxIdle: + description: MaxIdle cookies are ignored after some idle time. + format: int64 + type: integer + maxLife: + description: MaxLife cookies are ignored after some life time. 
+ format: int64 + type: integer + mode: + description: Mode could be 'rewrite', 'insert', 'prefix'. Select + one. + properties: + insert: + description: Insert cookie will have to be inserted by haproxy + in server responses. + type: boolean + prefix: + description: Prefix is needed in some specific environments + where the client does not support more than one single cookie + and the application already needs it. + type: boolean + rewrite: + description: Rewrite the cookie will be provided by the server. + type: boolean + required: + - insert + - prefix + - rewrite + type: object + name: + description: Name of the cookie which will be monitored, modified + or inserted in order to bring persistence. + type: string + noCache: + description: NoCache recommended in conjunction with the insert + mode when there is a cache between the client and HAProx + type: boolean + postOnly: + description: PostOnly ensures that cookie insertion will only + be performed on responses to POST requests. + type: boolean + preserve: + description: Preserve only be used with "insert" and/or "indirect". + It allows the server to emit the persistence cookie itself. + type: boolean + secure: + description: Secure add a "Secure" cookie attribute when a cookie + is inserted. The user agent never emits this cookie over non-secure + channels. The cookie will be presented only over SSL/TLS connections. + type: boolean + type: object + errorFiles: + description: ErrorFiles custom error files to be used + items: + properties: + code: + description: Code is the HTTP status code. + enum: + - 200 + - 400 + - 401 + - 403 + - 404 + - 405 + - 407 + - 408 + - 410 + - 413 + - 425 + - 429 + - 500 + - 501 + - 502 + - 503 + - 504 + format: int64 + type: integer + file: + description: File designates a file containing the full HTTP + response. + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of a ConfigMap. 
+ properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + required: + - code + - file + type: object + type: array + forwardFor: + description: Forwardfor enable insertion of the X-Forwarded-For header + to requests sent to servers + properties: + enabled: + type: boolean + except: + description: 'Pattern: ^[^\s]+$' + type: string + header: + description: 'Pattern: ^[^\s]+$' + type: string + ifnone: + type: boolean + required: + - enabled + type: object + hashType: + description: HashType specifies a method to use for mapping hashes + to servers + properties: + function: + enum: + - sdbm + - djb2 + - wt6 + - crc32 + type: string + method: + enum: + - map-based + - consistent + type: string + modifier: + enum: + - avalanche + type: string + type: object + hostCertificate: + description: HostCertificate specifies a certificate for that host + used in the crt-list of a frontend + properties: + alpn: + description: Alpn enables the TLS ALPN extension and advertises + the specified protocol list as supported on top of ALPN. + items: + type: string + type: array + certificate: + description: Certificate that will be presented to clients who + provide a valid TLSServerNameIndication field matching the SNIFilter. + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + sniFilter: + description: SNIFilter specifies the filter for the SSL Certificate. Wildcards + are supported in the SNIFilter. Negative filter are also supported. + type: string + required: + - certificate + - sniFilter + type: object + hostRegex: + description: HostRegex specifies a regular expression used for backend + switching rules. + type: string + httpPretendKeepalive: + description: HTTPPretendKeepalive will keep the connection alive. + It is recommended not to enable this option by default. + type: boolean + httpRequest: + description: HTTPRequest rules define a set of rules which apply to + layer 7 processing. + properties: + addHeader: + description: AddHeader appends HTTP header fields + items: + properties: + condition: + description: Condition is a condition composed of ACLs. 
+ type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + name: + description: Name specifies the header name + type: string + value: + description: Value specifies the header value + properties: + env: + description: Env variable with the header value + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are + expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, the + reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' 
+ properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the + pod's namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + format: + description: Format specifies the format of the header + value (implicit default is '%s') + type: string + str: + description: Str with the header value + type: string + type: object + required: + - name + - value + type: object + type: array + deny: + description: Deny stops the evaluation of the rules and immediately + rejects the request and emits an HTTP 403 error. Optionally + the status code specified as an argument to deny_status. + properties: + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + enabled: + description: Enabled enables deny http request + type: boolean + required: + - enabled + type: object + denyStatus: + description: DenyStatus is the HTTP status code. + format: int64 + maximum: 599 + minimum: 200 + type: integer + redirect: + description: Redirect performs an HTTP redirection based on a + redirect rule. + items: + properties: + code: + description: Code indicates which type of HTTP redirection + is desired. + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + format: int64 + type: integer + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + option: + description: Value to redirect + properties: + ClearCookie: + description: ClearCookie is to instruct the browser + to delete the cookie. It will be added with NAME (and + optionally "="). 
To add "=" type any string in the + value field + properties: + name: + description: Name + type: string + value: + description: Value + type: string + type: object + SetCookie: + description: SetCookie adds header to the redirection. + It will be added with NAME (and optionally "=value") + properties: + name: + description: Name + type: string + value: + description: Value + type: string + type: object + appendSlash: + description: AppendSlash adds a / character at the end + of the URL. + type: boolean + dropQuery: + description: DropQuery removes the query string from + the original URL when performing the concatenation. + type: boolean + type: object + type: + description: Type selects a mode and value to redirect + properties: + insert: + description: Prefix adds a prefix to the URL's location. + type: boolean + location: + description: Location replaces the entire location of + a URL. + type: boolean + prefix: + description: Scheme redirects to a different scheme. + type: boolean + type: object + value: + description: Value to redirect + type: string + type: object + type: array + return: + description: Return stops the evaluation of the rules and immediately + returns a response. + properties: + content: + description: Content is a full HTTP response specifying the + errorfile to use, or the response payload specifying the + file or the string to use. + properties: + format: + description: ContentFormat defines the format of the Content. + Can be one an errorfile or a string. + enum: + - default-errorfile + - errorfile + - errorfiles + - file + - lf-file + - string + - lf-string + type: string + type: + description: Type specifies the content-type of the HTTP + REsponse. + type: string + value: + description: Value specifying the file or the string to + use. + type: string + required: + - format + - type + - value + type: object + status: + default: 200 + description: Status can be optionally specified, the default + status code used for the response is 200. 
+ format: int64 + type: integer + required: + - content + type: object + setHeader: + description: SetHeader sets HTTP header fields + items: + properties: + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + name: + description: Name specifies the header name + type: string + value: + description: Value specifies the header value + properties: + env: + description: Env variable with the header value + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are + expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, the + reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the + pod's namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + format: + description: Format specifies the format of the header + value (implicit default is '%s') + type: string + str: + description: Str with the header value + type: string + type: object + required: + - name + - value + type: object + type: array + setPath: + description: SetPath sets request path + items: + properties: + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + format: + description: Value specifies the path value + type: string + type: object + type: array + type: object + mode: + default: http + description: Mode can be either 'tcp' or 'http'. In TCP mode it is + a layer 4 proxy. In HTTP mode it is a layer 7 proxy. + enum: + - http + - tcp + type: string + redispatch: + description: Redispatch enable or disable session redistribution in + case of connection failure + type: boolean + serverTemplates: + description: ServerTemplates defines the backend server templates + and its configuration. + items: + properties: + SendProxyV2: + description: SendProxyV2 preparing new update. + properties: + v1: + description: V1 parameter enforces use of the PROXY protocol + version 1. + type: boolean + v2: + description: V2 parameter enforces use of the PROXY protocol + version 2. + properties: + enabled: + description: Enabled enables the PROXY protocol version + 2. + type: boolean + options: + description: Options is a list of options to add to + the PROXY protocol header. 
+ properties: + authority: + description: Authority is the host name value passed + by the client (only SNI from a TLS) + type: boolean + certCn: + description: CertCn is equivalent to use V2SSLCN. + type: boolean + certKey: + description: CertKey is the key algorithm of the + used certificate. + type: boolean + certSig: + description: CertSig is the signature algorithm + of the used certificate. + type: boolean + crc32C: + description: Crc32c is the checksum of the PROXYv2 + header. + type: boolean + ssl: + description: Ssl is equivalent to use V2SSL. + type: boolean + sslCipher: + description: SslCipher is the name of the used cipher. + type: boolean + uniqueID: + description: UniqueId sends a unique ID generated + using the frontend's "unique-id-format" within + the PROXYv2 header. This unique-id is primarily + meant for "mode tcp". It can lead to unexpected + results in "mode http". + type: boolean + type: object + type: object + v2SSL: + description: V2SSL parameter add the SSL information extension + of the PROXY protocol to the PROXY protocol header. + type: boolean + v2SSLCN: + description: V2SSLCN parameter add the SSL information extension + of the PROXY protocol to the PROXY protocol header and + he SSL information extension along with the Common Name + from the subject of the client certificate (if any), is + added to the PROXY protocol header. + type: boolean + type: object + check: + description: Check configures the health checks of the server. + properties: + enabled: + description: Enable enables health checks on a server. If + not set, no health checking is performed, and the server + is always considered available. + type: boolean + fall: + description: Fall specifies the number of consecutive unsuccessful + health checks after a server will be considered as dead. + This value defaults to 3 if unspecified. + format: int64 + type: integer + inter: + description: Inter sets the interval between two consecutive + health checks. 
If left unspecified, the delay defaults + to 2000 ms. + type: string + rise: + description: Rise specifies the number of consecutive successful + health checks after a server will be considered as operational. + This value defaults to 2 if unspecified. + format: int64 + type: integer + required: + - enabled + type: object + cookie: + description: Cookie sets the cookie value assigned to the server. + type: boolean + fqdn: + description: FQDN for all the servers this template initializes. + type: string + initAddr: + description: InitAddr indicates in what order the server address + should be resolved upon startup if it uses an FQDN. Attempts + are made to resolve the address by applying in turn each of + the methods mentioned in the comma-delimited list. The first + method which succeeds is used. + type: string + num: + description: Num is the max number of servers as server name + suffixes this template initializes. + format: int64 + type: integer + numMin: + description: NumMin is the min number of servers as server name + suffixes this template initializes. + format: int64 + type: integer + port: + description: Port + format: int64 + maximum: 65535 + minimum: 1 + type: integer + prefix: + description: Prefix for the server names to be built. + pattern: ^[^\s]+$ + type: string + resolvers: + description: Resolvers points to an existing resolvers to resolve + current server hostname. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sendProxy: + description: SendProxy enforces use of the PROXY protocol over + any connection established to this server. 
The PROXY protocol + informs the other end about the layer 3/4 addresses of the + incoming connection, so that it can know the client address + or the public address it accessed to, whatever the upper layer + protocol. + type: boolean + ssl: + description: SSL configures OpenSSL + properties: + alpn: + description: Alpn enables the TLS ALPN extension and advertises + the specified protocol list as supported on top of ALPN. + items: + type: string + type: array + caCertificate: + description: CACertificate configures the CACertificate + used for the Server or Bind client certificate + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + certificate: + description: Certificate configures a PEM based Certificate + file containing both the required certificates and any + associated private keys. + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + enabled: + description: Enabled enables SSL deciphering on connections + instantiated from this listener. A certificate is necessary. + All contents in the buffers will appear in clear text, + so that ACLs and HTTP processing will only have access + to deciphered contents. 
SSLv3 is disabled per default, + set MinVersion to SSLv3 to enable it. + type: boolean + minVersion: + description: MinVersion enforces use of the specified version + or upper on SSL connections instantiated from this listener. + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + type: string + sni: + description: SNI parameter evaluates the sample fetch expression, + converts it to a string and uses the result as the host + name sent in the SNI TLS extension to the server. + type: string + verify: + description: Verify is only available when support for OpenSSL + was built in. If set to 'none', client certificate is + not requested. This is the default. In other cases, a + client certificate is requested. If the client does not + provide a certificate after the request and if 'Verify' + is set to 'required', then the handshake is aborted, while + it would have succeeded if set to 'optional'. The verification + of the certificate provided by the client using CAs from + CACertificate. On verify failure the handshake abortes, + regardless of the 'verify' option. + enum: + - none + - optional + - required + type: string + required: + - enabled + type: object + verifyHost: + description: VerifyHost is only available when support for OpenSSL + was built in, and only takes effect if pec.ssl.verify' is + set to 'required'. This directive sets a default static hostname + to check the server certificate against when no SNI was used + to connect to the server. + type: string + weight: + description: Weight parameter is used to adjust the server weight + relative to other servers. All servers will receive a load + proportional to their weight relative to the sum of all weights. + format: int64 + maximum: 256 + minimum: 0 + type: integer + required: + - fqdn + - num + - port + - prefix + type: object + type: array + servers: + description: Servers defines the backend servers and its configuration. 
+ items: + properties: + SendProxyV2: + description: SendProxyV2 preparing new update. + properties: + v1: + description: V1 parameter enforces use of the PROXY protocol + version 1. + type: boolean + v2: + description: V2 parameter enforces use of the PROXY protocol + version 2. + properties: + enabled: + description: Enabled enables the PROXY protocol version + 2. + type: boolean + options: + description: Options is a list of options to add to + the PROXY protocol header. + properties: + authority: + description: Authority is the host name value passed + by the client (only SNI from a TLS) + type: boolean + certCn: + description: CertCn is equivalent to use V2SSLCN. + type: boolean + certKey: + description: CertKey is the key algorithm of the + used certificate. + type: boolean + certSig: + description: CertSig is the signature algorithm + of the used certificate. + type: boolean + crc32C: + description: Crc32c is the checksum of the PROXYv2 + header. + type: boolean + ssl: + description: Ssl is equivalent to use V2SSL. + type: boolean + sslCipher: + description: SslCipher is the name of the used cipher. + type: boolean + uniqueID: + description: UniqueId sends a unique ID generated + using the frontend's "unique-id-format" within + the PROXYv2 header. This unique-id is primarily + meant for "mode tcp". It can lead to unexpected + results in "mode http". + type: boolean + type: object + type: object + v2SSL: + description: V2SSL parameter add the SSL information extension + of the PROXY protocol to the PROXY protocol header. + type: boolean + v2SSLCN: + description: V2SSLCN parameter add the SSL information extension + of the PROXY protocol to the PROXY protocol header and + he SSL information extension along with the Common Name + from the subject of the client certificate (if any), is + added to the PROXY protocol header. + type: boolean + type: object + address: + description: Address can be a host name, an IPv4 address, an + IPv6 address. 
+ pattern: ^[^\s]+$ + type: string + check: + description: Check configures the health checks of the server. + properties: + enabled: + description: Enable enables health checks on a server. If + not set, no health checking is performed, and the server + is always considered available. + type: boolean + fall: + description: Fall specifies the number of consecutive unsuccessful + health checks after a server will be considered as dead. + This value defaults to 3 if unspecified. + format: int64 + type: integer + inter: + description: Inter sets the interval between two consecutive + health checks. If left unspecified, the delay defaults + to 2000 ms. + type: string + rise: + description: Rise specifies the number of consecutive successful + health checks after a server will be considered as operational. + This value defaults to 2 if unspecified. + format: int64 + type: integer + required: + - enabled + type: object + cookie: + description: Cookie sets the cookie value assigned to the server. + type: boolean + initAddr: + description: InitAddr indicates in what order the server address + should be resolved upon startup if it uses an FQDN. Attempts + are made to resolve the address by applying in turn each of + the methods mentioned in the comma-delimited list. The first + method which succeeds is used. + type: string + name: + description: Name of the server. + type: string + port: + description: Port + format: int64 + maximum: 65535 + minimum: 1 + type: integer + resolvers: + description: Resolvers points to an existing resolvers to resolve + current server hostname. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sendProxy: + description: SendProxy enforces use of the PROXY protocol over + any connection established to this server. 
The PROXY protocol + informs the other end about the layer 3/4 addresses of the + incoming connection, so that it can know the client address + or the public address it accessed to, whatever the upper layer + protocol. + type: boolean + ssl: + description: SSL configures OpenSSL + properties: + alpn: + description: Alpn enables the TLS ALPN extension and advertises + the specified protocol list as supported on top of ALPN. + items: + type: string + type: array + caCertificate: + description: CACertificate configures the CACertificate + used for the Server or Bind client certificate + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + certificate: + description: Certificate configures a PEM based Certificate + file containing both the required certificates and any + associated private keys. + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + enabled: + description: Enabled enables SSL deciphering on connections + instantiated from this listener. A certificate is necessary. + All contents in the buffers will appear in clear text, + so that ACLs and HTTP processing will only have access + to deciphered contents. 
SSLv3 is disabled per default, + set MinVersion to SSLv3 to enable it. + type: boolean + minVersion: + description: MinVersion enforces use of the specified version + or upper on SSL connections instantiated from this listener. + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + type: string + sni: + description: SNI parameter evaluates the sample fetch expression, + converts it to a string and uses the result as the host + name sent in the SNI TLS extension to the server. + type: string + verify: + description: Verify is only available when support for OpenSSL + was built in. If set to 'none', client certificate is + not requested. This is the default. In other cases, a + client certificate is requested. If the client does not + provide a certificate after the request and if 'Verify' + is set to 'required', then the handshake is aborted, while + it would have succeeded if set to 'optional'. The verification + of the certificate provided by the client using CAs from + CACertificate. On verify failure the handshake abortes, + regardless of the 'verify' option. + enum: + - none + - optional + - required + type: string + required: + - enabled + type: object + verifyHost: + description: VerifyHost is only available when support for OpenSSL + was built in, and only takes effect if pec.ssl.verify' is + set to 'required'. This directive sets a default static hostname + to check the server certificate against when no SNI was used + to connect to the server. + type: string + weight: + description: Weight parameter is used to adjust the server weight + relative to other servers. All servers will receive a load + proportional to their weight relative to the sum of all weights. + format: int64 + maximum: 256 + minimum: 0 + type: integer + required: + - address + - name + - port + type: object + type: array + tcpRequest: + description: TCPRequest rules perform an action on an incoming connection + depending on a layer 4 condition. 
+ items: + properties: + action: + description: Action defines the action to perform if the condition + applies. + enum: + - accept + - capture + - do-resolve + - expect-netscaler-cip + - expect-proxy + - reject + - sc-inc-gpc0 + - sc-inc-gpc1 + - sc-set-gpt0 + - send-spoe-group + - set-dst-port + - set-dst + - set-priority + - set-src + - set-var + - silent-drop + - track-sc0 + - track-sc1 + - track-sc2 + - unset-var + - use-service + - lua + type: string + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + timeout: + description: Timeout sets timeout for the action + type: string + type: + description: Type specifies the type of the tcp-request rule. + enum: + - connection + - content + - inspect-delay + - session + type: string + required: + - type + type: object + type: array + timeouts: + additionalProperties: + type: string + description: 'Timeouts: check, connect, http-keep-alive, http-request, + queue, server, tunnel. The timeout value specified in milliseconds + by default, but can be in any other unit if the number is suffixed + by the unit. More info: https://cbonte.github.io/haproxy-dconv/2.6/configuration.html' + type: object + required: + - mode + type: object + status: + description: Status defines the observed state of an object + properties: + error: + description: Error shows the actual error message if Phase is 'Error'. + type: string + observedGeneration: + description: ObservedGeneration the generation observed by the controller. + format: int64 + type: integer + phase: + description: Phase is a simple, high-level summary of where the object + is in its lifecycle. + type: string + required: + - phase + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/helm/haproxy-operator/crds/config.haproxy.com_frontends.yaml b/helm/haproxy-operator/crds/config.haproxy.com_frontends.yaml new file mode 100644 index 0000000..7e6c3d2 --- /dev/null +++ b/helm/haproxy-operator/crds/config.haproxy.com_frontends.yaml 
@@ -0,0 +1,1188 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: frontends.config.haproxy.com +spec: + group: config.haproxy.com + names: + kind: Frontend + listKind: FrontendList + plural: frontends + singular: frontend + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.mode + name: Mode + type: string + - jsonPath: .status.phase + name: Phase + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Frontend is the Schema for the frontends API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FrontendSpec defines the desired state of Frontend + properties: + acl: + description: ACL (Access Control Lists) provides a flexible solution + to perform content switching and generally to take decisions based + on content extracted from the request, the response or any environmental + status + items: + properties: + criterion: + description: Criterion is the name of a sample fetch method, + or one of its ACL specific declinations. + pattern: ^[^\s]+$ + type: string + name: + description: Name + pattern: ^[^\s]+$ + type: string + values: + description: Values are of the type supported by the criterion. 
+ items: + type: string + type: array + required: + - criterion + - name + - values + type: object + type: array + backendSwitching: + description: BackendSwitching rules specify the specific backend used + if/unless an ACL-based condition is matched. + items: + properties: + backend: + description: Backend reference used to resolve the backend name. + properties: + name: + description: Name of a specific backend + type: string + regexMapping: + description: Mapping of multiple backends + properties: + name: + description: Name to identify the mapping + type: string + parameter: + default: base + description: 'Parameter which will be used for the mapping + (default: base)' + type: string + selector: + description: LabelSelector to select multiple backends + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". 
The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + - parameter + - selector + type: object + type: object + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + type: object + type: array + binds: + description: Binds defines the frontend listening addresses, ports + and its configuration. + items: + properties: + acceptProxy: + description: AcceptProxy enforces the use of the PROXY protocol + over any connection accepted by any of the sockets declared + on the same line. + type: boolean + address: + description: Address can be a host name, an IPv4 address, an + IPv6 address, or '*' (is equal to the special address "0.0.0.0"). + pattern: ^[^\s]+$ + type: string + hidden: + description: Hidden hides the bind and prevent exposing the + Bind in services or routes + type: boolean + name: + description: Name for these sockets, which will be reported + on the stats page. + type: string + port: + description: Port + format: int64 + maximum: 65535 + minimum: 1 + type: integer + portRangeEnd: + description: PortRangeEnd if set it must be greater than Port + format: int64 + maximum: 65535 + minimum: 1 + type: integer + ssl: + description: SSL configures OpenSSL + properties: + alpn: + description: Alpn enables the TLS ALPN extension and advertises + the specified protocol list as supported on top of ALPN. + items: + type: string + type: array + caCertificate: + description: CACertificate configures the CACertificate + used for the Server or Bind client certificate + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. 
+ type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + certificate: + description: Certificate configures a PEM based Certificate + file containing both the required certificates and any + associated private keys. + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + enabled: + description: Enabled enables SSL deciphering on connections + instantiated from this listener. A certificate is necessary. + All contents in the buffers will appear in clear text, + so that ACLs and HTTP processing will only have access + to deciphered contents. SSLv3 is disabled per default, + set MinVersion to SSLv3 to enable it. + type: boolean + minVersion: + description: MinVersion enforces use of the specified version + or upper on SSL connections instantiated from this listener. + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + type: string + sni: + description: SNI parameter evaluates the sample fetch expression, + converts it to a string and uses the result as the host + name sent in the SNI TLS extension to the server. + type: string + verify: + description: Verify is only available when support for OpenSSL + was built in. If set to 'none', client certificate is + not requested. This is the default. In other cases, a + client certificate is requested. 
If the client does not + provide a certificate after the request and if 'Verify' + is set to 'required', then the handshake is aborted, while + it would have succeeded if set to 'optional'. The verification + of the certificate provided by the client using CAs from + CACertificate. On verify failure the handshake abortes, + regardless of the 'verify' option. + enum: + - none + - optional + - required + type: string + required: + - enabled + type: object + sslCertificateList: + description: This setting is only available when support for + OpenSSL was built in. It designates a list of PEM file with + an optional ssl configuration and a SNI filter per certificate. + properties: + elements: + description: Elements is a list of SSL configuration and + a SNI filter per certificate. If backend switching based + on regex is used the host certificate + items: + properties: + alpn: + description: Alpn enables the TLS ALPN extension and + advertises the specified protocol list as supported + on top of ALPN. + items: + type: string + type: array + certificate: + description: Certificate that will be presented to + clients who provide a valid TLSServerNameIndication + field matching the SNIFilter. + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key + of a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key + of a secret in the pod namespace + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + sniFilter: + description: SNIFilter specifies the filter for the + SSL Certificate. Wildcards are supported in the + SNIFilter. Negative filter are also supported. + type: string + required: + - certificate + - sniFilter + type: object + type: array + name: + description: Name is the name of the certificate list + type: string + selector: + description: LabelSelector to select multiple backend certificates + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. 
If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + transparent: + description: Transparent is an optional keyword which is supported + only on certain Linux kernels. It indicates that the addresses + will be bound even if they do not belong to the local machine, + and that packets targeting any of these addresses will be + intercepted just as if the addresses were locally configured. + This normally requires that IP forwarding is enabled. Caution! + do not use this with the default address '*', as it would + redirect any traffic for the specified port. + type: boolean + required: + - name + - port + type: object + minItems: 1 + type: array + defaultBackend: + description: DefaultBackend to use when no 'use_backend' rule has + been matched. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + errorFiles: + description: ErrorFiles custom error files to be used + items: + properties: + code: + description: Code is the HTTP status code. 
+ enum: + - 200 + - 400 + - 401 + - 403 + - 404 + - 405 + - 407 + - 408 + - 410 + - 413 + - 425 + - 429 + - 500 + - 501 + - 502 + - 503 + - 504 + format: int64 + type: integer + file: + description: File designates a file containing the full HTTP + response. + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + required: + - code + - file + type: object + type: array + forwardFor: + description: Forwardfor enable insertion of the X-Forwarded-For header + to requests sent to servers + properties: + enabled: + type: boolean + except: + description: 'Pattern: ^[^\s]+$' + type: string + header: + description: 'Pattern: ^[^\s]+$' + type: string + ifnone: + type: boolean + required: + - enabled + type: object + httpPretendKeepalive: + description: HTTPPretendKeepalive will keep the connection alive. + It is recommended not to enable this option by default. + type: boolean + httpRequest: + description: HTTPRequest rules define a set of rules which apply to + layer 7 processing. + properties: + addHeader: + description: AddHeader appends HTTP header fields + items: + properties: + condition: + description: Condition is a condition composed of ACLs. 
+ type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + name: + description: Name specifies the header name + type: string + value: + description: Value specifies the header value + properties: + env: + description: Env variable with the header value + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are + expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, the + reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' 
+ properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the + pod's namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + format: + description: Format specifies the format of the header + value (implicit default is '%s') + type: string + str: + description: Str with the header value + type: string + type: object + required: + - name + - value + type: object + type: array + deny: + description: Deny stops the evaluation of the rules and immediately + rejects the request and emits an HTTP 403 error. Optionally + the status code specified as an argument to deny_status. + properties: + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + enabled: + description: Enabled enables deny http request + type: boolean + required: + - enabled + type: object + denyStatus: + description: DenyStatus is the HTTP status code. + format: int64 + maximum: 599 + minimum: 200 + type: integer + redirect: + description: Redirect performs an HTTP redirection based on a + redirect rule. + items: + properties: + code: + description: Code indicates which type of HTTP redirection + is desired. + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + format: int64 + type: integer + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + option: + description: Value to redirect + properties: + ClearCookie: + description: ClearCookie is to instruct the browser + to delete the cookie. It will be added with NAME (and + optionally "="). 
To add "=" type any string in the + value field + properties: + name: + description: Name + type: string + value: + description: Value + type: string + type: object + SetCookie: + description: SetCookie adds header to the redirection. + It will be added with NAME (and optionally "=value") + properties: + name: + description: Name + type: string + value: + description: Value + type: string + type: object + appendSlash: + description: AppendSlash adds a / character at the end + of the URL. + type: boolean + dropQuery: + description: DropQuery removes the query string from + the original URL when performing the concatenation. + type: boolean + type: object + type: + description: Type selects a mode and value to redirect + properties: + insert: + description: Prefix adds a prefix to the URL's location. + type: boolean + location: + description: Location replaces the entire location of + a URL. + type: boolean + prefix: + description: Scheme redirects to a different scheme. + type: boolean + type: object + value: + description: Value to redirect + type: string + type: object + type: array + return: + description: Return stops the evaluation of the rules and immediately + returns a response. + properties: + content: + description: Content is a full HTTP response specifying the + errorfile to use, or the response payload specifying the + file or the string to use. + properties: + format: + description: ContentFormat defines the format of the Content. + Can be one an errorfile or a string. + enum: + - default-errorfile + - errorfile + - errorfiles + - file + - lf-file + - string + - lf-string + type: string + type: + description: Type specifies the content-type of the HTTP + REsponse. + type: string + value: + description: Value specifying the file or the string to + use. + type: string + required: + - format + - type + - value + type: object + status: + default: 200 + description: Status can be optionally specified, the default + status code used for the response is 200. 
+ format: int64 + type: integer + required: + - content + type: object + setHeader: + description: SetHeader sets HTTP header fields + items: + properties: + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + name: + description: Name specifies the header name + type: string + value: + description: Value specifies the header value + properties: + env: + description: Env variable with the header value + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are + expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, the + reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the + pod's namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + format: + description: Format specifies the format of the header + value (implicit default is '%s') + type: string + str: + description: Str with the header value + type: string + type: object + required: + - name + - value + type: object + type: array + setPath: + description: SetPath sets request path + items: + properties: + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + format: + description: Value specifies the path value + type: string + type: object + type: array + type: object + mode: + default: http + description: Mode can be either 'tcp' or 'http'. In TCP mode it is + a layer 4 proxy. In HTTP mode it is a layer 7 proxy. + enum: + - http + - tcp + type: string + tcpRequest: + description: TCPRequest rules perform an action on an incoming connection + depending on a layer 4 condition. + items: + properties: + action: + description: Action defines the action to perform if the condition + applies. + enum: + - accept + - capture + - do-resolve + - expect-netscaler-cip + - expect-proxy + - reject + - sc-inc-gpc0 + - sc-inc-gpc1 + - sc-set-gpt0 + - send-spoe-group + - set-dst-port + - set-dst + - set-priority + - set-src + - set-var + - silent-drop + - track-sc0 + - track-sc1 + - track-sc2 + - unset-var + - use-service + - lua + type: string + condition: + description: Condition is a condition composed of ACLs. 
+ type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + timeout: + description: Timeout sets timeout for the action + type: string + type: + description: Type specifies the type of the tcp-request rule. + enum: + - connection + - content + - inspect-delay + - session + type: string + required: + - type + type: object + type: array + timeouts: + additionalProperties: + type: string + description: 'Timeouts: check, connect, http-keep-alive, http-request, + queue, server, tunnel. The timeout value specified in milliseconds + by default, but can be in any other unit if the number is suffixed + by the unit. More info: https://cbonte.github.io/haproxy-dconv/2.6/configuration.html' + type: object + required: + - binds + - defaultBackend + - mode + type: object + status: + description: Status defines the observed state of an object + properties: + error: + description: Error shows the actual error message if Phase is 'Error'. + type: string + observedGeneration: + description: ObservedGeneration the generation observed by the controller. + format: int64 + type: integer + phase: + description: Phase is a simple, high-level summary of where the object + is in its lifecycle. + type: string + required: + - phase + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/haproxy-operator/crds/config.haproxy.com_listens.yaml b/helm/haproxy-operator/crds/config.haproxy.com_listens.yaml new file mode 100644 index 0000000..2c4b4da --- /dev/null +++ b/helm/haproxy-operator/crds/config.haproxy.com_listens.yaml 
@@ -0,0 +1,1969 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: listens.config.haproxy.com +spec: + group: config.haproxy.com + names: + kind: Listen + listKind: ListenList + plural: listens + singular: listen + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.mode + name: Mode + type: string + - jsonPath: .status.phase + name: Phase + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Listen is the Schema for the frontends API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ListenSpec defines the desired state of Listen + properties: + acl: + description: ACL (Access Control Lists) provides a flexible solution + to perform content switching and generally to take decisions based + on content extracted from the request, the response or any environmental + status + items: + properties: + criterion: + description: Criterion is the name of a sample fetch method, + or one of its ACL specific declinations. + pattern: ^[^\s]+$ + type: string + name: + description: Name + pattern: ^[^\s]+$ + type: string + values: + description: Values are of the type supported by the criterion. 
+ items: + type: string + type: array + required: + - criterion + - name + - values + type: object + type: array + balance: + description: Balance defines the load balancing algorithm to be used + in a backend. + properties: + algorithm: + description: Algorithm is the algorithm used to select a server + when doing load balancing. This only applies when no persistence + information is available, or when a connection is redispatched + to another server. + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - hdr + - random + - rdp-cookie + type: string + required: + - algorithm + type: object + binds: + description: Binds defines the frontend listening addresses, ports + and its configuration. + items: + properties: + acceptProxy: + description: AcceptProxy enforces the use of the PROXY protocol + over any connection accepted by any of the sockets declared + on the same line. + type: boolean + address: + description: Address can be a host name, an IPv4 address, an + IPv6 address, or '*' (is equal to the special address "0.0.0.0"). + pattern: ^[^\s]+$ + type: string + hidden: + description: Hidden hides the bind and prevent exposing the + Bind in services or routes + type: boolean + name: + description: Name for these sockets, which will be reported + on the stats page. + type: string + port: + description: Port + format: int64 + maximum: 65535 + minimum: 1 + type: integer + portRangeEnd: + description: PortRangeEnd if set it must be greater than Port + format: int64 + maximum: 65535 + minimum: 1 + type: integer + ssl: + description: SSL configures OpenSSL + properties: + alpn: + description: Alpn enables the TLS ALPN extension and advertises + the specified protocol list as supported on top of ALPN. 
+ items: + type: string + type: array + caCertificate: + description: CACertificate configures the CACertificate + used for the Server or Bind client certificate + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + certificate: + description: Certificate configures a PEM based Certificate + file containing both the required certificates and any + associated private keys. + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + enabled: + description: Enabled enables SSL deciphering on connections + instantiated from this listener. A certificate is necessary. + All contents in the buffers will appear in clear text, + so that ACLs and HTTP processing will only have access + to deciphered contents. SSLv3 is disabled per default, + set MinVersion to SSLv3 to enable it. + type: boolean + minVersion: + description: MinVersion enforces use of the specified version + or upper on SSL connections instantiated from this listener. + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + type: string + sni: + description: SNI parameter evaluates the sample fetch expression, + converts it to a string and uses the result as the host + name sent in the SNI TLS extension to the server. + type: string + verify: + description: Verify is only available when support for OpenSSL + was built in. If set to 'none', client certificate is + not requested. This is the default. In other cases, a + client certificate is requested. 
If the client does not + provide a certificate after the request and if 'Verify' + is set to 'required', then the handshake is aborted, while + it would have succeeded if set to 'optional'. The verification + of the certificate provided by the client using CAs from + CACertificate. On verify failure the handshake abortes, + regardless of the 'verify' option. + enum: + - none + - optional + - required + type: string + required: + - enabled + type: object + sslCertificateList: + description: This setting is only available when support for + OpenSSL was built in. It designates a list of PEM file with + an optional ssl configuration and a SNI filter per certificate. + properties: + elements: + description: Elements is a list of SSL configuration and + a SNI filter per certificate. If backend switching based + on regex is used the host certificate + items: + properties: + alpn: + description: Alpn enables the TLS ALPN extension and + advertises the specified protocol list as supported + on top of ALPN. + items: + type: string + type: array + certificate: + description: Certificate that will be presented to + clients who provide a valid TLSServerNameIndication + field matching the SNIFilter. + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key + of a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key + of a secret in the pod namespace + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + sniFilter: + description: SNIFilter specifies the filter for the + SSL Certificate. Wildcards are supported in the + SNIFilter. Negative filter are also supported. + type: string + required: + - certificate + - sniFilter + type: object + type: array + name: + description: Name is the name of the certificate list + type: string + selector: + description: LabelSelector to select multiple backend certificates + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. 
If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + transparent: + description: Transparent is an optional keyword which is supported + only on certain Linux kernels. It indicates that the addresses + will be bound even if they do not belong to the local machine, + and that packets targeting any of these addresses will be + intercepted just as if the addresses were locally configured. + This normally requires that IP forwarding is enabled. Caution! + do not use this with the default address '*', as it would + redirect any traffic for the specified port. + type: boolean + required: + - name + - port + type: object + minItems: 1 + type: array + checkTimeout: + description: CheckTimeout sets an additional check timeout, but only + after a connection has been already established. + type: string + cookie: + description: Cookie enables cookie-based persistence in a backend. + properties: + attribute: + description: Attribute add an extra attribute when a cookie is + inserted. + items: + type: string + type: array + domain: + description: Domain specify the domain at which a cookie is inserted. + You can specify several domain names by invoking this option + multiple times. 
+ items: + type: string + type: array + dynamic: + description: Dynamic activates dynamic cookies, when used, a session + cookie is dynamically created for each server, based on the + IP and port of the server, and a secret key. + type: boolean + httpOnly: + description: HTTPOnly add an "HttpOnly" cookie attribute when + a cookie is inserted. It doesn't share the cookie with non-HTTP + components. + type: boolean + indirect: + description: Indirect no cookie will be emitted to a client which + already has a valid one for the server which has processed the + request. + type: boolean + maxIdle: + description: MaxIdle cookies are ignored after some idle time. + format: int64 + type: integer + maxLife: + description: MaxLife cookies are ignored after some life time. + format: int64 + type: integer + mode: + description: Mode could be 'rewrite', 'insert', 'prefix'. Select + one. + properties: + insert: + description: Insert cookie will have to be inserted by haproxy + in server responses. + type: boolean + prefix: + description: Prefix is needed in some specific environments + where the client does not support more than one single cookie + and the application already needs it. + type: boolean + rewrite: + description: Rewrite the cookie will be provided by the server. + type: boolean + required: + - insert + - prefix + - rewrite + type: object + name: + description: Name of the cookie which will be monitored, modified + or inserted in order to bring persistence. + type: string + noCache: + description: NoCache recommended in conjunction with the insert + mode when there is a cache between the client and HAProx + type: boolean + postOnly: + description: PostOnly ensures that cookie insertion will only + be performed on responses to POST requests. + type: boolean + preserve: + description: Preserve only be used with "insert" and/or "indirect". + It allows the server to emit the persistence cookie itself. 
+ type: boolean + secure: + description: Secure add a "Secure" cookie attribute when a cookie + is inserted. The user agent never emits this cookie over non-secure + channels. The cookie will be presented only over SSL/TLS connections. + type: boolean + type: object + errorFiles: + description: ErrorFiles custom error files to be used + items: + properties: + code: + description: Code is the HTTP status code. + enum: + - 200 + - 400 + - 401 + - 403 + - 404 + - 405 + - 407 + - 408 + - 410 + - 413 + - 425 + - 429 + - 500 + - 501 + - 502 + - 503 + - 504 + format: int64 + type: integer + file: + description: File designates a file containing the full HTTP + response. + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + required: + - code + - file + type: object + type: array + forwardFor: + description: Forwardfor enable insertion of the X-Forwarded-For header + to requests sent to servers + properties: + enabled: + type: boolean + except: + description: 'Pattern: ^[^\s]+$' + type: string + header: + description: 'Pattern: ^[^\s]+$' + type: string + ifnone: + type: boolean + required: + - enabled + type: object + hashType: + description: HashType Specify a method to use for mapping hashes to + servers + properties: + function: + enum: + - sdbm + - djb2 + - wt6 + - crc32 + type: string + method: + enum: + - map-based + - consistent + type: string + modifier: + enum: + - avalanche + type: string + type: object + hostCertificate: + description: HostCertificate specifies a certificate for that host + used in the crt-list of a frontend + properties: + alpn: + description: Alpn enables the TLS ALPN extension and advertises + the specified protocol list as supported on top of ALPN. + items: + type: string + type: array + certificate: + description: Certificate that will be presented to clients who + provide a valid TLSServerNameIndication field matching the SNIFilter. + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + sniFilter: + description: SNIFilter specifies the filter for the SSL Certificate. Wildcards + are supported in the SNIFilter. Negative filter are also supported. + type: string + required: + - certificate + - sniFilter + type: object + httpPretendKeepalive: + description: HTTPPretendKeepalive will keep the connection alive. + It is recommended not to enable this option by default. + type: boolean + httpRequest: + description: HTTPRequest rules define a set of rules which apply to + layer 7 processing. + properties: + addHeader: + description: AddHeader appends HTTP header fields + items: + properties: + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + name: + description: Name specifies the header name + type: string + value: + description: Value specifies the header value + properties: + env: + description: Env variable with the header value + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. 
+ type: string + value: + description: 'Variable references $(VAR_NAME) are + expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, the + reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the + pod's namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + format: + description: Format specifies the format of the header + value (implicit default is '%s') + type: string + str: + description: Str with the header value + type: string + type: object + required: + - name + - value + type: object + type: array + deny: + description: Deny stops the evaluation of the rules and immediately + rejects the request and emits an HTTP 403 error. 
Optionally + the status code specified as an argument to deny_status. + properties: + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + enabled: + description: Enabled enables deny http request + type: boolean + required: + - enabled + type: object + denyStatus: + description: DenyStatus is the HTTP status code. + format: int64 + maximum: 599 + minimum: 200 + type: integer + redirect: + description: Redirect performs an HTTP redirection based on a + redirect rule. + items: + properties: + code: + description: Code indicates which type of HTTP redirection + is desired. + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + format: int64 + type: integer + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + option: + description: Value to redirect + properties: + ClearCookie: + description: ClearCookie is to instruct the browser + to delete the cookie. It will be added with NAME (and + optionally "="). To add "=" type any string in the + value field + properties: + name: + description: Name + type: string + value: + description: Value + type: string + type: object + SetCookie: + description: SetCookie adds header to the redirection. + It will be added with NAME (and optionally "=value") + properties: + name: + description: Name + type: string + value: + description: Value + type: string + type: object + appendSlash: + description: AppendSlash adds a / character at the end + of the URL. + type: boolean + dropQuery: + description: DropQuery removes the query string from + the original URL when performing the concatenation. 
+ type: boolean + type: object + type: + description: Type selects a mode and value to redirect + properties: + insert: + description: Prefix adds a prefix to the URL's location. + type: boolean + location: + description: Location replaces the entire location of + a URL. + type: boolean + prefix: + description: Scheme redirects to a different scheme. + type: boolean + type: object + value: + description: Value to redirect + type: string + type: object + type: array + return: + description: Return stops the evaluation of the rules and immediately + returns a response. + properties: + content: + description: Content is a full HTTP response specifying the + errorfile to use, or the response payload specifying the + file or the string to use. + properties: + format: + description: ContentFormat defines the format of the Content. + Can be one an errorfile or a string. + enum: + - default-errorfile + - errorfile + - errorfiles + - file + - lf-file + - string + - lf-string + type: string + type: + description: Type specifies the content-type of the HTTP + REsponse. + type: string + value: + description: Value specifying the file or the string to + use. + type: string + required: + - format + - type + - value + type: object + status: + default: 200 + description: Status can be optionally specified, the default + status code used for the response is 200. + format: int64 + type: integer + required: + - content + type: object + setHeader: + description: SetHeader sets HTTP header fields + items: + properties: + condition: + description: Condition is a condition composed of ACLs. 
+ type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + name: + description: Name specifies the header name + type: string + value: + description: Value specifies the header value + properties: + env: + description: Env variable with the header value + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are + expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, the + reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' 
+ properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the + pod's namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + format: + description: Format specifies the format of the header + value (implicit default is '%s') + type: string + str: + description: Str with the header value + type: string + type: object + required: + - name + - value + type: object + type: array + setPath: + description: SetPath sets request path + items: + properties: + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + format: + description: Value specifies the path value + type: string + type: object + type: array + type: object + mode: + default: http + description: Mode can be either 'tcp' or 'http'. In TCP mode it is + a layer 4 proxy. In HTTP mode it is a layer 7 proxy. + enum: + - http + - tcp + type: string + redispatch: + description: Redispatch enable or disable session redistribution in + case of connection failure + type: boolean + serverTemplates: + description: ServerTemplates defines the backend server templates + and its configuration. + items: + properties: + SendProxyV2: + description: SendProxyV2 preparing new update. + properties: + v1: + description: V1 parameter enforces use of the PROXY protocol + version 1. + type: boolean + v2: + description: V2 parameter enforces use of the PROXY protocol + version 2. + properties: + enabled: + description: Enabled enables the PROXY protocol version + 2. + type: boolean + options: + description: Options is a list of options to add to + the PROXY protocol header. 
+ properties: + authority: + description: Authority is the host name value passed + by the client (only SNI from a TLS) + type: boolean + certCn: + description: CertCn is equivalent to use V2SSLCN. + type: boolean + certKey: + description: CertKey is the key algorithm of the + used certificate. + type: boolean + certSig: + description: CertSig is the signature algorithm + of the used certificate. + type: boolean + crc32C: + description: Crc32c is the checksum of the PROXYv2 + header. + type: boolean + ssl: + description: Ssl is equivalent to use V2SSL. + type: boolean + sslCipher: + description: SslCipher is the name of the used cipher. + type: boolean + uniqueID: + description: UniqueId sends a unique ID generated + using the frontend's "unique-id-format" within + the PROXYv2 header. This unique-id is primarily + meant for "mode tcp". It can lead to unexpected + results in "mode http". + type: boolean + type: object + type: object + v2SSL: + description: V2SSL parameter add the SSL information extension + of the PROXY protocol to the PROXY protocol header. + type: boolean + v2SSLCN: + description: V2SSLCN parameter add the SSL information extension + of the PROXY protocol to the PROXY protocol header and + he SSL information extension along with the Common Name + from the subject of the client certificate (if any), is + added to the PROXY protocol header. + type: boolean + type: object + check: + description: Check configures the health checks of the server. + properties: + enabled: + description: Enable enables health checks on a server. If + not set, no health checking is performed, and the server + is always considered available. + type: boolean + fall: + description: Fall specifies the number of consecutive unsuccessful + health checks after a server will be considered as dead. + This value defaults to 3 if unspecified. + format: int64 + type: integer + inter: + description: Inter sets the interval between two consecutive + health checks. 
If left unspecified, the delay defaults + to 2000 ms. + type: string + rise: + description: Rise specifies the number of consecutive successful + health checks after a server will be considered as operational. + This value defaults to 2 if unspecified. + format: int64 + type: integer + required: + - enabled + type: object + cookie: + description: Cookie sets the cookie value assigned to the server. + type: boolean + fqdn: + description: FQDN for all the servers this template initializes. + type: string + initAddr: + description: InitAddr indicates in what order the server address + should be resolved upon startup if it uses an FQDN. Attempts + are made to resolve the address by applying in turn each of + the methods mentioned in the comma-delimited list. The first + method which succeeds is used. + type: string + num: + description: Num is the max number of servers as server name + suffixes this template initializes. + format: int64 + type: integer + numMin: + description: NumMin is the min number of servers as server name + suffixes this template initializes. + format: int64 + type: integer + port: + description: Port + format: int64 + maximum: 65535 + minimum: 1 + type: integer + prefix: + description: Prefix for the server names to be built. + pattern: ^[^\s]+$ + type: string + resolvers: + description: Resolvers points to an existing resolvers to resolve + current server hostname. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sendProxy: + description: SendProxy enforces use of the PROXY protocol over + any connection established to this server. 
The PROXY protocol + informs the other end about the layer 3/4 addresses of the + incoming connection, so that it can know the client address + or the public address it accessed to, whatever the upper layer + protocol. + type: boolean + ssl: + description: SSL configures OpenSSL + properties: + alpn: + description: Alpn enables the TLS ALPN extension and advertises + the specified protocol list as supported on top of ALPN. + items: + type: string + type: array + caCertificate: + description: CACertificate configures the CACertificate + used for the Server or Bind client certificate + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + certificate: + description: Certificate configures a PEM based Certificate + file containing both the required certificates and any + associated private keys. + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + enabled: + description: Enabled enables SSL deciphering on connections + instantiated from this listener. A certificate is necessary. + All contents in the buffers will appear in clear text, + so that ACLs and HTTP processing will only have access + to deciphered contents. 
SSLv3 is disabled per default, + set MinVersion to SSLv3 to enable it. + type: boolean + minVersion: + description: MinVersion enforces use of the specified version + or upper on SSL connections instantiated from this listener. + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + type: string + sni: + description: SNI parameter evaluates the sample fetch expression, + converts it to a string and uses the result as the host + name sent in the SNI TLS extension to the server. + type: string + verify: + description: Verify is only available when support for OpenSSL + was built in. If set to 'none', client certificate is + not requested. This is the default. In other cases, a + client certificate is requested. If the client does not + provide a certificate after the request and if 'Verify' + is set to 'required', then the handshake is aborted, while + it would have succeeded if set to 'optional'. The verification + of the certificate provided by the client using CAs from + CACertificate. On verify failure the handshake abortes, + regardless of the 'verify' option. + enum: + - none + - optional + - required + type: string + required: + - enabled + type: object + verifyHost: + description: VerifyHost is only available when support for OpenSSL + was built in, and only takes effect if pec.ssl.verify' is + set to 'required'. This directive sets a default static hostname + to check the server certificate against when no SNI was used + to connect to the server. + type: string + weight: + description: Weight parameter is used to adjust the server weight + relative to other servers. All servers will receive a load + proportional to their weight relative to the sum of all weights. + format: int64 + maximum: 256 + minimum: 0 + type: integer + required: + - fqdn + - num + - port + - prefix + type: object + type: array + servers: + description: Servers defines the backend servers and its configuration. 
+ items: + properties: + SendProxyV2: + description: SendProxyV2 preparing new update. + properties: + v1: + description: V1 parameter enforces use of the PROXY protocol + version 1. + type: boolean + v2: + description: V2 parameter enforces use of the PROXY protocol + version 2. + properties: + enabled: + description: Enabled enables the PROXY protocol version + 2. + type: boolean + options: + description: Options is a list of options to add to + the PROXY protocol header. + properties: + authority: + description: Authority is the host name value passed + by the client (only SNI from a TLS) + type: boolean + certCn: + description: CertCn is equivalent to use V2SSLCN. + type: boolean + certKey: + description: CertKey is the key algorithm of the + used certificate. + type: boolean + certSig: + description: CertSig is the signature algorithm + of the used certificate. + type: boolean + crc32C: + description: Crc32c is the checksum of the PROXYv2 + header. + type: boolean + ssl: + description: Ssl is equivalent to use V2SSL. + type: boolean + sslCipher: + description: SslCipher is the name of the used cipher. + type: boolean + uniqueID: + description: UniqueId sends a unique ID generated + using the frontend's "unique-id-format" within + the PROXYv2 header. This unique-id is primarily + meant for "mode tcp". It can lead to unexpected + results in "mode http". + type: boolean + type: object + type: object + v2SSL: + description: V2SSL parameter add the SSL information extension + of the PROXY protocol to the PROXY protocol header. + type: boolean + v2SSLCN: + description: V2SSLCN parameter add the SSL information extension + of the PROXY protocol to the PROXY protocol header and + he SSL information extension along with the Common Name + from the subject of the client certificate (if any), is + added to the PROXY protocol header. + type: boolean + type: object + address: + description: Address can be a host name, an IPv4 address, an + IPv6 address. 
+ pattern: ^[^\s]+$ + type: string + check: + description: Check configures the health checks of the server. + properties: + enabled: + description: Enable enables health checks on a server. If + not set, no health checking is performed, and the server + is always considered available. + type: boolean + fall: + description: Fall specifies the number of consecutive unsuccessful + health checks after a server will be considered as dead. + This value defaults to 3 if unspecified. + format: int64 + type: integer + inter: + description: Inter sets the interval between two consecutive + health checks. If left unspecified, the delay defaults + to 2000 ms. + type: string + rise: + description: Rise specifies the number of consecutive successful + health checks after a server will be considered as operational. + This value defaults to 2 if unspecified. + format: int64 + type: integer + required: + - enabled + type: object + cookie: + description: Cookie sets the cookie value assigned to the server. + type: boolean + initAddr: + description: InitAddr indicates in what order the server address + should be resolved upon startup if it uses an FQDN. Attempts + are made to resolve the address by applying in turn each of + the methods mentioned in the comma-delimited list. The first + method which succeeds is used. + type: string + name: + description: Name of the server. + type: string + port: + description: Port + format: int64 + maximum: 65535 + minimum: 1 + type: integer + resolvers: + description: Resolvers points to an existing resolvers to resolve + current server hostname. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sendProxy: + description: SendProxy enforces use of the PROXY protocol over + any connection established to this server. 
The PROXY protocol + informs the other end about the layer 3/4 addresses of the + incoming connection, so that it can know the client address + or the public address it accessed to, whatever the upper layer + protocol. + type: boolean + ssl: + description: SSL configures OpenSSL + properties: + alpn: + description: Alpn enables the TLS ALPN extension and advertises + the specified protocol list as supported on top of ALPN. + items: + type: string + type: array + caCertificate: + description: CACertificate configures the CACertificate + used for the Server or Bind client certificate + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + certificate: + description: Certificate configures a PEM based Certificate + file containing both the required certificates and any + associated private keys. + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + enabled: + description: Enabled enables SSL deciphering on connections + instantiated from this listener. A certificate is necessary. + All contents in the buffers will appear in clear text, + so that ACLs and HTTP processing will only have access + to deciphered contents. 
SSLv3 is disabled per default, + set MinVersion to SSLv3 to enable it. + type: boolean + minVersion: + description: MinVersion enforces use of the specified version + or upper on SSL connections instantiated from this listener. + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + type: string + sni: + description: SNI parameter evaluates the sample fetch expression, + converts it to a string and uses the result as the host + name sent in the SNI TLS extension to the server. + type: string + verify: + description: Verify is only available when support for OpenSSL + was built in. If set to 'none', client certificate is + not requested. This is the default. In other cases, a + client certificate is requested. If the client does not + provide a certificate after the request and if 'Verify' + is set to 'required', then the handshake is aborted, while + it would have succeeded if set to 'optional'. The verification + of the certificate provided by the client using CAs from + CACertificate. On verify failure the handshake abortes, + regardless of the 'verify' option. + enum: + - none + - optional + - required + type: string + required: + - enabled + type: object + verifyHost: + description: VerifyHost is only available when support for OpenSSL + was built in, and only takes effect if pec.ssl.verify' is + set to 'required'. This directive sets a default static hostname + to check the server certificate against when no SNI was used + to connect to the server. + type: string + weight: + description: Weight parameter is used to adjust the server weight + relative to other servers. All servers will receive a load + proportional to their weight relative to the sum of all weights. + format: int64 + maximum: 256 + minimum: 0 + type: integer + required: + - address + - name + - port + type: object + type: array + tcpRequest: + description: TCPRequest rules perform an action on an incoming connection + depending on a layer 4 condition. 
+ items: + properties: + action: + description: Action defines the action to perform if the condition + applies. + enum: + - accept + - capture + - do-resolve + - expect-netscaler-cip + - expect-proxy + - reject + - sc-inc-gpc0 + - sc-inc-gpc1 + - sc-set-gpt0 + - send-spoe-group + - set-dst-port + - set-dst + - set-priority + - set-src + - set-var + - silent-drop + - track-sc0 + - track-sc1 + - track-sc2 + - unset-var + - use-service + - lua + type: string + condition: + description: Condition is a condition composed of ACLs. + type: string + conditionType: + description: ConditionType specifies the type of the condition + matching ('if' or 'unless') + enum: + - if + - unless + type: string + timeout: + description: Timeout sets timeout for the action + type: string + type: + description: Type specifies the type of the tcp-request rule. + enum: + - connection + - content + - inspect-delay + - session + type: string + required: + - type + type: object + type: array + timeouts: + additionalProperties: + type: string + description: 'Timeouts: check, connect, http-keep-alive, http-request, + queue, server, tunnel. The timeout value specified in milliseconds + by default, but can be in any other unit if the number is suffixed + by the unit. More info: https://cbonte.github.io/haproxy-dconv/2.6/configuration.html' + type: object + required: + - binds + - mode + type: object + status: + description: Status defines the observed state of an object + properties: + error: + description: Error shows the actual error message if Phase is 'Error'. + type: string + observedGeneration: + description: ObservedGeneration the generation observed by the controller. + format: int64 + type: integer + phase: + description: Phase is a simple, high-level summary of where the object + is in its lifecycle. + type: string + required: + - phase + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/helm/haproxy-operator/crds/config.haproxy.com_resolvers.yaml b/helm/haproxy-operator/crds/config.haproxy.com_resolvers.yaml new file mode 100644 index 0000000..8bbf7c0 --- /dev/null +++ b/helm/haproxy-operator/crds/config.haproxy.com_resolvers.yaml 
@@ -0,0 +1,149 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: resolvers.config.haproxy.com +spec: + group: config.haproxy.com + names: + kind: Resolver + listKind: ResolverList + plural: resolvers + singular: resolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.mode + name: Mode + type: string + - jsonPath: .status.phase + name: Phase + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Resolver is the Schema for the Resolver API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ResolverSpec defines the desired state of Resolver + properties: + acceptedPayloadSize: + description: AcceptedPayloadSize defines the maximum payload size + accepted by HAProxy and announced to all the name servers configured + in this resolver. + format: int64 + maximum: 8192 + minimum: 512 + type: integer + hold: + description: Hold defines the period during which the last name resolution + should be kept based on the last resolution status. + properties: + nx: + description: Nx defines interval between two successive name resolution + when the last answer was nx. 
+ type: string + obsolete: + description: Obsolete defines interval between two successive + name resolution when the last answer was obsolete. + type: string + other: + description: Other defines interval between two successive name + resolution when the last answer was other. + type: string + refused: + description: Refused defines interval between two successive name + resolution when the last answer was nx. + type: string + timeout: + description: Timeout defines interval between two successive name + resolution when the last answer was timeout. + type: string + valid: + description: Valid defines interval between two successive name + resolution when the last answer was valid. + type: string + type: object + nameservers: + description: Nameservers used to configure a nameservers. + items: + properties: + address: + description: Address + pattern: ^[^\s]+$ + type: string + name: + description: Name specifies a unique name of the nameserver. + pattern: ^[A-Za-z0-9-_.:]+$ + type: string + port: + description: Port + format: int64 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - name + type: object + type: array + parseResolvConf: + description: ParseResolvConf if true, adds all nameservers found in + /etc/resolv.conf to this resolvers nameservers list. + type: boolean + resolveRetries: + description: 'ResolveRetries defines the number of queries to + send to resolve a server name before giving up. Default value: 3' + format: int64 + minimum: 1 + type: integer + timeouts: + description: Timeouts defines timeouts related to name resolution. + properties: + resolve: + description: 'Resolve time to trigger name resolutions when no + other time applied. Default value: 1s' + type: string + retry: + description: 'Retry time between two DNS queries, when no valid + response have been received. 
Default value: 1s' + type: string + type: object + type: object + status: + description: Status defines the observed state of an object + properties: + error: + description: Error shows the actual error message if Phase is 'Error'. + type: string + observedGeneration: + description: ObservedGeneration the generation observed by the controller. + format: int64 + type: integer + phase: + description: Phase is a simple, high-level summary of where the object + is in its lifecycle. + type: string + required: + - phase + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/haproxy-operator/crds/proxy.haproxy.com_instances.yaml b/helm/haproxy-operator/crds/proxy.haproxy.com_instances.yaml new file mode 100644 index 0000000..f1b334f --- /dev/null +++ b/helm/haproxy-operator/crds/proxy.haproxy.com_instances.yaml 
@@ -0,0 +1,2159 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: instances.proxy.haproxy.com +spec: + group: proxy.haproxy.com + names: + kind: Instance + listKind: InstanceList + plural: instances + singular: instance + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Instance is the Schema for the instances API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: InstanceSpec defines the desired state of Instance + properties: + allowPrivilegedPorts: + description: AllowPrivilegedPorts allows to bind sockets with port + numbers less than 1024. + nullable: true + type: boolean + configuration: + description: Configuration is used to bootstrap the global and defaults + section of the HAProxy configuration. + properties: + defaults: + description: Defaults presets settings for all frontend, backend + and listen + properties: + additionalParameters: + description: AdditionalParameters can be used to specify any + further configuration statements which are not covered in + this section explicitly. 
+ type: string + errorFiles: + description: ErrorFiles custom error files to be used + items: + properties: + code: + description: Code is the HTTP status code. + enum: + - 200 + - 400 + - 401 + - 403 + - 404 + - 405 + - 407 + - 408 + - 410 + - 413 + - 425 + - 429 + - 500 + - 501 + - 502 + - 503 + - 504 + format: int64 + type: integer + file: + description: File designates a file containing the full + HTTP response. + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + required: + - code + - file + type: object + type: array + logging: + description: Logging is used to configure default logging + for all proxies. + properties: + enabled: + description: Enabled will enable logs for all proxies + type: boolean + httpLog: + description: HTTPLog enables HTTP log format which is + the most complete and the best suited for HTTP proxies. + It provides the same level of information as the TCP + format with additional features which are specific to + the HTTP protocol. + type: boolean + tcpLog: + description: TCPLog enables advanced logging of TCP connections + with session state and timers. By default, the log output + format is very poor, as it only contains the source + and destination addresses, and the instance name. + type: boolean + required: + - enabled + type: object + mode: + default: http + description: Mode can be either 'tcp' or 'http'. 
In tcp mode + it is a layer 4 proxy. In http mode it is a layer 7 proxy. + enum: + - http + - tcp + type: string + timeouts: + additionalProperties: + type: string + default: + client: 5s + connect: 5s + server: 10s + description: 'Timeouts: check, client, client-fin, connect, + http-keep-alive, http-request, queue, server, server-fin, + tunnel. The timeout value specified in milliseconds by default, + but can be in any other unit if the number is suffixed by + the unit. More info: https://cbonte.github.io/haproxy-dconv/2.6/configuration.html' + type: object + required: + - mode + - timeouts + type: object + global: + description: Global contains the global HAProxy configuration + settings + properties: + additionalCertificates: + description: AdditionalCertificates can be used to include + global ssl certificates which can bes used in any listen + items: + properties: + name: + type: string + value: + type: string + valueFrom: + items: + properties: + configMapKeyRef: + description: ConfigMapKeyRef selects a key of + a ConfigMap + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: SecretKeyRef selects a key of a secret + in the pod namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array + required: + - name + type: object + type: array + additionalParameters: + description: AdditionalParameters can be used to specify any + further configuration statements which are not covered in + this section explicitly. + type: string + hardStopAfter: + description: HardStopAfter is the maximum time the instance + will remain alive when a soft-stop is received. + format: int64 + type: integer + logging: + description: Logging is used to enable and configure logging + in the global section of the HAProxy configuration. + properties: + address: + default: /var/lib/rsyslog/rsyslog.sock + description: Address can be a filesystem path to a UNIX + domain socket or a remote syslog target (IPv4/IPv6 address + optionally followed by a colon and a UDP port). + pattern: ^[^\s]+$ + type: string + enabled: + description: Enabled will toggle the creation of a global + syslog server. + type: boolean + facility: + default: local0 + description: Facility must be one of the 24 standard syslog + facilities. + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + format: + description: Format is the log format used when generating + syslog messages. + enum: + - rfc3164 + - rfc5424 + - short + - raw + type: string + hostname: + description: Hostname specifies a value for the syslog + hostname header, otherwise uses the hostname of the + system. + type: string + level: + description: Level can be specified to filter outgoing + messages. By default, all messages are sent. 
+ enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + type: string + sendHostname: + description: SendHostname sets the hostname field in the + syslog header. Generally used if one is not relaying + logs through an intermediate syslog server. + type: boolean + required: + - address + - enabled + type: object + maxconn: + description: Maxconn sets the maximum per-process number of + concurrent connections. Proxies will stop accepting connections + when this limit is reached. + format: int64 + type: integer + nbthread: + description: Nbthread this setting is only available when + support for threads was built in. It makes HAProxy run on + specified number of threads. + format: int64 + type: integer + reload: + default: false + description: Reload enables auto-reload of the configuration + using sockets. Requires an image that supports this feature. + type: boolean + ssl: + description: GlobalSSL sets the global SSL options. + properties: + defaultBindCipherSuites: + description: DefaultBindCipherSuites sets the default + list of cipher algorithms ("cipher suite") that are + negotiated during the TLSv1.3 handshake for all binds + which do not explicitly define theirs. + items: + type: string + type: array + defaultBindCiphers: + description: DefaultBindCiphers sets the list of cipher + algorithms ("cipher suite") that are negotiated during + the SSL/TLS handshake up to TLSv1.2 for all binds which + do not explicitly define theirs. + items: + type: string + type: array + defaultBindOptions: + description: DefaultBindOptions sets default ssl-options + to force on all binds. + properties: + minVersion: + description: MinVersion enforces use of the specified + version or upper on SSL connections instantiated + from this listener. + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + type: string + type: object + type: object + statsTimeout: + description: StatsTimeout sets the timeout on the stats socket. 
+ Default is set to 10 seconds. + type: string + tune: + description: TuneOptions sets the global tune options. + properties: + bufsize: + description: Bufsize sets the buffer size to this size + (in bytes). Lower values allow more sessions to coexist + in the same amount of RAM, and higher values allow some + applications with very large cookies to work. + format: int64 + type: integer + maxrewrite: + description: Maxrewrite sets the reserved buffer space + to this size in bytes. The reserved space is used for + header rewriting or appending. The first reads on sockets + will never fill more than bufsize-maxrewrite. + format: int64 + type: integer + ssl: + description: SSL sets the SSL tune options. + properties: + cacheSize: + description: CacheSize sets the size of the global + SSL session cache, in a number of blocks. A block + is large enough to contain an encoded session without + peer certificate. An encoded session with peer + certificate is stored in multiple blocks depending + on the size of the peer certificate. The default + value may be forced at build time, otherwise defaults + to 20000. Setting this value to 0 disables the + SSL session cache. + format: int64 + type: integer + captureBufferSize: + description: CaptureBufferSize sets the maximum size + of the buffer used for capturing client hello cipher + list, extensions list, elliptic curves list and + elliptic curve point formats. If the value is 0 + (default value) the capture is disabled, otherwise + a buffer is allocated for each SSL/TLS connection. + format: int64 + type: integer + ctxCacheSize: + description: CtxCacheSize sets the size of the cache + used to store generated certificates to + entries. This is an LRU cache. Because generating + an SSL certificate dynamically is expensive, they + are cached. The default cache size is set to 1000 + entries. 
+ format: int64 + type: integer + defaultDHParam: + description: DefaultDHParam sets the maximum size + of the Diffie-Hellman parameters used for generating + the ephemeral/temporary Diffie-Hellman key in case + of DHE key exchange. The final size will try to + match the size of the server's RSA (or DSA) key + (e.g, a 2048 bits temporary DH key for a 2048 bits + RSA key), but will not exceed this maximum value. + Default value if 2048. + format: int64 + type: integer + forcePrivateCache: + description: ForcePrivateCache disables SSL session + cache sharing between all processes. It should normally + not be used since it will force many renegotiations + due to clients hitting a random process. + type: boolean + keylog: + description: Keylog activates the logging of the TLS + keys. It should be used with care as it will consume + more memory per SSL session and could decrease performances. + This is disabled by default. + type: string + lifetime: + description: Lifetime sets how long a cached SSL session + may remain valid. This time defaults to 5 min. It + is important to understand that it does not guarantee + that sessions will last that long, because if the + cache is full, the longest idle sessions will be + purged despite their configured lifetime. + type: string + maxRecord: + description: MaxRecord sets the maximum amount of + bytes passed to SSL_write() at a time. Default value + 0 means there is no limit. Over SSL/TLS, the client + can decipher the data only once it has received + a full record. + format: int64 + type: integer + type: object + type: object + required: + - reload + type: object + selector: + description: LabelSelector to select other configuration objects + of the config.haproxy.com API + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - defaults + - global + - selector + type: object + image: + default: haproxy:latest + description: Image specifies the HaProxy image including th tag. + type: string + imagePullPolicy: + description: ImagePullPolicy one of Always, Never, IfNotPresent. + type: string + labels: + additionalProperties: + type: string + description: Labels additional labels for the ha-proxy pods + nullable: true + type: object + metrics: + description: Metrics defines the metrics endpoint and scraping configuration. + nullable: true + properties: + address: + default: 0.0.0.0 + description: 'Address to bind the metrics endpoint (default: ''0.0.0.0'').' + type: string + enabled: + description: Enabled will enable metrics globally for Instance. 
+ type: boolean + interval: + description: Interval at which metrics should be scraped If not + specified Prometheus' global scrape interval is used. + pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ + type: string + port: + description: Port specifies the port used for metrics. + format: int64 + type: integer + relabelings: + description: 'RelabelConfigs to apply to samples before scraping. + More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config' + items: + description: 'RelabelConfig allows dynamic rewriting of the + label set, being applied to samples before ingestion. It defines + ``-section of Prometheus configuration. + More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs' + properties: + action: + default: replace + description: Action to perform based on regex matching. + Default is 'replace'. uppercase and lowercase actions + require Prometheus >= 2.36. + enum: + - replace + - Replace + - keep + - Keep + - drop + - Drop + - hashmod + - HashMod + - labelmap + - LabelMap + - labeldrop + - LabelDrop + - labelkeep + - LabelKeep + - lowercase + - Lowercase + - uppercase + - Uppercase + type: string + modulus: + description: Modulus to take of the hash of the source label + values. + format: int64 + type: integer + regex: + description: Regular expression against which the extracted + value is matched. Default is '(.*)' + type: string + replacement: + description: Replacement value against which a regex replace + is performed if the regular expression matches. Regex + capture groups are available. Default is '$1' + type: string + separator: + description: Separator placed between concatenated source + label values. default is ';'. + type: string + sourceLabels: + description: The source labels select values from existing + labels. 
Their content is concatenated using the configured + separator and matched against the configured regular expression + for the replace, keep, and drop actions. + items: + description: LabelName is a valid Prometheus label name + which may only contain ASCII letters, numbers, as well + as underscores. + pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + type: string + type: array + targetLabel: + description: Label to which the resulting value is written + in a replace action. It is mandatory for replace actions. + Regex capture groups are available. + type: string + type: object + type: array + required: + - enabled + - port + type: object + network: + description: Network contains the configuration of Route, Services + and other network related configuration. + properties: + hostIPs: + additionalProperties: + type: string + description: HostIPs defines an environment variable BIND_ADDRESS + in the instance based on the provided host to IP mapping + type: object + hostNetwork: + description: HostNetwork will enable the usage of host network. + type: boolean + route: + description: Route defines the desired state for OpenShift Routes. + properties: + enabled: + description: Enabled will toggle the creation of OpenShift + Routes. + type: boolean + tls: + description: TLS provides the ability to configure certificates + and termination for the route. + properties: + caCertificate: + description: caCertificate provides the cert authority + certificate contents + type: string + certificate: + description: certificate provides certificate contents + type: string + destinationCACertificate: + description: destinationCACertificate provides the contents + of the ca certificate of the final destination. When + using reencrypt termination this file should be provided + in order to have routers use it for health checks on + the secure connection. 
If this field is not specified, + the router may provide its own destination CA and perform + hostname validation using the short service name (service.namespace.svc), + which allows infrastructure generated certificates to + automatically verify. + type: string + insecureEdgeTerminationPolicy: + description: "insecureEdgeTerminationPolicy indicates + the desired behavior for insecure connections to a route. + While each router may make its own decisions on which + ports to expose, this is normally port 80. \n * Allow + - traffic is sent to the server on the insecure port + (default) * Disable - no traffic is allowed on the insecure + port. * Redirect - clients are redirected to the secure + port." + type: string + key: + description: key provides key file contents + type: string + termination: + description: "termination indicates termination type. + \n * edge - TLS termination is done by the router and + http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination + without the router providing TLS termination * reencrypt + - TLS termination is done by the router and https is + used to communicate with the backend" + type: string + required: + - termination + type: object + required: + - enabled + type: object + service: + description: Service defines the desired state for a Service. + properties: + enabled: + description: Enabled will toggle the creation of a Service. + type: boolean + required: + - enabled + type: object + type: object + placement: + description: Placement define how the instance's pods should be scheduled. + nullable: true + properties: + nodeSelector: + additionalProperties: + type: string + description: NodeSelector is a selector which must be true for + the pod to fit on a node. + type: object + topologySpreadConstraints: + description: TopologySpreadConstraints describes how a group of + pods ought to spread across topology domains. 
Scheduler will + schedule pods in a way which abides by the constraints. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine + the number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to + select the pods over which spreading will be calculated. 
+ The keys are used to lookup values from the incoming pod + labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading + will be calculated for the incoming pod. Keys that don't + exist in the incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which pods + may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the number + of matching pods in the target topology and the global + minimum. The global minimum is the minimum number of matching + pods in an eligible domain or zero if the number of eligible + domains is less than MinDomains. For example, in a 3-zone + cluster, MaxSkew is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | | P P | P P | P | - + if MaxSkew is 1, incoming pod can only be scheduled to + zone3 to become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled + onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies that + satisfy it. It''s a required field. Default value is 1 + and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number of eligible + domains. When the number of eligible domains with matching + topology keys is less than minDomains, Pod Topology Spread + treats \"global minimum\" as 0, and then the calculation + of Skew is performed. And when the number of eligible + domains with matching topology keys equals or greater + than minDomains, this value has no effect on scheduling. 
+ As a result, when the number of eligible domains is less + than minDomains, scheduler won't schedule more than maxSkew + Pods to those domains. If value is nil, the constraint + behaves as if MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set to 5 and pods with + the same labelSelector spread as 2/2/2: | zone1 | zone2 + | zone3 | | P P | P P | P P | The number of domains + is less than 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the same labelSelector + cannot be scheduled, because computed skew will be 3(3 + - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. \n This is a beta field and requires + the MinDomainsInPodTopologySpread feature gate to be enabled + (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will treat + Pod's nodeAffinity/nodeSelector when calculating pod topology + spread skew. Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this value is + nil, the behavior is equivalent to the Honor policy. This + is a alpha-level feature enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will treat + node taints when calculating pod topology spread skew. + Options are: - Honor: nodes without taints, along with + tainted nodes for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. All nodes + are included. \n If this value is nil, the behavior is + equivalent to the Ignore policy. 
This is a alpha-level + feature enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. Nodes + that have a label with this key and identical values are + considered to be in the same topology. We consider each + as a "bucket", and try to put balanced number + of pods into each bucket. We define a domain as a particular + instance of a topology. Also, we define an eligible domain + as a domain whose nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain + of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with + a pod if it doesn''t satisfy the spread constraint. - + DoNotSchedule (default) tells the scheduler not to schedule + it. - ScheduleAnyway tells the scheduler to schedule the + pod in any location, but giving higher precedence to topologies + that would help reduce the skew. A constraint is considered + "Unsatisfiable" for an incoming pod if and only if every + possible node assignment for that pod would violate "MaxSkew" + on some topology. For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector spread + as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming + pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) + as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). + In other words, the cluster can still be imbalanced, but + scheduler won''t make it *more* imbalanced. It''s a required + field.' 
+ type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + replicas: + default: 1 + description: Replicas is the desired number of replicas of the HAProxy + Instance. + format: int32 + type: integer + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run this Instance. + type: string + sidecars: + description: Sidecars additional sidecar containers + items: + description: A single application container that you want to run + within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container image''s + CMD is used if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If a variable + cannot be resolved, the reference in the input string will + be unchanged. Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. + The container image''s ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the reference + in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: + i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether + the variable exists or not. Cannot be updated. 
More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. + Cannot be updated. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be + a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. + If a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' 
+ properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables + in the container. The keys defined within a source must be + a C_IDENTIFIER. 
All invalid keys will be reported as an event + when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take + precedence. Values defined by an Env with a duplicate key + will take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of a set + of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each + key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management + to default or override container images in workload controllers + like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take + in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after a container + is created. If the handler fails, the container is terminated + and restarted according to its restart policy. Other management + of the container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container + is terminated due to an API request or management event + such as liveness/startup probe failure, preemption, resource + contention, etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the container + will eventually terminate within the Pod''s termination + grace period (unless delayed by finalizers). Other management + of the container blocks until the hook completes or until + the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container + will be restarted if the probe fails. Cannot be updated. More + info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + This is a beta field and requires enabling GRPCContainerProbe + feature gate. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. 
+ properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. 
+ Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Not + specifying a port here DOES NOT prevent that port from being + exposed. Any port which is listening on the default "0.0.0.0" + address inside a container will be accessible from the network. + Modifying this array with strategic merge patch may corrupt + the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port in a + single container. 
+ properties: + containerPort: + description: Number of port to expose on the pod's IP + address. This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: Number of port to expose on the host. If + specified, this must be a valid port number, 0 < x < + 65536. If HostNetwork is specified, this must match + ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in a pod + must have a unique name. Name for the port that can + be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if the probe + fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. 
Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + This is a beta field and requires enabling GRPCContainerProbe + feature gate. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security options the + container should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext. More + info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether + a process can gain more privileges than its parent process. + This bool directly controls if the no_new_privs flag will + be set on the container process. 
AllowPrivilegeEscalation + is true always when the container is: 1) run as Privileged + 2) has CAP_SYS_ADMIN Note that this field cannot be set + when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by + the container runtime. Note that this field cannot be + set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent to + root on the host. Defaults to false. Note that this field + cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc mount to + use for the containers. The default is DefaultProcMount + which uses the container runtime defaults for readonly + paths and masked paths. This requires the ProcMountType + feature flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root + filesystem. Default is false. Note that this field cannot + be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a + non-root user. If true, the Kubelet will validate the + image at runtime to ensure that it does not run as UID + 0 (root) and fail to start the container if it does. If + unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata + if unspecified. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a + random SELinux context for each container. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this container. + If seccomp options are provided at both the pod & container + level, the container options override the pod options. 
+ Note that this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile + must be preconfigured on the node to work. Must be + a descending path, relative to the kubelet's configured + seccomp profile location. Must only be set if type + is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - + a profile defined in a file on the node should be + used. RuntimeDefault - the container runtime default + profile should be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options from the PodSecurityContext + will be used. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is + linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. This field is + alpha-level and will only be honored by components + that enable the WindowsHostProcessContainers feature + flag. Setting this field without the feature flag + will result in errors when validating the Pod. 
All + of a Pod's containers must have the same effective + HostProcess value (it is not allowed to have a mix + of HostProcess containers and non-HostProcess containers). In + addition, if HostProcess is true then HostNetwork + must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully + initialized. If specified, no other probes are executed until + this completes successfully. If this probe fails, the Pod + will be restarted, just as if the livenessProbe failed. This + can be used to provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time to load + data or warm a cache, than during steady-state operation. + This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. 
+ format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + This is a beta field and requires enabling GRPCContainerProbe + feature gate. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer + for stdin in the container runtime. If this is not set, reads + from stdin in the container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the + stdin channel after it has been opened by a single attach. + When stdin is true the stdin stream will remain open across + multiple attach sessions. If stdinOnce is set to true, stdin + is opened on container start, is empty until the first client + attaches to stdin, and then remains open and accepts data + until the client disconnects, at which time stdin is closed + and remains closed until the container is restarted. If this + flag is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which the + container''s termination message will be written is mounted + into the container''s filesystem. Message written is intended + to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. + The total message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be + populated. File will use the contents of terminationMessagePath + to populate the container status message on both success and + failure. FallbackToLogsOnError will use the last chunk of + container log output if the termination message file is empty + and the container exited with an error. The log output is + limited to 2048 bytes or 80 lines, whichever is smaller. Defaults + to File. Cannot be updated. 
+ type: string + tty: + description: Whether this container should allocate a TTY for + itself, also requires 'stdin' to be true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be + used by the container. + items: + description: volumeDevice describes a mapping of a raw block + device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container + that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. + Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: Path within the container at which the volume + should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts are + propagated from the host to container and the other + way around. When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise + (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's + volume should be mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from which + the container's volume should be mounted. Behaves similarly + to SubPath but environment variable references $(VAR_NAME) + are expanded using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath are mutually + exclusive. 
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ workingDir:
+ description: Container's working directory. If not specified,
+ the container runtime's default will be used, which might
+ be configured in the container image. Cannot be updated.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ required:
+ - configuration
+ - image
+ - network
+ - replicas
+ type: object
+ status:
+ description: InstanceStatus defines the observed state of Instance
+ properties:
+ error:
+ description: Error shows the actual error message if Phase is 'Error'.
+ type: string
+ phase:
+ description: Phase is a simple, high-level summary of where the Listen
+ is in its lifecycle.
+ type: string
+ required:
+ - phase
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/helm/haproxy-operator/templates/aggregate_edit_clusterrole.yaml b/helm/haproxy-operator/templates/aggregate_edit_clusterrole.yaml
new file mode 100644
index 0000000..60cc5ff
--- /dev/null
+++ b/helm/haproxy-operator/templates/aggregate_edit_clusterrole.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true'
+ rbac.authorization.k8s.io/aggregate-to-view: 'true'
+ name: aggregate-haproxy-view
+rules:
+- apiGroups:
+ - config.haproxy.com
+ resources:
+ - listens
+ - frontends
+ - backends
+ - resolvers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - proxy.haproxy.com
+ resources:
+ - instances
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/helm/haproxy-operator/templates/aggregate_view_clusterrole.yaml b/helm/haproxy-operator/templates/aggregate_view_clusterrole.yaml
new file mode 100644
index 0000000..3f6b5a0
--- /dev/null
+++ b/helm/haproxy-operator/templates/aggregate_view_clusterrole.yaml
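Review bot: The template file `aggregate_edit_clusterrole.yaml` defines the ClusterRole `aggregate-haproxy-view` with the `aggregate-to-view`/`aggregate-to-cluster-reader` labels and read-only verbs, while the next hunk's `aggregate_view_clusterrole.yaml` defines `aggregate-haproxy-edit` with `create`/`update`/`patch`/`delete`; the two file names are swapped relative to their contents. Rename the files (or swap their bodies) so that someone auditing the chart's RBAC grants finds the write rules in the file named edit. Both aggregate files also use flush sequence indentation (`- apiGroups:` at column 0, as does `leaderelection_role.yaml`) while `clusterrole.yaml` and `clusterrole_binding.yaml` indent their sequences; pick one style for the chart.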
@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+ rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+ name: aggregate-haproxy-edit
+rules:
+- apiGroups:
+ - config.haproxy.com
+ resources:
+ - listens
+ - frontends
+ - backends
+ - resolvers
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - proxy.haproxy.com
+ resources:
+ - instances
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
\ No newline at end of file
diff --git a/helm/haproxy-operator/templates/clusterrole.yaml b/helm/haproxy-operator/templates/clusterrole.yaml
new file mode 100644
index 0000000..5948d84
--- /dev/null
+++ b/helm/haproxy-operator/templates/clusterrole.yaml
@@ -0,0 +1,90 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.name }}
+rules:
+ - apiGroups:
+ - config.haproxy.com
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+ - get
+ - patch
+ - update
+ - delete
+ - apiGroups:
+ - proxy.haproxy.com
+ resources:
+ - instances
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - proxy.haproxy.com
+ resources:
+ - instances/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - proxy.haproxy.com
+ resources:
+ - instances/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - services
+ - secrets
+ - endpoints
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - delete
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ - routes/custom-host
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - delete
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - delete
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - patch
+ - update
\ No newline at end of file
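Review bot: In `clusterrole.yaml` the first rule lists `get` twice (once at the top of `verbs` and again after `watch`); drop the second so the rule reads `get, list, watch, patch, update, delete`. That rule also grants `resources: '*'` on `config.haproxy.com` while every other rule names its resources explicitly; unless the operator genuinely needs every current and future resource in that group, listing `listens`, `frontends`, `backends`, `resolvers` and whichever `/status` subresources the controller writes keeps the grant reviewable when new CRDs are added. The core-group rule grants cluster-wide `create`/`delete` on `secrets`, which is a powerful permission for a cluster admin to approve; a one-line comment above that rule stating which secrets the operator manages would let them judge it without reading the controller code. The empty core group is written `''` here but `""` in `leaderelection_role.yaml`; use one form.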
diff --git a/helm/haproxy-operator/templates/clusterrole_binding.yaml b/helm/haproxy-operator/templates/clusterrole_binding.yaml
new file mode 100644
index 0000000..532f3d6
--- /dev/null
+++ b/helm/haproxy-operator/templates/clusterrole_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Values.name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.name }}
+ namespace: {{ .Release.Namespace }}
diff --git a/helm/haproxy-operator/templates/deployment.yaml b/helm/haproxy-operator/templates/deployment.yaml
new file mode 100644
index 0000000..86dda05
--- /dev/null
+++ b/helm/haproxy-operator/templates/deployment.yaml
@@ -0,0 +1,54 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ labels:
+ app: {{ .Values.name }}
+ app.openshift.io/runtime: golang
+ name: {{ .Values.name }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Values.name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.name }}
+ spec:
+ serviceAccountName: {{ .Values.name }}
+ containers:
+ - name: {{ .Values.name }}
+ image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LEADER_ELECT
+ value: 'true'
+ - name: HELPER_IMAGE
+ value: {{ .Values.helper.image.repository }}:{{ .Values.helper.image.tag }}
+ - name: RSYSLOG_IMAGE
+ value: {{ .Values.rsyslog.image.repository }}:{{ .Values.rsyslog.image.tag }}
+ ports:
+ - containerPort: 8080
+ name: metrics
+ - containerPort: 8081
+ name: health-probe
+ resources:
+ limits:
+ cpu: {{ .Values.resources.limits.cpu }}
+ memory: {{ .Values.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.resources.requests.cpu }}
+ memory: {{ .Values.resources.requests.memory }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
diff --git a/helm/haproxy-operator/templates/leaderelection_role.yaml b/helm/haproxy-operator/templates/leaderelection_role.yaml
new file mode 100644
index 0000000..13e65f1
--- /dev/null
+++ b/helm/haproxy-operator/templates/leaderelection_role.yaml
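Review bot: The operator container in `deployment.yaml` has no pod or container `securityContext`, so it runs with whatever the image and cluster defaults allow (possibly as root, with privilege escalation permitted and the default capability set) while bound to a cluster-wide role that can create and delete Secrets; a restrictive security context is the standard hardening for an operator Deployment and is what the `restricted` Pod Security Standard expects. The Deployment also combines `imagePullPolicy: IfNotPresent` with a tag defaulted from `.Chart.AppVersion`, so a node that already cached that tag will keep running it after the tag is re-pushed; pinning a digest in values or using `Always` avoids that. The proposed change below adds the security contexts around the existing container definition and leaves image, env, ports, resources and probes untouched; `readOnlyRootFilesystem` should be confirmed against whether the operator writes to its local filesystem.
```yaml
    spec:
      serviceAccountName: {{ .Values.name }}
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: {{ .Values.name }}
          # … unchanged: image, imagePullPolicy, env, ports, resources, probes …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true  # confirm the operator writes nothing to its local filesystem
            capabilities:
              drop:
                - ALL
```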
@@ -0,0 +1,36 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Values.name }}-leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/helm/haproxy-operator/templates/leaderelection_role_binding.yaml b/helm/haproxy-operator/templates/leaderelection_role_binding.yaml
new file mode 100644
index 0000000..71eec15
--- /dev/null
+++ b/helm/haproxy-operator/templates/leaderelection_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Values.name }}-leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Values.name }}-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.name }}
+ namespace: {{ .Release.Namespace }}
diff --git a/helm/haproxy-operator/templates/serviceaccount.yaml b/helm/haproxy-operator/templates/serviceaccount.yaml
new file mode 100644
index 0000000..95cbc37
--- /dev/null
+++ b/helm/haproxy-operator/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/helm/haproxy-operator/values.yaml b/helm/haproxy-operator/values.yaml
new file mode 100644
index 0000000..8c4a366
--- /dev/null
+++ b/helm/haproxy-operator/values.yaml
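Review bot: The `Role` in `leaderelection_role.yaml` and the `RoleBinding` in the following hunk omit `namespace: {{ .Release.Namespace }}` from `metadata`, whereas `serviceaccount.yaml` and `deployment.yaml` set it explicitly; Helm places them in the release namespace on install, but the `helm template` output that `test.yml` now exercises carries no namespace, so applying those rendered manifests directly puts the role wherever the caller's context points. Add `namespace: {{ .Release.Namespace }}` under `metadata` in both files. The Role also grants full CRUD on all `configmaps` in the namespace alongside `leases`; if the manager uses controller-runtime's default leases resource lock the configmaps rule is unused and can be dropped, which is worth confirming against the operator's leader-election setup.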
@@ -0,0 +1,22 @@
+name: haproxy-operator
+
+resources:
+ limits:
+ cpu: '2'
+ memory: 4Gi
+ requests:
+ cpu: 200m
+ memory: 512Mi
+
+image:
+ repository: ghcr.io/six-group/haproxy-operator
+
+helper:
+ image:
+ repository: rhel8/support-tools
+ tag: 8.9
+
+rsyslog:
+ image:
+ repository: rhel8/rsyslog
+ tag: 8.9
\ No newline at end of file
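Review bot: `tag: 8.9` under `helper.image` and `rsyslog.image` is an unquoted float, so the value is loaded as a number rather than a string; it happens to render as `8.9` today, but a tag such as `8.10` or `8.0` would become `8.1` or `8` and silently change which image `deployment.yaml` pulls. Quote both as `tag: '8.9'`, matching the already-quoted `cpu: '2'` above. The `image` block has no `tag` key even though `deployment.yaml` reads `.Values.image.tag`; a commented placeholder such as `# tag: ""  # defaults to .Chart.AppVersion` documents the override point. The file has no comments at all; a one-line comment per top-level key saying what the helper and rsyslog images are used for would help chart users decide whether to override them.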