From 2035f7f9e6b01a10a7c94d649e33bfce23013b56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?MI=E2=84=82H=CE=9B=CE=9EL=20F=D1=B2R=D0=98=CE=9BR=D1=B2?= <20387402+xUnholy@users.noreply.github.com> Date: Tue, 6 Oct 2020 18:02:56 +1100 Subject: [PATCH] WIP Initial Fluxv2 Migration (#100) * update to fluxv2 Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> * add fullnameOverride to fix pvc char length error Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> * udpate virtualservices to match services Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> * update certificate api version Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> * update cluster issuer api version Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> update cert-manager chart Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> move back to staging lets encrypt until stable Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> move back to staging lets encrypt until stable Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> * cert-manager vebosity set to 4 Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> * syntax: indentation Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> * syntax: indentation Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> update cert-manager chart Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> * update workflow to remove broken resource checks Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> * update workflow and build scripts 
Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> --- .github/PULL_REQUEST_TEMPLATE.md | 2 +- .github/workflows/build.yml | 9 +- .github/workflows/builder-image.yml | 55 +- .github/workflows/helm-operator.yml | 47 - ...-secret-cloudflare-cert-manager-token.yaml | Bin 221 -> 221 bytes .secrets/k8s-secret-dex-helm-values.yaml | Bin 1672 -> 1677 bytes .secrets/k8s-secret-fluxcd-ssh.yaml | Bin 3653 -> 3662 bytes bootstrap/install.sh | 36 + bootstrap/repo.yaml | 30 + {scripts/builder => build/docker}/Dockerfile | 0 {scripts/builder => build/docker}/README.md | 0 {scripts => build}/validate.sh | 0 cilium/calico-chaining/README.md | 116 + cilium/calico-chaining/chaining.yaml | 37 + cilium/calico-chaining/cilium.yaml | 668 ++++ cilium/calico-chaining/json-mock.yaml | 1012 +++++++ cilium/calico-chaining/values.yaml | 25 + config/flux/values.yaml | 43 - config/helm-operator/values.yaml | 43 - .../actions-runner-controller.yaml | 2698 ++++++++--------- namespaces/actions-runner-system/runner.yaml | 3 +- namespaces/backups/velero/velero.yaml | 38 +- namespaces/flux/flagger/flagger.yaml | 26 - .../flux/helm-operator/helm-operator.yaml | 794 ----- namespaces/flux/namespace.yaml | 8 - namespaces/gitops-system/README.md | 30 + .../bitnami-charts.yaml | 9 + .../flagger-charts.yaml | 10 + .../helm-chart-repositories/grafana-loki.yaml | 9 + .../jetstack-charts.yaml | 21 + .../k8s-at-home-charts.yaml | 9 + .../kubernetes-stable-charts.yaml | 9 + .../openebs-charts.yaml | 9 + .../openfaas-charts.yaml | 9 + .../prometheus-community-charts.yaml | 9 + .../vmware-charts.yaml | 9 + .../weaveworks-kured-charts.yaml | 9 + namespaces/gitops-system/namespace.yaml | 7 + .../notifications/slack-alert.yaml | 15 + .../notifications/slack-provider.yaml | 11 + ...erator-1.6.5.yaml => operator-v1.7.2.yaml} | 2 +- namespaces/istio-system/certificate.yaml | 2 +- .../istio-system/istio/istio-1.6.5.yaml | 592 ++++ .../istio-system/istio/istio-1.6.7.yaml | 591 ++++ 
.../istio-1.7.2.yaml} | 209 +- namespaces/kube-system/kured/kured.yaml | 34 +- .../metrics-server/metrics-server.yaml | 36 +- .../sealed-secrets/sealed-secrets.yaml | 33 +- .../network/cert-manager/cert-manager.yaml | 49 +- .../cert-manager/clusterissuer-prod.yaml | 2 +- .../cert-manager/clusterissuer-stg.yaml | 2 +- .../cert-manager/secret.encrypted.yaml | 3 +- .../network/cloudflare-ddns/deployment.yaml | 2 +- namespaces/network/dex/dex.yaml | 40 +- namespaces/network/dex/secret.encrypted.yaml | 15 + .../network/external-dns/external-dns.yaml | 36 +- namespaces/network/keycloak/keycloak.yaml | 2 +- namespaces/network/metallb/metallb.yaml | 36 +- .../network/nginx-ingress/nginx-ingress.yaml | 2 +- .../oauth2-proxy/oauth2-proxy-dex.yaml | 55 - .../network/oauth2-proxy/oauth2-proxy.yaml | 115 +- namespaces/observability/botkube/botkube.yaml | 199 -- .../jaeger-operator/jaeger-operator.yaml | 15 - namespaces/observability/jaeger/jaeger.yaml | 15 - .../observability/kiali/kiali-server.yaml | 2 +- .../kube-prometheus-stack.yaml} | 69 +- .../secret.encrypted-grafana.yaml | 0 .../secret.encrypted.yaml | 0 .../secret.oauth2.encrypted.yaml | 0 .../vs-alert-manager.yaml | 2 +- .../vs-grafana.yaml | 2 +- .../vs-prometheus.yaml | 2 +- namespaces/observability/loki/loki.yaml | 36 +- .../observability/speedtest/speedtest.yaml | 37 +- namespaces/openfaas-fn/namespace.yaml | 16 +- namespaces/openfaas-fn/networkpolicy.yaml | 30 +- namespaces/openfaas/namespace.yaml | 18 +- namespaces/openfaas/networkpolicy.yaml | 30 +- namespaces/openfaas/openfaas/openfaas.yaml | 88 +- namespaces/security/falco/falco.yaml | 2 +- namespaces/security/gatekeeper/000-crd.yaml | 430 +-- .../security/gatekeeper/gatekeeper.yaml | 2 +- namespaces/storage/openebs/openebs.yaml | 34 +- namespaces/storage/rook-ceph/rook-ceph.yaml | 25 - scripts/flux.sh | 46 - scripts/helm-gen.sh | 17 - 86 files changed, 5517 insertions(+), 3323 deletions(-) delete mode 100644 .github/workflows/helm-operator.yml create mode 
100755 bootstrap/install.sh create mode 100644 bootstrap/repo.yaml rename {scripts/builder => build/docker}/Dockerfile (100%) rename {scripts/builder => build/docker}/README.md (100%) rename {scripts => build}/validate.sh (100%) create mode 100644 cilium/calico-chaining/README.md create mode 100644 cilium/calico-chaining/chaining.yaml create mode 100644 cilium/calico-chaining/cilium.yaml create mode 100644 cilium/calico-chaining/json-mock.yaml create mode 100644 cilium/calico-chaining/values.yaml delete mode 100644 config/flux/values.yaml delete mode 100644 config/helm-operator/values.yaml delete mode 100644 namespaces/flux/flagger/flagger.yaml delete mode 100644 namespaces/flux/helm-operator/helm-operator.yaml delete mode 100644 namespaces/flux/namespace.yaml create mode 100644 namespaces/gitops-system/README.md create mode 100644 namespaces/gitops-system/helm-chart-repositories/bitnami-charts.yaml create mode 100644 namespaces/gitops-system/helm-chart-repositories/flagger-charts.yaml create mode 100644 namespaces/gitops-system/helm-chart-repositories/grafana-loki.yaml create mode 100644 namespaces/gitops-system/helm-chart-repositories/jetstack-charts.yaml create mode 100644 namespaces/gitops-system/helm-chart-repositories/k8s-at-home-charts.yaml create mode 100644 namespaces/gitops-system/helm-chart-repositories/kubernetes-stable-charts.yaml create mode 100644 namespaces/gitops-system/helm-chart-repositories/openebs-charts.yaml create mode 100644 namespaces/gitops-system/helm-chart-repositories/openfaas-charts.yaml create mode 100644 namespaces/gitops-system/helm-chart-repositories/prometheus-community-charts.yaml create mode 100644 namespaces/gitops-system/helm-chart-repositories/vmware-charts.yaml create mode 100644 namespaces/gitops-system/helm-chart-repositories/weaveworks-kured-charts.yaml create mode 100644 namespaces/gitops-system/namespace.yaml create mode 100644 namespaces/gitops-system/notifications/slack-alert.yaml create mode 100644 
namespaces/gitops-system/notifications/slack-provider.yaml rename namespaces/istio-operator/{operator-1.6.5.yaml => operator-v1.7.2.yaml} (99%) create mode 100644 namespaces/istio-system/istio/istio-1.6.5.yaml create mode 100644 namespaces/istio-system/istio/istio-1.6.7.yaml rename namespaces/istio-system/{istio-1.6.5/istio-1.6.5.yaml => istio/istio-1.7.2.yaml} (78%) create mode 100644 namespaces/network/dex/secret.encrypted.yaml delete mode 100644 namespaces/network/oauth2-proxy/oauth2-proxy-dex.yaml delete mode 100644 namespaces/observability/botkube/botkube.yaml delete mode 100644 namespaces/observability/jaeger-operator/jaeger-operator.yaml delete mode 100644 namespaces/observability/jaeger/jaeger.yaml rename namespaces/observability/{prometheus-operator/prometheus-operator.yaml => kube-prometheus-stack/kube-prometheus-stack.yaml} (83%) rename namespaces/observability/{prometheus-operator => kube-prometheus-stack}/secret.encrypted-grafana.yaml (100%) rename namespaces/observability/{prometheus-operator => kube-prometheus-stack}/secret.encrypted.yaml (100%) rename namespaces/observability/{prometheus-operator => kube-prometheus-stack}/secret.oauth2.encrypted.yaml (100%) rename namespaces/observability/{prometheus-operator => kube-prometheus-stack}/vs-alert-manager.yaml (87%) rename namespaces/observability/{prometheus-operator => kube-prometheus-stack}/vs-grafana.yaml (84%) rename namespaces/observability/{prometheus-operator => kube-prometheus-stack}/vs-prometheus.yaml (87%) delete mode 100644 namespaces/storage/rook-ceph/rook-ceph.yaml delete mode 100755 scripts/flux.sh delete mode 100755 scripts/helm-gen.sh diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 6d4de1fbc2..25b3dd4001 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md 
@@ -19,4 +19,4 @@ Which issue(s) this PR fixes (optional, using fixes #(, fixes #5Z@OFT% z@#*3AXaF|R#PQw0pr9rWtg$oK&LE|g{F}Fd<&_fQD}&qB;bgbRJs9RJ3wXYYl*KRc zKYW5>J|7w~B{9>$c5-}|t&i0C!$d9GH>x7`_Jc*=>RE9_HbS8_rlH;wemy5O6sQ<@bU}g@l(dn#>R+|JF<^Z52-7DZ7W23VIbQHAY_EY3bYQ_g z9W<4G%Cj^FeU77Jbc+RzWqaZ+lK7aP1cN4qQUwC{+?MB>Ibp(QuP*UC*ij(s zNLeQ#$*qAsB7S`mOhdV4fbKFt(HP}Y)g!bMX)1=-bYD*W|KiIIt!SYu^fccK4XNU* X=xadGm=Cw&IQ*OrKCcVR!5IOHOh;*W 
diff --git a/.secrets/k8s-secret-dex-helm-values.yaml b/.secrets/k8s-secret-dex-helm-values.yaml index c4cb703b564a02ee320df66d333dea33451fb292..5ab2e705fb9aa7cbf92c86346a2cd2c959b13a0d 100644 GIT binary patch literal 1677 zcmV;826FiTM@dveQdv+`0GV8{x}9}Cf2}L}AgQhv^5tSkCQ-fh5}C+8a~$pLoFc7J zjnJF^pmLcaOyXRBjU(6GL#+?!m^P!$|1;+K)Zdo6fxS?s(`+;#%Cmf1(UQf75y7dh zSKY4KG!owWBIn$*CgG1I*+h0kl2wapj4MYqbbjT!YG?ssPoo)-a8tR#TC@R>zRuL9 zXOnewSq*dS4HnVBGYe0EnTpTCAQ)@L`Ynk)lJ?tD>D+MpQ#_=HF%A;#>gimOilnM{ z3a5^LDa<0!h}USGa%_vBaZ}CI_30112AdSJzyKBcXl1zJs|Ag!rshh6mn} znhw$~JQK`?FgjqupuqwF*ZK{{0b`crEOX4qL)KMY@LyB70I``}SivTF*q4OFCw)I4 z<+O>hqsWKSlt6HDf(~Ckunk9De3#WTd@vO-`yvP^sg&y`d31rsA+sjf7Pb&fOTc-> zy4OYR0qs_`7*Gz@^t2-4I-o9+S(wL;gyEaDjT++9C>@7pDugo53Xymw1`5` zB<(+JM@UK|l6lUY%YMVUYYUpUa5(a~O)fFvMwt!n!H%_ZQW5*^;gb(MVU~8_(Fj zvQ;Q>qo9W&5X-{RGHK>^(eCx)rz@Hetqr{Y^kHcoQo$1QPM<9 zb%1mSA|Z5s6fq_wNHO0we0M^*UNf6PV2_gV2Cgbo$JsU$ruuZV<+`S4z0@X>!=Kg++k0Kv(Q|B*0 z%A)oEoM#^S2_G^D+7UjxVY<98<;U$Kw{IP_@M1QF zusR~9ck^-Hdxph0`-bl(qX6)jg-LYNZvt2DqJGJI%_Rm~#0ObG`~X>NQNgEHd#uUL z1LD)SLn$Q0Bm;*dXt@^$n{sx<7n|=_Fj-P{N;#fnex-Xn7H%zZ;_htJsY!r|2xUw{ zN(~QBqv0RL*AfA?Q6A#@y8|c#&3i#Oo+aRYZJ8&_0bFFGu}-d4JJ!EN7p00$b)gFH X&Grf*PjdnJ^_fM8&pAmvs_GMOvS~H$ literal 1672 zcmV;326y=YM@dveQdv+`0OSP196evUOxPpCVcN7cdUyz`IvFQyeCA~g=UN6tBA~Ok zn=nv_T7MVueXUv+*ZTHa$+JU^)k z;{}*6C08L?VAu9re`G3n-k{e-=X~7g!yteG#YQr49c$O==#O>4j@!BT{~G2)@5kRa z`5Las+Og2xeen`T>D8&0Ev~curVRmOXrs@uh=!}!@HJw!`_W%V6;(J26V@OFj6;U8 z!c=gId>9Y}`k;F>nqWIrl13oGD7qs{uEiNZgiIp-dV4J4^Beg~Q_kI`Y=;^XEBWcQ zp0PbuS&KWVnG3@nvNQ**iXWitnxRd=OZSryWwB;$Yz#h^B5#}vMS6}NCxjQRq}(S55^X(lmflsz5PM7f8$QICV5z|<<1 zj03$Ma`kE>8DkEQOTT1_@@(R`Z-DR2F7V~r!oVGGlX5BZTQt;burco;mrR^ zhaiQ`G`HYwufwmOPk;|aSGPF8WW!Z({s4l;xmyuqq-3$q)Nxl}S3D(yIQ6tR0vWB{ z3O!S#>Jfsv60+GpB^;JMRRW{C{EL$t2r~Au_6cC?T76X=4hX?R<0G$Y!d}SB4>-0p zge4Yz`}k&ZzzIOKjR+ludkZE&H3V;Ca@;3OA<~@b;W0m^hGKM_T(xJ#Y;~Nugdxq| zS3CDNw4eb;V;Uzr@HyrK>78Hv9ik5BI+{d6yx0pE8wE)`cdu;j>7mu|0x#vs|J*VP 
z4LO)C4$b~k$Dgt6P)$5TBHh;B;R6tpA;esYoi~i)MO?^JP0EDa`HV<{SNcDdRi@uX zH`1ly0gG;5aYFCvglFW~vMk!ZyiAAa?^X}d*6z%i%nvweg$d%i?T0^GA)(~?Q;P3i zpC3*}I)%5iyYrDgdVWf8$IY;4v49UQ2psx+G8ez-neJfjU!m*)~emDV*M6EE~r)sn~8e|dj2zhdyixsk%bzcT?qH`|kyU@C{JS|QVzg%Tj3 zKTij3;yOq&4G7O{;ToYA^myH+GH(A45=g**)!mc6q_^#PFiP(O6s?0Yk;%9x;RLs9 zNNJ!MM4!u=dtePT^x^kbQ&bfs@jWk^lm{Yb^f3lF+e~2BA3G=(+2HT}W(ktl8mN)^ zuPU;9?E>p_nAMlJVH-1pe%1}dhm#35pxvp;W%2`WD?=OqDfu2+Y^e|tG*$?2W-3f; z$J--`>u%Abyza8&oS7vfyzYn?9S^4u%1@L7J0H{WaP*wN4xxZ3I~pT0^6;@9B=+v-ID8@Jai!>{7|;9ZH^n)tHQ>tBXZ zQsZN`Z|$lA*;eI5IddwV!R8+chdDn`T!y(DG{=wiBj_SW*39wO9DOFhm#kV;NRg{i z0qo+R*EZ_M_yv$bdM@R15L2?+mk+@Gg%CWI_-~lp=tX&?a^=T&L_4Azowl9y(eYCE zE)Be_zIP>5QX+>V^bp8e>Vql{m=q@n%8Y{en22O{ObNbMOWxe1KPt99-k5wSz)9#f zUkiocl91t+Lj8m`tg0ufD7m5478uFB-5Yf0`k>Qv@>Zoe_lrn3-LZQFgnacU_?jE@ z z&YS~#-YIIG-1XIiHrovi6IJttH3Q{~o@fbA%cR3Mfv#C1vR*C$!!O-5MkgAFfO*-R za4eDDq6jsg;jb~#Au>~@^*oYyp<8;P2lQh-tq5WI9tx-2rJ5QGWGDtbIe#1{rH2^I S2xPm937IVSY@c2;iVk+UCOl*S 
diff --git a/.secrets/k8s-secret-fluxcd-ssh.yaml b/.secrets/k8s-secret-fluxcd-ssh.yaml index eff253f87cb231f5ff74f6a01703f405e337c8cc..60f05223ddebfd6f1c3e77d2419031ecd747b797 100644 GIT binary patch literal 3662 zcmV-U4zck7M@dveQdv+`0Oohu5GzAB7Ps7@YpT@yvFFIs|HTM87>|keV9>*+McnJ2 ze@~{qb$$O{t7&rV0DWD zb{u<%A4e&;G<129Fn&(}I@7nQmSo)C?aaH7s(Jjn>UI99 z3KFT^3rAgrVwBc1GRw$BwgXwd5cgoQG@l-v%h9_mYzx7ek{XRNX}YeArMvipHpeey zoL38+IjhLk=@nzi}9iS@rf#br!V8T4E%x(*X;9oA>xee^Yk%MFf^u zM$gcxRaRdat&to2JgM7Yed9MB(Wq4_velvNMaC~Q|%efb;UPxc!Oj34bx z3_1E0k+<90I>dTZx9GY#v!r0*7tgK3VkmK&Xdc zYt~vE)~_B-g`t5t?miw6OXA-kyUjI7Lp8=`NCK9ScHwzX{cg#3^#+DcS%4OC%==AF zZx9kjQL@^n2@6Dj{9U0mTcWowTi~e&G8#XV@X%Ic`@W{GQ|vqJrj65??Heg9@jl_^ zp}Y#vaoEfjmxzyl$A;OI?Fll*VBz3`$n{i2a12bZ^$_+HWpY0s6yTO{ia}>kl(9HE z{2LzFS|;6sl!L53dAC(k&gM!Gf_-SR1P8$7J(Axgs$W6D3Vqx(E@4N~kgD`vD3ODf z4=<;ms~yS{d{!6Sh;o%>#+@%iVd%78UvwJ$oh^|e_Iv&ag8t;{@*RFxMJh!pq9d!f z_oUF$QD;gh%*!C=MQhuD8Pi1hD<`B9hd zC%-H@=uCXXP#e1!SZIU(Z;jzR^w~4v~B?(9x?@#dEk@1k7!@dPP~LV+3m0b5eI}G?p&Q zlnxMwEh+wO-}FHL#lzypf@x=ERO5gWasj?)s^tKh#;8(rPl9C-6j~OA>>}{V?$D20 z-f!u17JG}!CduzFTI;EXzTXQSub>B7$%oT7S6R`6^~|{!k$#3B>~TbI?%qqN|9E$c zT~|`Vnf#`xq(07yD-XAHX-rOMzJE%F^#lrpek*AAhHy<4p{y7d8tYO?`H{+IIc#?a zD{Au1v^oU20+^qU>iUusbLgGaze2IK&;H`=!%|d)pv+jaEUgI%o$uHy_pWK-uX2MN zQmQ!K6*$)EmTR!AG{wTroG1>UD)H(?0|GKx2#d8ohlRYq(&bA^%SdvCC$ocFQ9&z%Ymb3d-Hk|Bi=mj2}$A2zHg) ze=%w@%XhX=#a&kWKT=aMQ=Bk`4`-qZ5NHlNs(aOplt{gNH};OtTLl@NOHjmgOrz~< zlDi?fMnbwZCD30I)$emppbg}XrxS^6v63A%LxP? 
zl`fo6=QLatV+D5m4;<5yA%e?|X-7r`TLR5H zKz9S*GochA#ysRXOt0pWSRf%)Cv*a1spWYefKVdqHv%$;{s5-8y>~a}6=99Xp{By` znrZ!iNt{r+juy)!hT*kO@9|wdy8uyaVt#J_SqIP6z0tQQ-`y)B^r!P&v@3_UiVj~> zpRS8#01g*O=To}HG`s__H_k+>ftl8r0_k(e4k%~CZR#n?Vj`gTIZ>rA!DL047^}1f zHb2%1f3OL1xQRS-_b2{rtgb7AsP9HfE}5I^oJtjj&#d@`a2NCUot-P651l^0cRP&Q zVvGFgxrC{ZuBuUTKEZ@1#YHB)6ADE{eGQ89I)$0s z!}sob=?>IoP#%1gWnjb*!W1GMV7D;NV3eO8fg@kFG=jFGX=HfPE9T~084LATqF^Qk zxhE4*g3##JN=5WGw}#S+w50$b@t(z%*712uv2lOtIGX1-E=aA>5~(}X6vYn(_fgXx zJ+9m(AKO8b5T*#g0u2A6X6;Ol43&?s9sXi#Iht{{K@g$@IYcVty#~TiQd#I_P=emg zEE_B$DTJ4!n=|(WEFE%g(zZ%bWyzd-(ZZArWlA0v#9)xrYfMD&!NX{)=znkVwR)jM zy@iaFjg?qzPkW@9H;`HdmJM2UA5a&vP(kYxXp$gO*p#^Db*Ptf#-R~6u*n+ien8Qm zEl_{8hqLL@$JcPA#tE2bzZusQt$72r6uXV*XF_`NMIOpyOS)*dW0M@t+9w*v?{ux( zs~7lhoQT2Tt#6(f)h^-<^9d47DDBSSvJNQZqb1~J9161x7BJ4g>I8GFJ(S8ti#Ywk&J!=f>Y+u_=;w+fKCg+$_m+$ryyzan+G z(w_&xqZx#ze%IgO1RU3o#hR-EOQf(5zQhovF1`uDfY|8&ZeDxCRnl+Sk- zBjM5i1$Y#p^;sb%mb26V7 zg~(20QXmtBCYvHEEI}J3XNn%aNWbxdFwG(#C4#{Rqm;1u*&=jD(fLDU7ykT9zF7WO zrTe)kNJO4eK0(x2@`Np@J|rmLhK5W*h}Fo})!#JLkFue)XNU)mbL}^si%l%VmuDLh ztBUm~tfrAao}ki7;B`Fs3@6rN;E|sJU>a(KrlD~K41sri648EYhvrp)ZJrl>wjt_7 zLC8QUC(KQ-qvQb29A<6CL8yM}g+>E0Rd4le#t6a}8_~Fq+1ckg1Ge)AaDtnm15(#| z1{1VV0#=QolP~uacs|;ml64ie+8w*mk*Z8N2fU6AkuS2JWpiT|`!pwu9=mL9HA2Yih(%#NU7L+oAe}oe+O#o?{kAHa zi@`WU&n-R0J^&+hR-)9%z3UQ+q+s*aYl>U&0iEfN0gRQ>Je6ck z-xLM9 z*-q`8m#EuGaVFomLu6O|1s;FP2oXU5!T~b72VfU}^&XNax?l=?ti-k0- zi|5v@=0Egws%4e&0rKB!<@^7XmtNWR!we}9t8A{@8gu4|Bis^5Et8^;u$}_kwims; z@@FQ9QTNw?#Pcv*aaW>2t<$Ec;R37+wz~XqJF5mquT-L##0k75V!V@LbLyLT)-HLW g(#V>~;yGV*bn67a_M2BiwX52ZWjYXH5l(YA>D-(m1^@s6 literal 3653 zcmV-L4!ZFGM@dveQdv+`02^522rrCCPXwFT(iy*#nT2tBS5$gbGM2+9&u}ao9noqP zs>|2T9@Xg1J7-o%erF`}K5Ld}YL-G69t$`1jwRf7GMiZk$Hw6luP|Zjsz38=A#R>s zjP$oQH%~;fc_g_ATsfEKEx9fz4Qy?DoD2M=XI@dubaJ@fo2SXr7kC|F<(UfUFIfB< z?{FdPM((FLZ)1bLRk;iFm>Qu(3J-q8>)oz;gAkt~>hRQix~4~|NFzgd($xT zjBsCP6-$H0Jf$TTBYn?F(2Y2~CeiXrU8Md#Dd1~yOvc$Niq>^WXr-=S1}*ux!~{rR8-y< 
zoB4Olr_lIcM0_AFoNGFUdx$s%>mm`pg$32jq)-zw?$-v};SW66Wb_MLt=-X^VfIIW;AGbOML>k$8Q zEl|Y)7|<1>{IXt{RqD`#xw14MOFh{X1Qg48zefpe{Hm2%Q^jw1TZM?MP6Pu~UcTk3 zr$Mj@ig4M32u>scIO(1)uw7l%OdkyoQT55MNUdMjP z^S?A`T9HjD5*@BTH!GEO)onvSTw&SBMxwEb&Ptg)!nOT!ft+~rBuKEfC(&Jmf1E?F@Lr_7;qzJq?-WqZrJcV(F6Mx^bp0`Xn82)A6rkA3l}A=4BRD%c z6lviIt|-Y^iKm(28ET}GrGfgB5NL;s%G|tYxF#Kp=9E$()ZiF{!!O<}hwQ4as9?dQlwr zjlVs$X`WRbK@pJU430X8ex2ccJwW;nmWVMV(UZ2frgDS~x}}a=0MM%tKBs$(Q8$&Q zdcq3>Fl(v`|CD2AUZT$<{=@b0>^&2&iChu0%sdhm+EMZT`T7qquGkL+GG{(1U)lH| zVduTcCokE5XtVz`T#fMm#(CtXK>Z6zre#ObwRv1)(%63UZ($RzM8CzahJ8i5`7*MI zTQ5~y5V(r1k}}?gi5e@#RV z<8?kvkMJKN4pS_DB)A=a36Wo&G45wQ{(Lu#h~%K^TWel=nziD_*pS-~QBD(2z*CJd zaXppg92LL87g(l(zUxveHp|UiY;O0BVrx;}ga@O(%*S@GfuD!im@D9ec)f-1I!_eX zrFT8Vz-lkC;H}kYiaDX@IhX|0HL87HS6rCQDUsV&>1*y3uv!luDTYv77{Jbp@TV~7 z+Z5}X&@!N?3xZ_UiXr}kOi1dvOv3+81^>dpT`b17t!b3 z1$nf|_bW*};iME@s61S&T*f>ILlr{lUl+$aP2hbPf*!U9mu<;ZeRQq%X^{$Z>{MU% z{G1#?TIwmI?yW76V&XhnqRrXG4Zr$rLupVP+-WcY`vk?de(yFh9;YAbK3tJt_bHu0 z`@G;s|2!0d#=y(XH9opIfopu@cGEpSc|Kk1Sp7Me4xEPqj($a7tspP}O-uuh06pj{ z*>aL=ogRMxlV-eTvf@)_O8d0%lQ7&h%#Q=@jxAvrFM98CBLl{0Clmq$^TCHwgpF}hv#gorK`z)oJ6`2*f8x$-Y zOQf!fArW?@xR3XR!mP|Ej-R#;TX05`3T&S<4Wpic_TAfDOF+W;VyHpnn?7+bXuz+k zr<|9mcjv2bDlk-ZKsIgGh9yiax~S3$5ITHlot%nruWtN_?&+?1eiY~*MWW&oVtg8q zvGly2M(om-7t106xg6-5u{|m`Rb-;csNO@yb5ze1pWqUIsfvq_omwl($>W-zp*_b> zn6=qZd)as(PtJcx7sQ`Lq>f>eil9HNfG0GDJ8?&IU@RZT?06S>e9C;B=>6T4_&b-) z`>&#K2lYJvnR46{m+KW2PovvFHZAYMjw!L{1lj0zNQ=n1CrJeZxB0ewj(YczGs3RH zJ|!-kuSm*oo7zNkG5a6mo1Z(2Vb*;_R3GN|Em_RwRVGtGMhIk$&8#H4&E>?KUM#Eh z%{>4Gu-_PmU1tt)S!UCdf+TUP=HX?`77fnX$ah~-4ejTzJ1#?OeY1Q0bwn!18CH^L z8h_b|%X678n7k7U9N#e;t1vbg`7JXM*kKQvxLoWNx9xh>pB1B$vA39P0RY}Y@9})^ zIb;vQ@4k_mCTJ0RcUY074t@h+Lwbtt4@!lnjaXKC)v5nTtK3#SGvULa#cLEZ2@4Ut zX0O&Y$c@EhXb;y^e1>HaHZ@_@p$$yvCx+~pKkh?0`}Co_BBe5YVfVHqyNm?EdJDaH z<4L8onz;4 zQi&qRd)d{Zm&=B4y_nC>B}F+tb8UAL_?3 zV#DxB$h9<-qfGqGe3^7PqI0?~p6Qq~SjL_}oPwS73w(C+|9gzEg8r>?CgOI2h|-+F zPL$**=(sbZ++pzQbS)+`J;S~xD$YVCw!HWR>?1DETW*AHDQNV7YT*mBWaI2Q2OAbU 
zMwec00cp^zl%i5R(rEu{8eFB>o+fg72)bI&%PHt3mRMnSlIp)(fu8r=Rf{H%?vm@&o7D6MEmjdrgWV{Caq5sj>`T*49bD!BG zpdHydl*Zt|H|rK{utW6e4dW!nNNH4Yep3u`tjtJHomB82xnsZ4F<#c^0#jzCOo6Ls z4?x19>l5&{0V8d5>LJF2N)&fBL*j^x4+JYGs9}+J{(bCt)%LridUl&d&8T@(Mk;>B z6Q4l~U>?7N((}SQH@oG^*{@LfHZYm?uOnLOZTa|Qw7jGw&E+x+Rc@QdP@^*b7BDT< z%7_MDA%ArL9GL-+uTEk?9r0-y+p`*yM7z^UAEzLEvTQ!LfE}JyaUeVCa`V8>>;991 zwlOi$oHGj()&ehpYGzSVFffqXf6f;A(aVRfs!SW1PY^g_oUac!Q}ZOA~?@gjG-4 z@msrW63{%V zIkn@FkYs62ZTBw8n~b;N!An@}{J4h6b4wY-Gy67@)qrxmU=@S^b7Qh_dHiZHqIES9 zUd<+MPexy?$fA|kGH|yd&^IOELATJpW!6zhkau&%{f_Xl3dk}ISg<~x4s&uS*mbsF zR3@-61_w{LT+bTWIAhK*M>P`Z2M-bXr8D~_k6Nq6ihNw<(q3mSQ{Qr=kemCZ@>Er( zDIH8m@>%Obq(a=oZHkkL*OG_r%^h)^J90{eqt`cfY(r7_o%hhAlp2VGe!4;r^jog< X`4hmXfXNK~zYR;%T$JSY6){IGa5owS diff --git a/bootstrap/install.sh b/bootstrap/install.sh new file mode 100755 index 0000000000..d8c6d9e4c8 --- /dev/null +++ b/bootstrap/install.sh 
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+# TODO: automatically update the ~/.kube/config with required context generated.
+KUBECONFIG=~/.kube/config:~/projects/k8s-install/ansible/playbooks/output/k8s-config.yaml kubectl config view --flatten > ~/.kube/config
+
+if [[ ! $(gotk) ]]; then
+ echo "gotk needs to be installed - https://toolkit.fluxcd.io/get-started/#install-the-toolkit-cli"
+ exit 1
+fi
+
+# Untaint master nodes
+# TODO: Enable Ansible to allow configuring the taints to be added/removed.
+[[ ! $(kubectl taint nodes --all node-role.kubernetes.io/master-) ]] && echo "Masters untainted"
+
+# Check the cluster meets the fluxv2 prerequisites
+gotk check --pre
+[[ $? -ne 0 ]] && echo "Prerequisites were not satisfied" && exit 1
+
+gotk install \
+ --version=latest \
+ --components=source-controller,kustomize-controller,helm-controller,notification-controller \
+ --namespace=gitops-system \
+ --network-policy=false \
+ --arch=arm64
+
+if [[ -f .secrets/k8s-secret-fluxcd-ssh.yaml ]]; then
+ echo "Applying existing sealed-secret key"
+ kubectl apply -f .secrets/k8s-secret-sealed-secret-private-key.yaml
+fi
+
+if [[ -f bootstrap/repo.yaml ]]; then
+ echo "Applying Repo Sync"
+ kubectl apply -f bootstrap/repo.yaml
+fi
diff --git a/bootstrap/repo.yaml b/bootstrap/repo.yaml
new file mode 100644
index 0000000000..9b3d84d9bc
--- /dev/null
+++ b/bootstrap/repo.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+ name: k8s-gitops
+ namespace: gitops-system
+spec:
+ interval: 5m
+ ref:
+ branch: fluxv2-init
+ url: https://github.com/raspbernetes/k8s-gitops.git
+ ignore: |
+ # exclude all
+ /*
+ # include deploy dir
+ !/namespaces/
+ /namespaces/**/*.md
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+kind: Kustomization
+metadata:
+ name: k8s-gitops
+ namespace: gitops-system
+spec:
+ interval: 5m
+ path: './namespaces/'
+ sourceRef:
+ kind: GitRepository
+ name: k8s-gitops
+ prune: true
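Review bot: The kubeconfig merge on the `KUBECONFIG=... kubectl config view --flatten > ~/.kube/config` line truncates `~/.kube/config` before kubectl reads it (the shell opens the redirect target first), so the merged output can only ever contain the ansible-generated contexts and the user's existing entries are lost; write to a `mktemp` file and move it into place, which also keeps the `--flatten` output (embedded credentials) at 0600. `[[ $? -ne 0 ]] && echo "Prerequisites were not satisfied" && exit 1` is unreachable under `set -e`, because a failing `gotk check --pre` already terminates the script on the previous line. `[[ ! $(kubectl taint nodes ...) ]] && echo "Masters untainted"` is inverted: a successful removal prints a `node/... untainted` line to stdout, so the message appears only when the command produced no output, and the command's exit status is ignored inside the command substitution. The sealed-secrets block tests for `.secrets/k8s-secret-fluxcd-ssh.yaml` but applies `.secrets/k8s-secret-sealed-secret-private-key.yaml`, so the guard does not protect the apply (presumably it should test the file it applies); note too that every path is relative, so the script only works from the repository root, which a header comment should state. The rewritten lines follow; the repo.yaml hunk on this line raises nothing.
```shell
# … unchanged: shebang and set …
# Merge into a temp file: redirecting straight onto ~/.kube/config truncates it
# before kubectl reads it. mktemp creates the file 0600, which the --flatten
# output (embedded credentials) should keep.
merged=$(mktemp)
KUBECONFIG=~/.kube/config:~/projects/k8s-install/ansible/playbooks/output/k8s-config.yaml \
  kubectl config view --flatten > "$merged"
mv -- "$merged" ~/.kube/config

command -v gotk >/dev/null 2>&1 || {
  echo "gotk needs to be installed - https://toolkit.fluxcd.io/get-started/#install-the-toolkit-cli" >&2
  exit 1
}

# … unchanged: untaint comments …
if kubectl taint nodes --all node-role.kubernetes.io/master-; then
  echo "Masters untainted"
fi

# Check the cluster meets the fluxv2 prerequisites
gotk check --pre || { echo "Prerequisites were not satisfied" >&2; exit 1; }

# … unchanged: gotk install …

if [[ -f .secrets/k8s-secret-sealed-secret-private-key.yaml ]]; then
  echo "Applying existing sealed-secret key"
  kubectl apply -f .secrets/k8s-secret-sealed-secret-private-key.yaml
fi
# … unchanged: repo.yaml apply …
```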
diff --git a/scripts/builder/Dockerfile b/build/docker/Dockerfile
similarity index 100%
rename from scripts/builder/Dockerfile
rename to build/docker/Dockerfile
diff --git a/scripts/builder/README.md b/build/docker/README.md
similarity index 100%
rename from scripts/builder/README.md
rename to build/docker/README.md
diff --git a/scripts/validate.sh b/build/validate.sh
similarity index 100%
rename from scripts/validate.sh
rename to build/validate.sh
diff --git a/cilium/calico-chaining/README.md b/cilium/calico-chaining/README.md
new file mode 100644
index 0000000000..bba5403a54
--- /dev/null
+++ b/cilium/calico-chaining/README.md
@@ -0,0 +1,116 @@
+# Cilium
+
+## Calico Chaining
+
+Documentation: https://docs.cilium.io/en/v1.8/gettingstarted/cni-chaining-calico/
+
+### Deployment
+
+```bash
+kubectl apply -f cilium/calico-chaining/chaining.yaml
+```
+
+```bash
+helm repo add cilium https://helm.cilium.io/
+```
+
+#### Helm Template (Optional)
+
+```bash
+helm template cilium/cilium --version 1.8.90 \
+ --namespace=kube-system \
+ --values=cilium/calico-chaining/values.yaml > cilium/calico-chaining/cilium.yaml
+```
+
+```bash
+kubectl apply -f cilium/calico-chaining/cilium.yaml
+```
+
+#### Helm Install (Recommended)
+
+```bash
+helm install cilium cilium/cilium --version v1.9.0-rc0 \
+ --namespace=kube-system \
+ --values=cilium/calico-chaining/values.yaml
+```
+
+### Testing
+
+Image: https://hub.docker.com/r/raspbernetes/json-mock
+
+```bash
+kubectl apply -f cilium/calico-chaining/json-mock.yaml
+```
+
+### Cleanup
+
+```bash
+kubectl delete -f cilium/calico-chaining/chaining.yaml
+```
+
+#### Helm Template Cleanup
+
+```bash
+kubectl delete -f cilium/calico-chaining/cilium.yaml
+```
+
+#### Helm Install Cleanup
+
+```bash
+helm uninstall cilium
+```
+
+```bash
+kubectl delete -f cilium/calico-chaining/json-mock.yaml
+```
+
+## Output
+
+```bash
+❯ k get po
+NAME READY STATUS RESTARTS AGE
+calico-kube-controllers-c9784d67d-pmh2h 1/1 Running 1 64m
+calico-node-j2ppc 1/1 Running 0 64m
+calico-node-m6c74 1/1 Running 0 64m
+calico-node-rhlw8 1/1 Running 0 64m
+calico-node-rm9nj 1/1 Running 0 64m
+cilium-62whg 1/1 Running 0 21m
+cilium-7q7bj 1/1 Running 1 21m
+cilium-b6zd9 1/1 Running 1 21m
+cilium-gwrmj 1/1 Running 0 21m
+cilium-operator-5cf59548b6-7vdn4 1/1 Running 0 21m
+cilium-operator-5cf59548b6-mthbh 1/1 Running 1 21m
+coredns-f9fd979d6-kh8j9 1/1 Running 0 14m
+coredns-f9fd979d6-zzwxk 1/1 Running 0 19m
+echo-a-66c7b457cb-5pnqn 1/1 Running 0 5m
+echo-b-5cb69b67dd-869ll 1/1 Running 0 5m
+echo-b-host-fbccc9bb9-9dgc6 1/1 Running 0 5m
+etcd-k8s-master-01 1/1 Running 0 115m
+etcd-k8s-master-02 1/1 Running 1 115m
+etcd-k8s-master-03 1/1 Running 0 114m
+host-to-b-multi-node-clusterip-5b7666b85f-fnkn2 0/1 Running 4 4m56s
+host-to-b-multi-node-headless-7788c557df-shn2d 0/1 Running 4 4m55s
+kube-apiserver-k8s-master-01 1/1 Running 0 115m
+kube-apiserver-k8s-master-02 1/1 Running 1 115m
+kube-apiserver-k8s-master-03 1/1 Running 1 114m
+kube-controller-manager-k8s-master-01 1/1 Running 1 115m
+kube-controller-manager-k8s-master-02 1/1 Running 2 115m
+kube-controller-manager-k8s-master-03 1/1 Running 1 113m
+kube-proxy-bvvft 1/1 Running 0 115m
+kube-proxy-h6l52 1/1 Running 0 115m
+kube-proxy-x6fg9 1/1 Running 0 114m
+kube-proxy-zqnw8 1/1 Running 0 115m
+kube-scheduler-k8s-master-01 1/1 Running 1 115m
+kube-scheduler-k8s-master-02 1/1 Running 2 115m
+kube-scheduler-k8s-master-03 1/1 Running 1 113m
+metrics-server-64dd4994b-mw8g2 1/1 Running 1 108m
+pod-to-a-85c9d7755c-29fnd 0/1 Running 4 4m59s
+pod-to-a-allowed-cnp-655c99c98f-7q84v 0/1 Running 4 4m58s
+pod-to-a-denied-cnp-7998f5bd67-jrxg7 1/1 Running 0 4m58s
+pod-to-b-intra-node-nodeport-8d9fb4ccc-gb45d 0/1 Running 4 4m53s
+pod-to-b-multi-node-clusterip-c6b4b97c7-kmgdx 0/1 Running 4 4m57s
+pod-to-b-multi-node-headless-54649b5569-s6rmd 0/1 Running 4 4m56s
+pod-to-b-multi-node-nodeport-75bfddc769-gh4ql 0/1 Running 4 4m54s
+pod-to-external-1111-64cffd6cd7-xmvs5 1/1 Running 0 4m59s
+pod-to-external-fqdn-allow-google-cnp-95c44f8ff-ftm5b 0/1 Running 4 4m57s
+```
diff --git a/cilium/calico-chaining/chaining.yaml b/cilium/calico-chaining/chaining.yaml
new file mode 100644
index 0000000000..42c870dc04
--- /dev/null
+++ b/cilium/calico-chaining/chaining.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cni-configuration
+ namespace: kube-system
+data:
+ cni-config: |-
+ {
+ "name": "generic-veth",
+ "cniVersion": "0.3.1",
+ "plugins": [
+ {
+ "type": "calico",
+ "log_level": "info",
+ "datastore_type": "kubernetes",
+ "mtu": 1440,
+ "ipam": {
+ "type": "calico-ipam"
+ },
+ "policy": {
+ "type": "k8s"
+ },
+ "kubernetes": {
+ "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
+ }
+ },
+ {
+ "type": "portmap",
+ "snat": true,
+ "capabilities": {"portMappings": true}
+ },
+ {
+ "type": "cilium-cni"
+ }
+ ]
+ }
diff --git a/cilium/calico-chaining/cilium.yaml b/cilium/calico-chaining/cilium.yaml
new file mode 100644
index 0000000000..00b593c194
--- /dev/null
+++ b/cilium/calico-chaining/cilium.yaml
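Review bot: The `cni-config` ConfigMap carries no comment on what consumes it or what its hard-coded values are tied to, and nothing in the hunk says it has to exist before the Cilium agent starts. It is presumably picked up because `custom-cni-conf: 'true'` is set in cilium.yaml in the next file, and `"mtu": 1440` plus `"kubeconfig": "/etc/cni/net.d/calico-kubeconfig"` presumably have to match the existing Calico installation; a comment above `cni-config: |-` such as `# Read by the cilium agent when custom-cni-conf is 'true' (see cilium.yaml); mtu and the calico kubeconfig path must match the Calico install` would record that for the next reader.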
@@ -0,0 +1,668 @@ +--- +# Source: cilium/charts/agent/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium + namespace: kube-system +--- +# Source: cilium/charts/operator/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium-operator + namespace: kube-system +--- +# Source: cilium/charts/config/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: cilium-config + namespace: kube-system +data: + disable-envoy-version-check: 'true' + + # Identity allocation mode selects how identities are shared between cilium + # nodes by setting how they are stored. The options are "crd" or "kvstore". + # - "crd" stores identities in kubernetes as CRDs (custom resource definition). + # These can be queried with: + # kubectl get ciliumid + # - "kvstore" stores identities in a kvstore, etcd or consul, that is + # configured below. Cilium versions before 1.6 supported only the kvstore + # backend. Upgrades from these older cilium versions should continue using + # the kvstore by commenting out the identity-allocation-mode below, or + # setting it to "kvstore". + identity-allocation-mode: crd + + # If you want to run cilium in debug mode change this value to true + debug: 'false' + + # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4 + # address. + enable-ipv4: 'true' + + # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6 + # address. + enable-ipv6: 'false' + # Users who wish to specify their own custom CNI configuration file must set + # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration. + custom-cni-conf: 'true' + enable-bpf-clock-probe: 'true' + + # If you want cilium monitor to aggregate tracing for packets, set this level + # to "low", "medium", or "maximum". The higher the level, the less packets + # that will be seen in monitor output. 
+ monitor-aggregation: medium + + # The monitor aggregation interval governs the typical time between monitor + # notification events for each allowed connection. + # + # Only effective when monitor aggregation is set to "medium" or higher. + monitor-aggregation-interval: 5s + + # The monitor aggregation flags determine which TCP flags which, upon the + # first observation, cause monitor notifications to be generated. + # + # Only effective when monitor aggregation is set to "medium" or higher. + monitor-aggregation-flags: all + # bpf-policy-map-max specifies the maximum number of entries in endpoint + # policy map (per endpoint) + bpf-policy-map-max: '16384' + # bpf-lb-map-max specifies the maximum number of entries in bpf lb service, + # backend and affinity maps. + bpf-lb-map-max: '65536' + # Specifies the ratio (0.0-1.0) of total system memory to use for dynamic + # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps. + bpf-map-dynamic-size-ratio: '0.0025' + + # Pre-allocation of map entries allows per-packet latency to be reduced, at + # the expense of up-front memory allocation for the entries in the maps. The + # default value below will minimize memory usage in the default installation; + # users who are sensitive to latency may consider setting this to "true". + # + # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore + # this option and behave as though it is set to "true". + # + # If this value is modified, then during the next Cilium startup the restore + # of existing endpoints and tracking of ongoing connections may be disrupted. + # This may lead to policy drops or a change in loadbalancing decisions for a + # connection for some time. Endpoints may need to be recreated to restore + # connectivity. + # + # If this option is set to "false" during an upgrade from 1.3 or earlier to + # 1.4 or later, then it may cause one-time disruptions during the upgrade. 
+ preallocate-bpf-maps: 'false' + + # Regular expression matching compatible Istio sidecar istio-proxy + # container image names + sidecar-istio-proxy-image: 'cilium/istio_proxy' + + # Encapsulation mode for communication between nodes + # Possible values: + # - disabled + # - vxlan (default) + # - geneve + tunnel: disabled + + # Name of the cluster. Only relevant when building a mesh of clusters. + cluster-name: default + + # wait-bpf-mount makes init container wait until bpf filesystem is mounted + wait-bpf-mount: 'false' + # Enable chaining with another CNI plugin + # + # Supported modes: + # - none + # - aws-cni + # - flannel + # - portmap (Enables HostPort support for Cilium) + cni-chaining-mode: generic-veth + enable-identity-mark: 'false' + # Disable the PodCIDR route to the cilium_host interface as it is not + # required. While chaining, it is the responsibility of the underlying plugin + # to enable routing. + enable-local-node-route: 'false' + + masquerade: 'false' + enable-bpf-masquerade: 'true' + enable-xt-socket-fallback: 'true' + install-iptables-rules: 'true' + auto-direct-node-routes: 'false' + kube-proxy-replacement: 'probe' + enable-health-check-nodeport: 'true' + node-port-bind-protection: 'true' + enable-auto-protect-node-port-range: 'true' + enable-session-affinity: 'true' + k8s-require-ipv4-pod-cidr: 'true' + k8s-require-ipv6-pod-cidr: 'false' + read-cni-conf: /tmp/cni-configuration/cni-config + write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist + # Disable health checking, when chaining mode is not set to portmap or none + enable-endpoint-health-checking: 'false' + enable-well-known-identities: 'false' + enable-remote-node-identity: 'true' + operator-api-serve-addr: '127.0.0.1:9234' + ipam: 'cluster-pool' + cluster-pool-ipv4-cidr: '10.0.0.0/8' + cluster-pool-ipv4-mask-size: '24' + disable-cnp-status-updates: 'true' +--- +# Source: cilium/charts/agent/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + name: cilium +rules: + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - namespaces + - services + - nodes + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - pods + - nodes + verbs: + - get + - list + - watch + - update + - apiGroups: + - '' + resources: + - nodes + - nodes/status + verbs: + - patch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get + - list + - watch + - update + - apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies + - ciliumclusterwidenetworkpolicies/status + - ciliumendpoints + - ciliumendpoints/status + - ciliumnodes + - ciliumnodes/status + - ciliumidentities + verbs: + - '*' +--- +# Source: cilium/charts/operator/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cilium-operator +rules: + - apiGroups: + - '' + resources: + # to automatically delete [core|kube]dns pods so that are starting to being + # managed by Cilium + - pods + verbs: + - get + - list + - watch + - delete + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + # to perform the translation of a CNP that contains `ToGroup` to its endpoints + - services + - endpoints + # to check apiserver connectivity + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies + - ciliumclusterwidenetworkpolicies/status + - ciliumendpoints + - ciliumendpoints/status + - ciliumnodes + - ciliumnodes/status + - ciliumidentities + - 
ciliumidentities/status + verbs: + - '*' + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + # For cilium-operator running in HA mode. + # + # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election + # between mulitple running instances. + # The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less + # common and fewer objects in the cluster watch "all Leases". + # The support for leases was introduced in coordination.k8s.io/v1 during Kubernetes 1.14 release. + # In Cilium we currently don't support HA mode for K8s version < 1.14. This condition make sure + # that we only authorize access to leases resources in supported K8s versions. + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +--- +# Source: cilium/charts/agent/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium +subjects: + - kind: ServiceAccount + name: cilium + namespace: kube-system +--- +# Source: cilium/charts/operator/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cilium-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium-operator +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: kube-system +--- +# Source: cilium/charts/agent/templates/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + k8s-app: cilium + name: cilium + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: cilium + template: + metadata: + annotations: + # This annotation plus the CriticalAddonsOnly toleration makes + # cilium to be a critical pod in the cluster, which ensures cilium + # gets priority scheduling. 
+ # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/ + scheduler.alpha.kubernetes.io/critical-pod: '' + labels: + k8s-app: cilium + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: k8s-app + operator: In + values: + - cilium + topologyKey: kubernetes.io/hostname + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + livenessProbe: + httpGet: + host: '127.0.0.1' + path: /healthz + port: 9876 + scheme: HTTP + httpHeaders: + - name: 'brief' + value: 'true' + failureThreshold: 10 + # The initial delay for the liveness probe is intentionally large to + # avoid an endless kill & restart cycle if in the event that the initial + # bootstrapping takes longer than expected. + initialDelaySeconds: 120 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + host: '127.0.0.1' + path: /healthz + port: 9876 + scheme: HTTP + httpHeaders: + - name: 'brief' + value: 'true' + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_FLANNEL_MASTER_DEVICE + valueFrom: + configMapKeyRef: + key: flannel-master-device + name: cilium-config + optional: true + - name: CILIUM_FLANNEL_UNINSTALL_ON_EXIT + valueFrom: + configMapKeyRef: + key: flannel-uninstall-on-exit + name: cilium-config + optional: true + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + - name: CILIUM_CNI_CHAINING_MODE + valueFrom: + configMapKeyRef: + key: cni-chaining-mode + name: cilium-config + optional: true + - name: CILIUM_CUSTOM_CNI_CONF + valueFrom: + configMapKeyRef: + key: custom-cni-conf + name: cilium-config + 
optional: true + image: 'docker.io/cilium/cilium-dev:v1.9.0-rc0' + imagePullPolicy: IfNotPresent + lifecycle: + postStart: + exec: + command: + - '/cni-install.sh' + - '--enable-debug=false' + preStop: + exec: + command: + - /cni-uninstall.sh + name: cilium-agent + securityContext: + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + privileged: true + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/opt/cni/bin + name: cni-path + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + - mountPath: /tmp/cni-configuration + name: cni-configuration + readOnly: true + # Needed to be able to load kernel modules + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + hostNetwork: true + initContainers: + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + - name: CILIUM_WAIT_BPF_MOUNT + valueFrom: + configMapKeyRef: + key: wait-bpf-mount + name: cilium-config + optional: true + image: 'docker.io/cilium/cilium-dev:v1.9.0-rc0' + imagePullPolicy: IfNotPresent + name: clean-cilium-state + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: true + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + mountPropagation: HostToContainer + - mountPath: /var/run/cilium + name: cilium-run + resources: + requests: + cpu: 100m + memory: 100Mi + restartPolicy: Always + priorityClassName: system-node-critical + serviceAccount: cilium + serviceAccountName: cilium + terminationGracePeriodSeconds: 1 + tolerations: + - 
operator: Exists + volumes: + # To keep state between restarts / upgrades + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + # To keep state between restarts / upgrades for bpf maps + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + # To install cilium cni plugin in the host + - hostPath: + path: /opt/cni/bin + type: DirectoryOrCreate + name: cni-path + # To install cilium cni configuration in the host + - hostPath: + path: /etc/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + # To be able to load kernel modules + - hostPath: + path: /lib/modules + name: lib-modules + # To access iptables concurrently with other processes (e.g. kube-proxy) + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + # To read the clustermesh configuration + - name: clustermesh-secrets + secret: + defaultMode: 420 + optional: true + secretName: cilium-clustermesh + # To read the configuration from the config map + - configMap: + name: cilium-config + name: cilium-config-path + - name: cni-configuration + configMap: + name: cni-configuration + updateStrategy: + rollingUpdate: + maxUnavailable: 2 + type: RollingUpdate +--- +# Source: cilium/charts/operator/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + io.cilium/app: operator + name: cilium-operator + name: cilium-operator + namespace: kube-system +spec: + # We support HA mode only for Kubernetes version > 1.14 + # See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go + # for more details. 
+ replicas: 2 + selector: + matchLabels: + io.cilium/app: operator + name: cilium-operator + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + annotations: + labels: + io.cilium/app: operator + name: cilium-operator + spec: + # In HA mode, cilium-operator pods must not be scheduled on the same + # node as they will clash with each other. + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: io.cilium/app + operator: In + values: + - operator + topologyKey: 'kubernetes.io/hostname' + containers: + - args: + - --config-dir=/tmp/cilium/config-map + - --debug=$(CILIUM_DEBUG) + command: + - cilium-operator-generic + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_DEBUG + valueFrom: + configMapKeyRef: + key: debug + name: cilium-config + optional: true + image: 'docker.io/cilium/operator-dev:v1.9.0-rc0' + imagePullPolicy: IfNotPresent + name: cilium-operator + livenessProbe: + httpGet: + host: '127.0.0.1' + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 3 + volumeMounts: + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + hostNetwork: true + restartPolicy: Always + priorityClassName: system-cluster-critical + serviceAccount: cilium-operator + serviceAccountName: cilium-operator + tolerations: + - operator: Exists + volumes: + # To read the configuration from the config map + - configMap: + name: cilium-config + name: cilium-config-path diff --git a/cilium/calico-chaining/json-mock.yaml b/cilium/calico-chaining/json-mock.yaml new file mode 100644 index 0000000000..efb0912997 --- /dev/null +++ b/cilium/calico-chaining/json-mock.yaml 
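Review bot: The agent container, the `clean-cilium-state` init container and the operator are pinned to development/release-candidate images by mutable tag (`docker.io/cilium/cilium-dev:v1.9.0-rc0`, `docker.io/cilium/operator-dev:v1.9.0-rc0`) while running with `privileged: true`, `hostNetwork: true` and `NET_ADMIN`/`SYS_MODULE` capabilities, so whatever that tag resolves to at pull time gets root-equivalent access to every node. For a component with that blast radius the image references should be pinned by digest, e.g. `image: 'docker.io/cilium/cilium-dev:v1.9.0-rc0@sha256:<digest-of-the-reviewed-image>'`, and a follow-up should move to a GA release of the non-`-dev` images; the same applies to the images in values.yaml. Separately, the `scheduler.alpha.kubernetes.io/critical-pod: ''` annotation on the DaemonSet pod template is a deprecated mechanism that is superseded by `priorityClassName: system-node-critical`, which is already set a few lines below, so it can be dropped along with its explanatory comment. The `monitor-aggregation` / `preallocate-bpf-maps` values and the rest of the ConfigMap appear to be chart defaults, so no change is needed there.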
@@ -0,0 +1,1012 @@ +# Automatically generated by Makefile. DO NOT EDIT +--- +metadata: + name: echo-a + labels: + name: echo-a + topology: any + component: network-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: echo-a + spec: + hostNetwork: false + containers: + - name: echo-a-container + env: + - name: PORT + value: '8080' + ports: + - containerPort: 8080 + image: docker.io/raspbernetes/json-mock:latest + imagePullPolicy: IfNotPresent + readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - localhost:8080 + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - localhost:8080 + selector: + matchLabels: + name: echo-a + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: echo-b + labels: + name: echo-b + topology: any + component: services-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: echo-b + spec: + hostNetwork: false + containers: + - name: echo-b-container + env: + - name: PORT + value: '8080' + ports: + - containerPort: 8080 + hostPort: 40000 + image: docker.io/raspbernetes/json-mock:latest + imagePullPolicy: IfNotPresent + readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - localhost:8080 + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - localhost:8080 + selector: + matchLabels: + name: echo-b + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: echo-b-host + labels: + name: echo-b-host + topology: any + component: services-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: echo-b-host + spec: + hostNetwork: true + containers: + - name: echo-b-host-container + 
env: + - name: PORT + value: '41000' + ports: [] + image: docker.io/raspbernetes/json-mock:latest + imagePullPolicy: IfNotPresent + readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - localhost:41000 + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - localhost:41000 + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - echo-b + topologyKey: kubernetes.io/hostname + selector: + matchLabels: + name: echo-b-host + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: pod-to-a + labels: + name: pod-to-a + topology: any + component: network-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: pod-to-a + spec: + hostNetwork: false + containers: + - name: pod-to-a-container + ports: [] + image: docker.io/curlimages/curl:latest + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - sleep 1000000000 + readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-a:8080/public + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-a:8080/public + selector: + matchLabels: + name: pod-to-a + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: pod-to-external-1111 + labels: + name: pod-to-external-1111 + topology: any + component: network-check + traffic: external + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: pod-to-external-1111 + spec: + hostNetwork: false + containers: + - name: pod-to-external-1111-container + ports: [] + image: docker.io/curlimages/curl:latest + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - sleep 1000000000 + 
readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - 1.1.1.1 + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - 1.1.1.1 + selector: + matchLabels: + name: pod-to-external-1111 + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: pod-to-a-denied-cnp + labels: + name: pod-to-a-denied-cnp + topology: any + component: policy-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: pod-to-a-denied-cnp + spec: + hostNetwork: false + containers: + - name: pod-to-a-denied-cnp-container + ports: [] + image: docker.io/curlimages/curl:latest + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - sleep 1000000000 + readinessProbe: + timeoutSeconds: 7 + exec: + command: + - ash + - -c + - '! curl -s --fail --connect-timeout 5 -o /dev/null echo-a:8080/private' + livenessProbe: + timeoutSeconds: 7 + exec: + command: + - ash + - -c + - '! 
curl -s --fail --connect-timeout 5 -o /dev/null echo-a:8080/private' + selector: + matchLabels: + name: pod-to-a-denied-cnp + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: pod-to-a-allowed-cnp + labels: + name: pod-to-a-allowed-cnp + topology: any + component: policy-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: pod-to-a-allowed-cnp + spec: + hostNetwork: false + containers: + - name: pod-to-a-allowed-cnp-container + ports: [] + image: docker.io/curlimages/curl:latest + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - sleep 1000000000 + readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-a:8080/public + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-a:8080/public + selector: + matchLabels: + name: pod-to-a-allowed-cnp + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: pod-to-external-fqdn-allow-google-cnp + labels: + name: pod-to-external-fqdn-allow-google-cnp + topology: any + component: policy-check + traffic: external + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: pod-to-external-fqdn-allow-google-cnp + spec: + hostNetwork: false + containers: + - name: pod-to-external-fqdn-allow-google-cnp-container + ports: [] + image: docker.io/curlimages/curl:latest + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - sleep 1000000000 + readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - www.google.com + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - www.google.com + selector: + matchLabels: + name: pod-to-external-fqdn-allow-google-cnp + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + 
name: pod-to-b-multi-node-clusterip + labels: + name: pod-to-b-multi-node-clusterip + topology: multi-node + component: services-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: pod-to-b-multi-node-clusterip + spec: + hostNetwork: false + containers: + - name: pod-to-b-multi-node-clusterip-container + ports: [] + image: docker.io/curlimages/curl:latest + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - sleep 1000000000 + readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b:8080/public + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b:8080/public + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - echo-b + topologyKey: kubernetes.io/hostname + selector: + matchLabels: + name: pod-to-b-multi-node-clusterip + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: pod-to-b-multi-node-headless + labels: + name: pod-to-b-multi-node-headless + topology: multi-node + component: services-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: pod-to-b-multi-node-headless + spec: + hostNetwork: false + containers: + - name: pod-to-b-multi-node-headless-container + ports: [] + image: docker.io/curlimages/curl:latest + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - sleep 1000000000 + readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b-headless:8080/public + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b-headless:8080/public + affinity: + podAntiAffinity: + 
requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - echo-b + topologyKey: kubernetes.io/hostname + selector: + matchLabels: + name: pod-to-b-multi-node-headless + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: host-to-b-multi-node-clusterip + labels: + name: host-to-b-multi-node-clusterip + topology: multi-node + component: services-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: host-to-b-multi-node-clusterip + spec: + hostNetwork: true + containers: + - name: host-to-b-multi-node-clusterip-container + ports: [] + image: docker.io/curlimages/curl:latest + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - sleep 1000000000 + readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b:8080/public + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b:8080/public + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - echo-b + topologyKey: kubernetes.io/hostname + dnsPolicy: ClusterFirstWithHostNet + selector: + matchLabels: + name: host-to-b-multi-node-clusterip + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: host-to-b-multi-node-headless + labels: + name: host-to-b-multi-node-headless + topology: multi-node + component: services-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: host-to-b-multi-node-headless + spec: + hostNetwork: true + containers: + - name: host-to-b-multi-node-headless-container + ports: [] + image: docker.io/curlimages/curl:latest + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - sleep 1000000000 + readinessProbe: 
+ exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b-headless:8080/public + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b-headless:8080/public + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - echo-b + topologyKey: kubernetes.io/hostname + dnsPolicy: ClusterFirstWithHostNet + selector: + matchLabels: + name: host-to-b-multi-node-headless + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: pod-to-b-multi-node-nodeport + labels: + name: pod-to-b-multi-node-nodeport + topology: multi-node + component: nodeport-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + template: + metadata: + labels: + name: pod-to-b-multi-node-nodeport + spec: + hostNetwork: false + containers: + - name: pod-to-b-multi-node-nodeport-container + ports: [] + image: docker.io/curlimages/curl:latest + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - sleep 1000000000 + readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b-host-headless:31313/public + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b-host-headless:31313/public + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - echo-b + topologyKey: kubernetes.io/hostname + selector: + matchLabels: + name: pod-to-b-multi-node-nodeport + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: pod-to-b-intra-node-nodeport + labels: + name: pod-to-b-intra-node-nodeport + topology: intra-node + component: nodeport-check + traffic: internal + quarantine: 'false' + type: 
autocheck +spec: + template: + metadata: + labels: + name: pod-to-b-intra-node-nodeport + spec: + hostNetwork: false + containers: + - name: pod-to-b-intra-node-nodeport-container + ports: [] + image: docker.io/curlimages/curl:latest + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - sleep 1000000000 + readinessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b-host-headless:31313/public + livenessProbe: + exec: + command: + - curl + - -sS + - --fail + - --connect-timeout + - '5' + - -o + - /dev/null + - echo-b-host-headless:31313/public + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - echo-b + topologyKey: kubernetes.io/hostname + selector: + matchLabels: + name: pod-to-b-intra-node-nodeport + replicas: 1 +apiVersion: apps/v1 +kind: Deployment +--- +metadata: + name: echo-a + labels: + name: echo-a + topology: any + component: network-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + ports: + - name: http + port: 8080 + type: ClusterIP + selector: + name: echo-a +apiVersion: v1 +kind: Service +--- +metadata: + name: echo-b + labels: + name: echo-b + topology: any + component: services-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + ports: + - name: http + port: 8080 + nodePort: 31313 + type: NodePort + selector: + name: echo-b +apiVersion: v1 +kind: Service +--- +metadata: + name: echo-b-headless + labels: + name: echo-b-headless + topology: any + component: services-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + ports: + - name: http + port: 8080 + type: ClusterIP + selector: + name: echo-b + clusterIP: None +apiVersion: v1 +kind: Service +--- +metadata: + name: echo-b-host-headless + labels: + name: echo-b-host-headless + topology: any + component: services-check + traffic: internal + quarantine: 
'false' + type: autocheck +spec: + ports: [] + type: ClusterIP + selector: + name: echo-b-host + clusterIP: None +apiVersion: v1 +kind: Service +--- +metadata: + name: pod-to-a-denied-cnp + labels: + name: pod-to-a-denied-cnp + topology: any + component: policy-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + endpointSelector: + matchLabels: + name: pod-to-a-denied-cnp + egress: + - toPorts: + - ports: + - port: '53' + protocol: ANY + toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: kube-system + k8s:k8s-app: kube-dns + - toPorts: + - ports: + - port: '5353' + protocol: UDP + toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: openshift-dns + k8s:dns.operator.openshift.io/daemonset-dns: default +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +--- +metadata: + name: pod-to-a-allowed-cnp + labels: + name: pod-to-a-allowed-cnp + topology: any + component: policy-check + traffic: internal + quarantine: 'false' + type: autocheck +spec: + endpointSelector: + matchLabels: + name: pod-to-a-allowed-cnp + egress: + - toPorts: + - ports: + - port: '8080' + protocol: TCP + toEndpoints: + - matchLabels: + name: echo-a + - toPorts: + - ports: + - port: '53' + protocol: ANY + toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: kube-system + k8s:k8s-app: kube-dns + - toPorts: + - ports: + - port: '5353' + protocol: UDP + toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: openshift-dns + k8s:dns.operator.openshift.io/daemonset-dns: default +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +--- +metadata: + name: pod-to-external-fqdn-allow-google-cnp + labels: + name: pod-to-external-fqdn-allow-google-cnp + topology: any + component: policy-check + traffic: external + quarantine: 'false' + type: autocheck +spec: + endpointSelector: + matchLabels: + name: pod-to-external-fqdn-allow-google-cnp + egress: + - toFQDNs: + - matchPattern: '*.google.com' + - toPorts: + - ports: + - port: '53' + 
protocol: ANY + rules: + dns: + - matchPattern: '*' + toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: kube-system + k8s:k8s-app: kube-dns + - toPorts: + - ports: + - port: '5353' + protocol: UDP + rules: + dns: + - matchPattern: '*' + toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: openshift-dns + k8s:dns.operator.openshift.io/daemonset-dns: default +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy diff --git a/cilium/calico-chaining/values.yaml b/cilium/calico-chaining/values.yaml new file mode 100644 index 0000000000..b4c05eeedd --- /dev/null +++ b/cilium/calico-chaining/values.yaml @@ -0,0 +1,25 @@ +# https://github.com/cilium/cilium/blob/v1.9.0-rc0/install/kubernetes/cilium/values.yaml +operator: + image: docker.io/cilium/operator-dev:v1.9.0-rc0 +agent: + image: docker.io/cilium/cilium-dev:v1.9.0-rc0 +config: + enableIdentityMark: false + disableEnvoyVersionCheck: true +global: + cni: + chainingMode: generic-veth + customConf: true + configMap: cni-configuration + tunnel: disabled + masquerade: false +# hubble: +# relay: +# enabled: true +# hubble-relay: +# image: +# name: hubble-relay +# tag: latest +# pullPolicy: Always +# numReplicas: 1 +# servicePort: 80 diff --git a/config/flux/values.yaml b/config/flux/values.yaml deleted file mode 100644 index 4245c5e4df..0000000000 --- a/config/flux/values.yaml +++ /dev/null 
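Review bot: values.yaml and the rendered cilium.yaml in the same commit carry the same settings twice (`chainingMode: generic-veth` / `cni-chaining-mode: generic-veth`, `enableIdentityMark: false` / `enable-identity-mark: 'false'`, the two image references), and nothing records how cilium.yaml was produced from values.yaml, so the two will drift the first time someone edits one of them. Below the existing upstream link at the top of values.yaml, a comment recording the exact render command, e.g. `# cilium.yaml is generated from this file with: helm template cilium <chart source> --namespace kube-system -f values.yaml` (filling in the chart source and version actually used), would let the rendered manifest be regenerated reproducibly. If the intent is to keep only one of the two as the source of truth, the comment should say which.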
@@ -1,43 +0,0 @@ -image: - repository: docker.io/raspbernetes/flux - -env: - secretName: flux-git-ssh-private-key - -rbac: - create: true - pspEnabled: true - -git: - url: git@github.com:raspbernetes/k8s-gitops.git - readonly: true - branch: master - path: namespaces - secretName: flux-git-ssh-private-key - -registry: - disableScanning: true - -# Disabled due to circular dependency with prometheus-operator being deployed via Flux -prometheus: - enabled: false - serviceMonitor: - # Enables ServiceMonitor creation for the Prometheus Operator - create: false - interval: 30s - scrapeTimeout: 10s - namespace: flux - additionalLabels: {} - -syncGarbageCollection: - enabled: true - dry: false - -dashboards: - # If enabled, flux will create a configmap with a dashboard in json that's going to be picked up by grafana - # See https://github.com/helm/charts/tree/master/stable/grafana#configuration - `sidecar.dashboards.enabled` - enabled: true - # # The namespace where the dashboard is deployed, defaults to the installation namespace - # namespace: - # # The prefix of the generated configmaps - # nameprefix: dashboard diff --git a/config/helm-operator/values.yaml b/config/helm-operator/values.yaml deleted file mode 100644 index ce4c2b584c..0000000000 --- a/config/helm-operator/values.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -helm: - versions: v3 - -image: - repository: docker.io/raspbernetes/helm-operator - tag: v1.2.0 - -chartsSyncInterval: "3m" -statusUpdateInterval: "30s" -createCRD: true - -rbac: - pspEnabled: true - -git: - pollInterval: "1800m" - ssh: - secretName: flux-git-ssh-private-key - -resources: - limits: - cpu: 0.5 - memory: 2Gi - requests: - cpu: 50m - memory: 64Mi - -# Disabled due to circular dependency with prometheus-operator being deployed via Flux -prometheus: - enabled: false - serviceMonitor: - # Enables ServiceMonitor creation for the Prometheus Operator - create: false - interval: - scrapeTimeout: - namespace: - additionalLabels: {} - -dashboards: - # If enabled, helm-operator will create a configmap with a dashboard in json that's going to be picked up by grafana - # See https://github.com/helm/charts/tree/master/stable/grafana#configuration - `sidecar.dashboards.enabled` - enabled: true diff --git a/namespaces/actions-runner-system/actions-runner-controller.yaml b/namespaces/actions-runner-system/actions-runner-controller.yaml index f5d6aa33a4..c2153ef012 100644 --- a/namespaces/actions-runner-system/actions-runner-controller.yaml +++ b/namespaces/actions-runner-system/actions-runner-controller.yaml @@ -14,15 +14,15 @@ metadata: name: horizontalrunnerautoscalers.actions.summerwind.dev spec: additionalPrinterColumns: - - JSONPath: .spec.minReplicas - name: Min - type: number - - JSONPath: .spec.maxReplicas - name: Max - type: number - - JSONPath: .status.desiredReplicas - name: Desired - type: number + - JSONPath: .spec.minReplicas + name: Min + type: number + - JSONPath: .spec.maxReplicas + name: Max + type: number + - JSONPath: .status.desiredReplicas + name: Desired + type: number group: actions.summerwind.dev names: kind: HorizontalRunnerAutoscaler 
@@ -93,13 +93,13 @@ spec: type: object version: v1alpha1 versions: - - name: v1alpha1 - served: true - storage: true + - name: v1alpha1 + served: true + storage: true status: acceptedNames: - kind: "" - plural: "" + kind: '' + plural: '' conditions: [] storedVersions: [] --- @@ -112,15 +112,15 @@ metadata: name: runnerdeployments.actions.summerwind.dev spec: additionalPrinterColumns: - - JSONPath: .spec.replicas - name: Desired - type: number - - JSONPath: .status.availableReplicas - name: Current - type: number - - JSONPath: .status.readyReplicas - name: Ready - type: number + - JSONPath: .spec.replicas + name: Desired + type: number + - JSONPath: .status.availableReplicas + name: Current + type: number + - JSONPath: .status.readyReplicas + name: Ready + type: number group: actions.summerwind.dev names: kind: RunnerDeployment @@ -185,8 +185,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchFields: @@ -206,8 +206,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array type: object @@ -216,8 +216,8 @@ spec: format: int32 type: integer required: - - preference - - weight + - preference + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: @@ -245,8 +245,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchFields: @@ -266,14 +266,14 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array type: object type: array required: - - nodeSelectorTerms + - nodeSelectorTerms type: object type: object podAffinity: @@ -307,8 +307,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: 
@@ -326,15 +326,15 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - - podAffinityTerm - - weight + - podAffinityTerm + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: @@ -362,8 +362,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: @@ -381,7 +381,7 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object type: array type: object @@ -416,8 +416,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: 
@@ -435,15 +435,15 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - - podAffinityTerm - - weight + - podAffinityTerm + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: @@ -471,8 +471,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: @@ -490,7 +490,7 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object type: array type: object 
@@ -502,12 +502,12 @@ spec: description: A single application container that you want to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. 
Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -538,7 +538,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -550,7 +550,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -565,7 +565,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -580,11 +580,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -656,8 +656,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -665,15 +665,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -683,16 +683,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -721,8 +721,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -730,15 +730,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -748,12 +748,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -791,8 +791,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -800,15 +800,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -830,12 +830,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -868,7 +868,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -905,8 +905,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -914,15 +914,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -944,12 +944,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -1043,7 +1043,7 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -1076,8 +1076,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -1085,15 +1085,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -1115,12 +1115,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -1134,7 +1134,7 @@ spec: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. 
Cannot be updated. @@ -1154,8 +1154,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: @@ -1182,15 +1182,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array env: @@ -1219,7 +1219,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -1231,7 +1231,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -1246,7 +1246,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace 
@@ -1261,11 +1261,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: 
@@ -1302,12 +1302,12 @@ spec: description: An EphemeralContainer is a container that may be added temporarily to an existing pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource allocation, the pod may be evicted. Ephemeral containers may not be added by directly updating the pod spec. They must be added via the pod's ephemeralcontainers subresource, and they will appear in the pod spec once added. This is an alpha feature enabled by the EphemeralContainers feature flag. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. 
The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -1338,7 +1338,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -1350,7 +1350,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' 
@@ -1365,7 +1365,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -1380,11 +1380,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -1456,8 +1456,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -1465,15 +1465,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -1483,16 +1483,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -1521,8 +1521,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -1530,15 +1530,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -1548,12 +1548,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -1591,8 +1591,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -1600,15 +1600,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -1630,12 +1630,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -1668,7 +1668,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -1705,8 +1705,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -1714,15 +1714,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -1744,12 +1744,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -1876,8 +1876,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -1885,15 +1885,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -1915,12 +1915,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -1937,7 +1937,7 @@ spec: description: If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container is run in whatever namespaces are shared for the pod. Note that the container runtime must support this feature. type: string terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. @@ -1957,8 +1957,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: 
@@ -1985,15 +1985,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array image: 
@@ -2015,12 +2015,12 @@ spec: description: A single application container that you want to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. 
Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -2051,7 +2051,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -2063,7 +2063,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -2078,7 +2078,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -2093,11 +2093,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -2169,8 +2169,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -2178,15 +2178,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -2196,16 +2196,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -2234,8 +2234,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -2243,15 +2243,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -2261,12 +2261,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -2304,8 +2304,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -2313,15 +2313,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -2343,12 +2343,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -2381,7 +2381,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -2418,8 +2418,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -2427,15 +2427,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -2457,12 +2457,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -2556,7 +2556,7 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -2589,8 +2589,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -2598,15 +2598,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -2628,12 +2628,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -2647,7 +2647,7 @@ spec: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. 
Cannot be updated. @@ -2667,8 +2667,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: @@ -2695,15 +2695,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array labels: @@ -2786,8 +2786,8 @@ spec: description: Value of a property to set type: string required: - - name - - value + - name + - value type: object type: array windowsOptions: 
@@ -2811,12 +2811,12 @@ spec: description: A single application container that you want to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. 
Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -2847,7 +2847,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -2859,7 +2859,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -2874,7 +2874,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -2889,11 +2889,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -2965,8 +2965,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -2974,15 +2974,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -2992,16 +2992,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -3030,8 +3030,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -3039,15 +3039,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -3057,12 +3057,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -3100,8 +3100,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -3109,15 +3109,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -3139,12 +3139,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -3177,7 +3177,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -3214,8 +3214,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -3223,15 +3223,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -3253,12 +3253,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -3352,7 +3352,7 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -3385,8 +3385,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -3394,15 +3394,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -3424,12 +3424,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -3443,7 +3443,7 @@ spec: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. 
Cannot be updated. @@ -3463,8 +3463,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: @@ -3491,15 +3491,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array terminationGracePeriodSeconds: @@ -3550,8 +3550,8 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array volumes: 
@@ -3559,7 +3559,7 @@ spec: description: Volume represents a named volume in a pod that may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: "AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine' @@ -3575,7 +3575,7 @@ spec: description: 'Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - - volumeID + - volumeID type: object azureDisk: description: AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. @@ -3599,8 +3599,8 @@ spec: description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean required: - - diskName - - diskURI + - diskName + - diskURI type: object azureFile: description: AzureFile represents an Azure File Service mount on the host and bind mount to the pod. @@ -3615,8 +3615,8 @@ spec: description: Share Name type: string required: - - secretName - - shareName + - secretName + - shareName type: object cephfs: description: CephFS represents a Ceph FS mount on the host that shares a pod's lifetime 
@@ -3646,7 +3646,7 @@ spec: description: 'Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - - monitors + - monitors type: object cinder: description: 'Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' @@ -3668,7 +3668,7 @@ spec: description: 'volume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - - volumeID + - volumeID type: object configMap: description: ConfigMap represents a configMap that should populate this volume @@ -3693,8 +3693,8 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array name: @@ -3729,7 +3729,7 @@ spec: description: VolumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. type: object required: - - driver + - driver type: object downwardAPI: description: DownwardAPI represents downward API about the pod that should populate this volume 
@@ -3753,14 +3753,14 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'" type: string resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' @@ -3775,15 +3775,15 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object required: - - path + - path type: object type: array type: object emptyDir: - description: 'EmptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: "EmptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir" properties: medium: description: 'What type of storage medium should back this directory. The default is "" which means to use the node''s default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' 
@@ -3841,7 +3841,7 @@ spec: type: string type: object required: - - driver + - driver type: object flocker: description: Flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running @@ -3854,7 +3854,7 @@ spec: type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: "GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine' 
@@ -3870,10 +3870,10 @@ spec: description: 'ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean required: - - pdName + - pdName type: object gitRepo: - description: 'GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod''s container.' + description: "GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." properties: directory: description: Target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name. @@ -3885,10 +3885,10 @@ spec: description: Commit hash for the specified revision. type: string required: - - repository + - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' + description: "Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md" properties: endpoints: description: 'EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' 
@@ -3900,8 +3900,8 @@ spec: description: 'ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: boolean required: - - endpoints - - path + - endpoints + - path type: object hostPath: description: 'HostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath --- TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not mount host directories as read/write.' @@ -3913,10 +3913,10 @@ spec: description: 'Type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - - path + - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + description: "ISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md" properties: chapAuthDiscovery: description: whether support iSCSI Discovery CHAP authentication 
@@ -3959,15 +3959,15 @@ spec: description: iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260). type: string required: - - iqn - - lun - - targetPortal + - iqn + - lun + - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: "Volume's name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: string nfs: - description: 'NFS represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: "NFS represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs" properties: path: description: 'Path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' @@ -3979,8 +3979,8 @@ spec: description: 'Server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: - - path - - server + - path + - server type: object persistentVolumeClaim: description: 'PersistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' @@ -3992,7 +3992,7 @@ spec: description: Will force the ReadOnly setting in VolumeMounts. Default false. type: boolean required: - - claimName + - claimName type: object photonPersistentDisk: description: PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine 
@@ -4004,7 +4004,7 @@ spec: description: ID that identifies Photon Controller persistent disk type: string required: - - pdID + - pdID type: object portworxVolume: description: PortworxVolume represents a portworx volume attached and mounted on kubelets host machine @@ -4019,7 +4019,7 @@ spec: description: VolumeID uniquely identifies a Portworx volume type: string required: - - volumeID + - volumeID type: object projected: description: Items for all in one resources secrets, configmaps, and downward API @@ -4052,8 +4052,8 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array name: @@ -4081,14 +4081,14 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'" type: string resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' 
@@ -4103,10 +4103,10 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object required: - - path + - path type: object type: array type: object @@ -4129,8 +4129,8 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array name: @@ -4154,12 +4154,12 @@ spec: description: Path is the path relative to the mount point of the file to project the token into. type: string required: - - path + - path type: object type: object type: array required: - - sources + - sources type: object quobyte: description: Quobyte represents a Quobyte mount on the host that shares a pod's lifetime @@ -4183,11 +4183,11 @@ spec: description: Volume is a string that references an already created Quobyte volume by name. type: string required: - - registry - - volume + - registry + - volume type: object rbd: - description: 'RBD represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' + description: "RBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine' 
@@ -4220,8 +4220,8 @@ spec: description: 'The rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - - image - - monitors + - image + - monitors type: object scaleIO: description: ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. @@ -4261,9 +4261,9 @@ spec: description: The name of a volume already created in the ScaleIO system that is associated with this volume source. type: string required: - - gateway - - secretRef - - system + - gateway + - secretRef + - system type: object secret: description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' @@ -4288,15 +4288,15 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array optional: description: Specify whether the Secret or its keys must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: "Name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret" type: string type: object storageos: @@ -4338,16 +4338,16 @@ spec: description: Path that identifies vSphere volume vmdk type: string required: - - volumePath + - volumePath type: object required: - - name + - name type: object type: array type: object type: object required: - - template + - template type: object status: properties: 
@@ -4359,19 +4359,19 @@ spec: readyReplicas: type: integer required: - - availableReplicas - - readyReplicas + - availableReplicas + - readyReplicas type: object type: object version: v1alpha1 versions: - - name: v1alpha1 - served: true - storage: true + - name: v1alpha1 + served: true + storage: true status: acceptedNames: - kind: "" - plural: "" + kind: '' + plural: '' conditions: [] storedVersions: [] --- @@ -4384,15 +4384,15 @@ metadata: name: runnerreplicasets.actions.summerwind.dev spec: additionalPrinterColumns: - - JSONPath: .spec.replicas - name: Desired - type: number - - JSONPath: .status.availableReplicas - name: Current - type: number - - JSONPath: .status.readyReplicas - name: Ready - type: number + - JSONPath: .spec.replicas + name: Desired + type: number + - JSONPath: .status.availableReplicas + name: Current + type: number + - JSONPath: .status.readyReplicas + name: Ready + type: number group: actions.summerwind.dev names: kind: RunnerReplicaSet @@ -4457,8 +4457,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchFields: @@ -4478,8 +4478,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array type: object @@ -4488,8 +4488,8 @@ spec: format: int32 type: integer required: - - preference - - weight + - preference + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: @@ -4517,8 +4517,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchFields: @@ -4538,14 +4538,14 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array type: object type: array required: - - nodeSelectorTerms + - nodeSelectorTerms type: object type: object podAffinity: @@ -4579,8 +4579,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: 
@@ -4598,15 +4598,15 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - - podAffinityTerm - - weight + - podAffinityTerm + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: @@ -4634,8 +4634,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: @@ -4653,7 +4653,7 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object type: array type: object @@ -4688,8 +4688,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: 
@@ -4707,15 +4707,15 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - - podAffinityTerm - - weight + - podAffinityTerm + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: @@ -4743,8 +4743,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: @@ -4762,7 +4762,7 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object type: array type: object 
@@ -4774,12 +4774,12 @@ spec: description: A single application container that you want to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. 
Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -4810,7 +4810,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -4822,7 +4822,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -4837,7 +4837,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -4852,11 +4852,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -4928,8 +4928,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -4937,15 +4937,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -4955,16 +4955,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -4993,8 +4993,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -5002,15 +5002,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -5020,12 +5020,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -5063,8 +5063,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -5072,15 +5072,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -5102,12 +5102,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -5140,7 +5140,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -5177,8 +5177,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -5186,15 +5186,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -5216,12 +5216,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -5315,7 +5315,7 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -5348,8 +5348,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -5357,15 +5357,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -5387,12 +5387,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -5406,7 +5406,7 @@ spec: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. 
Cannot be updated. @@ -5426,8 +5426,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: @@ -5454,15 +5454,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array env: @@ -5491,7 +5491,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -5503,7 +5503,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -5518,7 +5518,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace 
@@ -5533,11 +5533,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: 
@@ -5574,12 +5574,12 @@ spec: description: An EphemeralContainer is a container that may be added temporarily to an existing pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource allocation, the pod may be evicted. Ephemeral containers may not be added by directly updating the pod spec. They must be added via the pod's ephemeralcontainers subresource, and they will appear in the pod spec once added. This is an alpha feature enabled by the EphemeralContainers feature flag. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. 
The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -5610,7 +5610,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -5622,7 +5622,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' 
@@ -5637,7 +5637,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -5652,11 +5652,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -5728,8 +5728,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -5737,15 +5737,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -5755,16 +5755,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -5793,8 +5793,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -5802,15 +5802,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -5820,12 +5820,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -5863,8 +5863,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -5872,15 +5872,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -5902,12 +5902,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -5940,7 +5940,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -5977,8 +5977,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -5986,15 +5986,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -6016,12 +6016,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -6148,8 +6148,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -6157,15 +6157,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -6187,12 +6187,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -6209,7 +6209,7 @@ spec: description: If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container is run in whatever namespaces are shared for the pod. Note that the container runtime must support this feature. type: string terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. @@ -6229,8 +6229,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: 
@@ -6257,15 +6257,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array image: 
@@ -6287,12 +6287,12 @@ spec: description: A single application container that you want to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. 
Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -6323,7 +6323,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -6335,7 +6335,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -6350,7 +6350,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -6365,11 +6365,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -6441,8 +6441,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -6450,15 +6450,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -6468,16 +6468,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -6506,8 +6506,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -6515,15 +6515,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -6533,12 +6533,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -6576,8 +6576,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -6585,15 +6585,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -6615,12 +6615,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -6653,7 +6653,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -6690,8 +6690,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -6699,15 +6699,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -6729,12 +6729,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -6828,7 +6828,7 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -6861,8 +6861,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -6870,15 +6870,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -6900,12 +6900,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -6919,7 +6919,7 @@ spec: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. 
Cannot be updated. @@ -6939,8 +6939,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: @@ -6967,15 +6967,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array labels: @@ -7058,8 +7058,8 @@ spec: description: Value of a property to set type: string required: - - name - - value + - name + - value type: object type: array windowsOptions: 
@@ -7083,12 +7083,12 @@ spec: description: A single application container that you want to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. 
Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -7119,7 +7119,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -7131,7 +7131,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -7146,7 +7146,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -7161,11 +7161,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -7237,8 +7237,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -7246,15 +7246,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -7264,16 +7264,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -7302,8 +7302,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -7311,15 +7311,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -7329,12 +7329,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -7372,8 +7372,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -7381,15 +7381,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -7411,12 +7411,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -7449,7 +7449,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -7486,8 +7486,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -7495,15 +7495,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -7525,12 +7525,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -7624,7 +7624,7 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -7657,8 +7657,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -7666,15 +7666,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -7696,12 +7696,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -7715,7 +7715,7 @@ spec: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. 
Cannot be updated. @@ -7735,8 +7735,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: @@ -7763,15 +7763,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array terminationGracePeriodSeconds: @@ -7822,8 +7822,8 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array volumes: 
@@ -7831,7 +7831,7 @@ spec: description: Volume represents a named volume in a pod that may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: "AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine' @@ -7847,7 +7847,7 @@ spec: description: 'Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - - volumeID + - volumeID type: object azureDisk: description: AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. @@ -7871,8 +7871,8 @@ spec: description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean required: - - diskName - - diskURI + - diskName + - diskURI type: object azureFile: description: AzureFile represents an Azure File Service mount on the host and bind mount to the pod. @@ -7887,8 +7887,8 @@ spec: description: Share Name type: string required: - - secretName - - shareName + - secretName + - shareName type: object cephfs: description: CephFS represents a Ceph FS mount on the host that shares a pod's lifetime 
@@ -7918,7 +7918,7 @@ spec: description: 'Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - - monitors + - monitors type: object cinder: description: 'Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' @@ -7940,7 +7940,7 @@ spec: description: 'volume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - - volumeID + - volumeID type: object configMap: description: ConfigMap represents a configMap that should populate this volume @@ -7965,8 +7965,8 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array name: @@ -8001,7 +8001,7 @@ spec: description: VolumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. type: object required: - - driver + - driver type: object downwardAPI: description: DownwardAPI represents downward API about the pod that should populate this volume 
@@ -8025,14 +8025,14 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'" type: string resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' @@ -8047,15 +8047,15 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object required: - - path + - path type: object type: array type: object emptyDir: - description: 'EmptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: "EmptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir" properties: medium: description: 'What type of storage medium should back this directory. The default is "" which means to use the node''s default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' 
@@ -8113,7 +8113,7 @@ spec: type: string type: object required: - - driver + - driver type: object flocker: description: Flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running @@ -8126,7 +8126,7 @@ spec: type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: "GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine' 
@@ -8142,10 +8142,10 @@ spec: description: 'ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean required: - - pdName + - pdName type: object gitRepo: - description: 'GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod''s container.' + description: "GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." properties: directory: description: Target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name. @@ -8157,10 +8157,10 @@ spec: description: Commit hash for the specified revision. type: string required: - - repository + - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' + description: "Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md" properties: endpoints: description: 'EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' 
@@ -8172,8 +8172,8 @@ spec: description: 'ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: boolean required: - - endpoints - - path + - endpoints + - path type: object hostPath: description: 'HostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath --- TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not mount host directories as read/write.' @@ -8185,10 +8185,10 @@ spec: description: 'Type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - - path + - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + description: "ISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md" properties: chapAuthDiscovery: description: whether support iSCSI Discovery CHAP authentication 
@@ -8231,15 +8231,15 @@ spec: description: iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260). type: string required: - - iqn - - lun - - targetPortal + - iqn + - lun + - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: "Volume's name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: string nfs: - description: 'NFS represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: "NFS represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs" properties: path: description: 'Path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' @@ -8251,8 +8251,8 @@ spec: description: 'Server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: - - path - - server + - path + - server type: object persistentVolumeClaim: description: 'PersistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' @@ -8264,7 +8264,7 @@ spec: description: Will force the ReadOnly setting in VolumeMounts. Default false. type: boolean required: - - claimName + - claimName type: object photonPersistentDisk: description: PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine 
@@ -8276,7 +8276,7 @@ spec: description: ID that identifies Photon Controller persistent disk type: string required: - - pdID + - pdID type: object portworxVolume: description: PortworxVolume represents a portworx volume attached and mounted on kubelets host machine @@ -8291,7 +8291,7 @@ spec: description: VolumeID uniquely identifies a Portworx volume type: string required: - - volumeID + - volumeID type: object projected: description: Items for all in one resources secrets, configmaps, and downward API @@ -8324,8 +8324,8 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array name: @@ -8353,14 +8353,14 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'" type: string resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' 
@@ -8375,10 +8375,10 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object required: - - path + - path type: object type: array type: object @@ -8401,8 +8401,8 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array name: @@ -8426,12 +8426,12 @@ spec: description: Path is the path relative to the mount point of the file to project the token into. type: string required: - - path + - path type: object type: object type: array required: - - sources + - sources type: object quobyte: description: Quobyte represents a Quobyte mount on the host that shares a pod's lifetime @@ -8455,11 +8455,11 @@ spec: description: Volume is a string that references an already created Quobyte volume by name. type: string required: - - registry - - volume + - registry + - volume type: object rbd: - description: 'RBD represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' + description: "RBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine' 
@@ -8492,8 +8492,8 @@ spec: description: 'The rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - - image - - monitors + - image + - monitors type: object scaleIO: description: ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. @@ -8533,9 +8533,9 @@ spec: description: The name of a volume already created in the ScaleIO system that is associated with this volume source. type: string required: - - gateway - - secretRef - - system + - gateway + - secretRef + - system type: object secret: description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' @@ -8560,15 +8560,15 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array optional: description: Specify whether the Secret or its keys must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: "Name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret" type: string type: object storageos: @@ -8610,17 +8610,17 @@ spec: description: Path that identifies vSphere volume vmdk type: string required: - - volumePath + - volumePath type: object required: - - name + - name type: object type: array type: object type: object required: - - replicas - - template + - replicas + - template type: object status: properties: 
@@ -8629,19 +8629,19 @@ spec: readyReplicas: type: integer required: - - availableReplicas - - readyReplicas + - availableReplicas + - readyReplicas type: object type: object version: v1alpha1 versions: - - name: v1alpha1 - served: true - storage: true + - name: v1alpha1 + served: true + storage: true status: acceptedNames: - kind: "" - plural: "" + kind: '' + plural: '' conditions: [] storedVersions: [] --- @@ -8654,18 +8654,18 @@ metadata: name: runners.actions.summerwind.dev spec: additionalPrinterColumns: - - JSONPath: .spec.organization - name: Organization - type: string - - JSONPath: .spec.repository - name: Repository - type: string - - JSONPath: .spec.labels - name: Labels - type: string - - JSONPath: .status.phase - name: Status - type: string + - JSONPath: .spec.organization + name: Organization + type: string + - JSONPath: .spec.repository + name: Repository + type: string + - JSONPath: .spec.labels + name: Labels + type: string + - JSONPath: .status.phase + name: Status + type: string group: actions.summerwind.dev names: kind: Runner @@ -8721,8 +8721,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchFields: @@ -8742,8 +8742,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array type: object @@ -8752,8 +8752,8 @@ spec: format: int32 type: integer required: - - preference - - weight + - preference + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: @@ -8781,8 +8781,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchFields: @@ -8802,14 +8802,14 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array type: object type: array required: - - nodeSelectorTerms + - nodeSelectorTerms type: object type: object podAffinity: 
@@ -8843,8 +8843,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: @@ -8862,15 +8862,15 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - - podAffinityTerm - - weight + - podAffinityTerm + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: @@ -8898,8 +8898,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: @@ -8917,7 +8917,7 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object type: array type: object @@ -8952,8 +8952,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: 
@@ -8971,15 +8971,15 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - - podAffinityTerm - - weight + - podAffinityTerm + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: @@ -9007,8 +9007,8 @@ spec: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: @@ -9026,7 +9026,7 @@ spec: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object type: array type: object 
@@ -9038,12 +9038,12 @@ spec: description: A single application container that you want to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. 
Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -9074,7 +9074,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -9086,7 +9086,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -9101,7 +9101,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -9116,11 +9116,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -9192,8 +9192,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -9201,15 +9201,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -9219,16 +9219,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -9257,8 +9257,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -9266,15 +9266,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -9284,12 +9284,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -9327,8 +9327,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -9336,15 +9336,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -9366,12 +9366,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -9404,7 +9404,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -9441,8 +9441,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -9450,15 +9450,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -9480,12 +9480,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -9579,7 +9579,7 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -9612,8 +9612,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -9621,15 +9621,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -9651,12 +9651,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -9670,7 +9670,7 @@ spec: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. 
Cannot be updated. @@ -9690,8 +9690,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: @@ -9718,15 +9718,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array env: @@ -9755,7 +9755,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -9767,7 +9767,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -9782,7 +9782,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace 
@@ -9797,11 +9797,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: 
@@ -9838,12 +9838,12 @@ spec: description: An EphemeralContainer is a container that may be added temporarily to an existing pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource allocation, the pod may be evicted. Ephemeral containers may not be added by directly updating the pod spec. They must be added via the pod's ephemeralcontainers subresource, and they will appear in the pod spec once added. This is an alpha feature enabled by the EphemeralContainers feature flag. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. 
The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -9874,7 +9874,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -9886,7 +9886,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' 
@@ -9901,7 +9901,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -9916,11 +9916,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -9992,8 +9992,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -10001,15 +10001,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -10019,16 +10019,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -10057,8 +10057,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -10066,15 +10066,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -10084,12 +10084,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -10127,8 +10127,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -10136,15 +10136,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -10166,12 +10166,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -10204,7 +10204,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -10241,8 +10241,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -10250,15 +10250,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -10280,12 +10280,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -10412,8 +10412,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -10421,15 +10421,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -10451,12 +10451,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -10473,7 +10473,7 @@ spec: description: If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container is run in whatever namespaces are shared for the pod. Note that the container runtime must support this feature. type: string terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. @@ -10493,8 +10493,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: 
@@ -10521,15 +10521,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array image: 
@@ -10551,12 +10551,12 @@ spec: description: A single application container that you want to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. 
Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -10587,7 +10587,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -10599,7 +10599,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -10614,7 +10614,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -10629,11 +10629,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -10705,8 +10705,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -10714,15 +10714,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -10732,16 +10732,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -10770,8 +10770,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -10779,15 +10779,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -10797,12 +10797,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -10840,8 +10840,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -10849,15 +10849,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -10879,12 +10879,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -10917,7 +10917,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -10954,8 +10954,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -10963,15 +10963,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -10993,12 +10993,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -11092,7 +11092,7 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -11125,8 +11125,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -11134,15 +11134,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -11164,12 +11164,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -11183,7 +11183,7 @@ spec: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. 
Cannot be updated. @@ -11203,8 +11203,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: @@ -11231,15 +11231,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array labels: @@ -11322,8 +11322,8 @@ spec: description: Value of a property to set type: string required: - - name - - value + - name + - value type: object type: array windowsOptions: 
@@ -11347,12 +11347,12 @@ spec: description: A single application container that you want to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: "Entrypoint array. 
Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell" items: type: string type: array @@ -11383,7 +11383,7 @@ spec: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - - key + - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' @@ -11395,7 +11395,7 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' @@ -11410,7 +11410,7 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -11425,11 +11425,11 @@ spec: description: Specify whether the Secret or its key must be defined type: boolean required: - - key + - key type: object type: object required: - - name + - name type: object type: array envFrom: @@ -11501,8 +11501,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -11510,15 +11510,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' 
@@ -11528,16 +11528,16 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -11566,8 +11566,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -11575,15 +11575,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' @@ -11593,12 +11593,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object @@ -11636,8 +11636,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -11645,15 +11645,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -11675,12 +11675,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -11713,7 +11713,7 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array readinessProbe: @@ -11750,8 +11750,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -11759,15 +11759,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -11789,12 +11789,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -11888,7 +11888,7 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. 
@@ -11921,8 +11921,8 @@ spec: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: @@ -11930,15 +11930,15 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' @@ -11960,12 +11960,12 @@ spec: type: string port: anyOf: - - type: integer - - type: string + - type: integer + - type: string description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' 
@@ -11979,7 +11979,7 @@ spec: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated." type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. 
Cannot be updated. @@ -11999,8 +11999,8 @@ spec: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: @@ -12027,15 +12027,15 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - - name + - name type: object type: array terminationGracePeriodSeconds: @@ -12086,8 +12086,8 @@ spec: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array volumes: 
@@ -12095,7 +12095,7 @@ spec: description: Volume represents a named volume in a pod that may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: "AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine' @@ -12111,7 +12111,7 @@ spec: description: 'Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - - volumeID + - volumeID type: object azureDisk: description: AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. @@ -12135,8 +12135,8 @@ spec: description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean required: - - diskName - - diskURI + - diskName + - diskURI type: object azureFile: description: AzureFile represents an Azure File Service mount on the host and bind mount to the pod. @@ -12151,8 +12151,8 @@ spec: description: Share Name type: string required: - - secretName - - shareName + - secretName + - shareName type: object cephfs: description: CephFS represents a Ceph FS mount on the host that shares a pod's lifetime 
@@ -12182,7 +12182,7 @@ spec: description: 'Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - - monitors + - monitors type: object cinder: description: 'Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' @@ -12204,7 +12204,7 @@ spec: description: 'volume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - - volumeID + - volumeID type: object configMap: description: ConfigMap represents a configMap that should populate this volume @@ -12229,8 +12229,8 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array name: @@ -12265,7 +12265,7 @@ spec: description: VolumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. type: object required: - - driver + - driver type: object downwardAPI: description: DownwardAPI represents downward API about the pod that should populate this volume 
@@ -12289,14 +12289,14 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'" type: string resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' @@ -12311,15 +12311,15 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object required: - - path + - path type: object type: array type: object emptyDir: - description: 'EmptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: "EmptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir" properties: medium: description: 'What type of storage medium should back this directory. The default is "" which means to use the node''s default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' 
@@ -12377,7 +12377,7 @@ spec: type: string type: object required: - - driver + - driver type: object flocker: description: Flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running @@ -12390,7 +12390,7 @@ spec: type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: "GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine' 
@@ -12406,10 +12406,10 @@ spec: description: 'ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean required: - - pdName + - pdName type: object gitRepo: - description: 'GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod''s container.' + description: "GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." properties: directory: description: Target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name. @@ -12421,10 +12421,10 @@ spec: description: Commit hash for the specified revision. type: string required: - - repository + - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' + description: "Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md" properties: endpoints: description: 'EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' 
@@ -12436,8 +12436,8 @@ spec: description: 'ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: boolean required: - - endpoints - - path + - endpoints + - path type: object hostPath: description: 'HostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath --- TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not mount host directories as read/write.' @@ -12449,10 +12449,10 @@ spec: description: 'Type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - - path + - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + description: "ISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md" properties: chapAuthDiscovery: description: whether support iSCSI Discovery CHAP authentication 
@@ -12495,15 +12495,15 @@ spec: description: iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260). type: string required: - - iqn - - lun - - targetPortal + - iqn + - lun + - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: "Volume's name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" type: string nfs: - description: 'NFS represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: "NFS represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs" properties: path: description: 'Path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' @@ -12515,8 +12515,8 @@ spec: description: 'Server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: - - path - - server + - path + - server type: object persistentVolumeClaim: description: 'PersistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' @@ -12528,7 +12528,7 @@ spec: description: Will force the ReadOnly setting in VolumeMounts. Default false. type: boolean required: - - claimName + - claimName type: object photonPersistentDisk: description: PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine 
@@ -12540,7 +12540,7 @@ spec: description: ID that identifies Photon Controller persistent disk type: string required: - - pdID + - pdID type: object portworxVolume: description: PortworxVolume represents a portworx volume attached and mounted on kubelets host machine @@ -12555,7 +12555,7 @@ spec: description: VolumeID uniquely identifies a Portworx volume type: string required: - - volumeID + - volumeID type: object projected: description: Items for all in one resources secrets, configmaps, and downward API @@ -12588,8 +12588,8 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array name: @@ -12617,14 +12617,14 @@ spec: description: Path of the field to select in the specified API version. type: string required: - - fieldPath + - fieldPath type: object mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'" type: string resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' 
@@ -12639,10 +12639,10 @@ spec: description: 'Required: resource to select' type: string required: - - resource + - resource type: object required: - - path + - path type: object type: array type: object @@ -12665,8 +12665,8 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array name: @@ -12690,12 +12690,12 @@ spec: description: Path is the path relative to the mount point of the file to project the token into. type: string required: - - path + - path type: object type: object type: array required: - - sources + - sources type: object quobyte: description: Quobyte represents a Quobyte mount on the host that shares a pod's lifetime @@ -12719,11 +12719,11 @@ spec: description: Volume is a string that references an already created Quobyte volume by name. type: string required: - - registry - - volume + - registry + - volume type: object rbd: - description: 'RBD represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' + description: "RBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine' 
@@ -12756,8 +12756,8 @@ spec: description: 'The rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - - image - - monitors + - image + - monitors type: object scaleIO: description: ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. @@ -12797,9 +12797,9 @@ spec: description: The name of a volume already created in the ScaleIO system that is associated with this volume source. type: string required: - - gateway - - secretRef - - system + - gateway + - secretRef + - system type: object secret: description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' @@ -12824,15 +12824,15 @@ spec: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - - key - - path + - key + - path type: object type: array optional: description: Specify whether the Secret or its keys must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: "Name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret" type: string type: object storageos: @@ -12874,10 +12874,10 @@ spec: description: Path that identifies vSphere volume vmdk type: string required: - - volumePath + - volumePath type: object required: - - name + - name type: object type: array type: object 
@@ -12907,25 +12907,25 @@ spec: token: type: string required: - - expiresAt - - token + - expiresAt + - token type: object required: - - message - - phase - - reason - - registration + - message + - phase + - reason + - registration type: object type: object version: v1alpha1 versions: - - name: v1alpha1 - served: true - storage: true + - name: v1alpha1 + served: true + storage: true status: acceptedNames: - kind: "" - plural: "" + kind: '' + plural: '' conditions: [] storedVersions: [] --- @@ -12935,32 +12935,32 @@ metadata: name: leader-election-role namespace: actions-runner-system rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - '' + resources: + - configmaps/status + verbs: + - get + - update + - patch + - apiGroups: + - '' + resources: + - events + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -12968,123 +12968,123 @@ metadata: creationTimestamp: null name: manager-role rules: -- apiGroups: - - actions.summerwind.dev - resources: - - horizontalrunnerautoscalers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - actions.summerwind.dev - resources: - - horizontalrunnerautoscalers/status - verbs: - - get - - patch - - update -- apiGroups: - - actions.summerwind.dev - resources: - - runnerdeployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - actions.summerwind.dev - resources: - - runnerdeployments/status - verbs: - - get - - patch - - update -- apiGroups: - - actions.summerwind.dev - resources: - - runnerreplicasets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - actions.summerwind.dev - resources: - - runnerreplicasets/status - verbs: - - get - - patch - - update -- apiGroups: - - actions.summerwind.dev - resources: - - runners - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - actions.summerwind.dev - resources: - - runners/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - apiGroups: + - actions.summerwind.dev + resources: + - horizontalrunnerautoscalers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - actions.summerwind.dev + resources: + - horizontalrunnerautoscalers/status + verbs: + - get + - patch + - update + - apiGroups: + - actions.summerwind.dev + resources: + - runnerdeployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - actions.summerwind.dev + resources: + - runnerdeployments/status + verbs: + - get + - patch + - update + - apiGroups: + - 
actions.summerwind.dev + resources: + - runnerreplicasets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - actions.summerwind.dev + resources: + - runnerreplicasets/status + verbs: + - get + - patch + - update + - apiGroups: + - actions.summerwind.dev + resources: + - runners + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - actions.summerwind.dev + resources: + - runners/status + verbs: + - get + - patch + - update + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - '' + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -13096,9 +13096,9 @@ roleRef: kind: Role name: leader-election-role subjects: -- kind: ServiceAccount - name: default - namespace: actions-runner-system + - kind: ServiceAccount + name: default + namespace: actions-runner-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -13109,9 +13109,9 @@ roleRef: kind: ClusterRole name: manager-role subjects: -- kind: ServiceAccount - name: default - namespace: actions-runner-system + - kind: ServiceAccount + name: default + namespace: actions-runner-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -13122,9 +13122,9 @@ roleRef: kind: ClusterRole name: proxy-role subjects: -- kind: ServiceAccount - name: default - namespace: actions-runner-system + - kind: ServiceAccount + name: default + namespace: actions-runner-system --- apiVersion: v1 kind: Service @@ -13135,9 +13135,9 @@ metadata: namespace: actions-runner-system spec: ports: - - name: https - port: 8443 - targetPort: https + - name: https + port: 8443 + targetPort: https selector: control-plane: controller-manager --- @@ -13148,8 +13148,8 @@ metadata: namespace: actions-runner-system spec: ports: - - port: 443 - targetPort: 9443 + - port: 443 + targetPort: 9443 selector: control-plane: controller-manager --- 
@@ -13171,71 +13171,71 @@ spec: control-plane: controller-manager spec: containers: - - args: - - --metrics-addr=127.0.0.1:8080 - - --enable-leader-election - command: - - /manager - env: - - name: GITHUB_TOKEN - valueFrom: - secretKeyRef: - key: github_token - name: controller-manager - optional: true - - name: GITHUB_APP_ID - valueFrom: - secretKeyRef: - key: github_app_id + - args: + - --metrics-addr=127.0.0.1:8080 + - --enable-leader-election + command: + - /manager + env: + - name: GITHUB_TOKEN + valueFrom: + secretKeyRef: + key: github_token + name: controller-manager + optional: true + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + key: github_app_id + name: controller-manager + optional: true + - name: GITHUB_APP_INSTALLATION_ID + valueFrom: + secretKeyRef: + key: github_app_installation_id + name: controller-manager + optional: true + - name: GITHUB_APP_PRIVATE_KEY + value: /etc/actions-runner-controller/github_app_private_key + image: xunholy/actions-runner-controller:v0.7.2 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi + volumeMounts: + - mountPath: /etc/actions-runner-controller name: controller-manager - optional: true - - name: GITHUB_APP_INSTALLATION_ID - valueFrom: - secretKeyRef: - key: github_app_installation_id - name: controller-manager - optional: true - - name: GITHUB_APP_PRIVATE_KEY - value: /etc/actions-runner-controller/github_app_private_key - image: xunholy/actions-runner-controller:latest - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - resources: - limits: - cpu: 100m - memory: 30Mi - requests: - cpu: 100m - memory: 20Mi - volumeMounts: - - mountPath: /etc/actions-runner-controller - name: controller-manager - readOnly: true - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - 
--upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: quay.io/brancz/kube-rbac-proxy:v0.6.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https + readOnly: true + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: quay.io/brancz/kube-rbac-proxy:v0.7.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https terminationGracePeriodSeconds: 10 volumes: - - name: controller-manager - secret: - secretName: controller-manager - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert + - name: controller-manager + secret: + secretName: controller-manager + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert --- apiVersion: cert-manager.io/v1alpha2 kind: Certificate @@ -13244,8 +13244,8 @@ metadata: namespace: actions-runner-system spec: dnsNames: - - webhook-service.actions-runner-system.svc - - webhook-service.actions-runner-system.svc.cluster.local + - webhook-service.actions-runner-system.svc + - webhook-service.actions-runner-system.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer 
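Review bot: The controller image moves from `xunholy/actions-runner-controller:latest` to `:v0.7.2`, which removes the floating tag, but a tag on a personal Docker Hub namespace is still mutable, so a re-pushed `v0.7.2` would roll out silently and the Deployment is not reproducible from this manifest. Pinning by digest as well, `image: xunholy/actions-runner-controller:v0.7.2@sha256:<digest-placeholder>`, closes that gap, and the same applies to `quay.io/brancz/kube-rbac-proxy:v0.7.0` on the sidecar. The sidecar also keeps `--v=10`, which this commit does not introduce but is an unusually high log verbosity for the proxy that fronts the metrics port and performs the TokenReview/SubjectAccessReview calls granted by `proxy-role` above; worth confirming it is intentional or adding a comment saying why.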
@@ -13266,60 +13266,60 @@ metadata: cert-manager.io/inject-ca-from: actions-runner-system/serving-cert name: mutating-webhook-configuration webhooks: -- clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: actions-runner-system - path: /mutate-actions-summerwind-dev-v1alpha1-runner - failurePolicy: Fail - name: mutate.runner.actions.summerwind.dev - rules: - - apiGroups: - - actions.summerwind.dev - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - runners -- clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: actions-runner-system - path: /mutate-actions-summerwind-dev-v1alpha1-runnerdeployment - failurePolicy: Fail - name: mutate.runnerdeployment.actions.summerwind.dev - rules: - - apiGroups: - - actions.summerwind.dev - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - runnerdeployments -- clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: actions-runner-system - path: /mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset - failurePolicy: Fail - name: mutate.runnerreplicaset.actions.summerwind.dev - rules: - - apiGroups: - - actions.summerwind.dev - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - runnerreplicasets + - clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: actions-runner-system + path: /mutate-actions-summerwind-dev-v1alpha1-runner + failurePolicy: Fail + name: mutate.runner.actions.summerwind.dev + rules: + - apiGroups: + - actions.summerwind.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - runners + - clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: actions-runner-system + path: /mutate-actions-summerwind-dev-v1alpha1-runnerdeployment + failurePolicy: Fail + name: mutate.runnerdeployment.actions.summerwind.dev + rules: + - apiGroups: + - actions.summerwind.dev + apiVersions: + - 
v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - runnerdeployments + - clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: actions-runner-system + path: /mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset + failurePolicy: Fail + name: mutate.runnerreplicaset.actions.summerwind.dev + rules: + - apiGroups: + - actions.summerwind.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - runnerreplicasets --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration 
@@ -13328,57 +13328,57 @@ metadata: cert-manager.io/inject-ca-from: actions-runner-system/serving-cert name: validating-webhook-configuration webhooks: -- clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: actions-runner-system - path: /validate-actions-summerwind-dev-v1alpha1-runner - failurePolicy: Fail - name: validate.runner.actions.summerwind.dev - rules: - - apiGroups: - - actions.summerwind.dev - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - runners -- clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: actions-runner-system - path: /validate-actions-summerwind-dev-v1alpha1-runnerdeployment - failurePolicy: Fail - name: validate.runnerdeployment.actions.summerwind.dev - rules: - - apiGroups: - - actions.summerwind.dev - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - runnerdeployments -- clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: actions-runner-system - path: /validate-actions-summerwind-dev-v1alpha1-runnerreplicaset - failurePolicy: Fail - name: validate.runnerreplicaset.actions.summerwind.dev - rules: - - apiGroups: - - actions.summerwind.dev - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - runnerreplicasets + - clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: actions-runner-system + path: /validate-actions-summerwind-dev-v1alpha1-runner + failurePolicy: Fail + name: validate.runner.actions.summerwind.dev + rules: + - apiGroups: + - actions.summerwind.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - runners + - clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: actions-runner-system + path: /validate-actions-summerwind-dev-v1alpha1-runnerdeployment + failurePolicy: Fail + name: validate.runnerdeployment.actions.summerwind.dev + rules: + - apiGroups: + - actions.summerwind.dev + 
apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - runnerdeployments
+ - clientConfig:
+ caBundle: Cg==
+ service:
+ name: webhook-service
+ namespace: actions-runner-system
+ path: /validate-actions-summerwind-dev-v1alpha1-runnerreplicaset
+ failurePolicy: Fail
+ name: validate.runnerreplicaset.actions.summerwind.dev
+ rules:
+ - apiGroups:
+ - actions.summerwind.dev
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - runnerreplicasets
diff --git a/namespaces/actions-runner-system/runner.yaml b/namespaces/actions-runner-system/runner.yaml
index e3c6b7d9b2..b858ab714b 100644
--- a/namespaces/actions-runner-system/runner.yaml
+++ b/namespaces/actions-runner-system/runner.yaml
@@ -4,5 +4,6 @@ metadata:
 name: runner
 namespace: actions-runner-system
 spec:
- repository: raspbernetes/k8s-gitops
+ organization: raspbernetes
+ image: docker.io/xunholy/actions-runner:v2.273.4
 env: []
diff --git a/namespaces/backups/velero/velero.yaml b/namespaces/backups/velero/velero.yaml
index 0d8438ac9f..4cd517911b 100644
--- a/namespaces/backups/velero/velero.yaml
+++ b/namespaces/backups/velero/velero.yaml
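Review bot: Replacing `repository: raspbernetes/k8s-gitops` with `organization: raspbernetes` registers this runner at organization scope, so workflow jobs from every repository in the org, not just this one, can be scheduled onto a pod in this cluster, and nothing in the hunk records whether that widening is intended. If it is, a comment on the `organization:` line stating the decision and what bounds it on the GitHub side (a runner group or repository allow-list, if configured) would keep the blast radius reviewable, e.g. `# org-scoped: any raspbernetes repository may run jobs on this runner; restrict via runner group on the GitHub side`. The runner image is tag-pinned at `docker.io/xunholy/actions-runner:v2.273.4`; adding a `@sha256:<digest-placeholder>` would make it immutable. The enclosing resource's `kind` and the rest of its spec are outside the hunk.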
@@ -1,19 +1,39 @@
 ---
-apiVersion: helm.fluxcd.io/v1
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
 name: velero
 namespace: backups
- annotations:
- fluxcd.io/ignore: 'false'
- fluxcd.io/automated: 'false'
 spec:
- releaseName: velero
- helmVersion: v3
+ interval: 5m
 chart:
- repository: https://vmware-tanzu.github.io/helm-charts
- name: velero
- version: 2.12.0
+ spec:
+ chart: velero
+ version: 2.12.0
+ sourceRef:
+ kind: HelmRepository
+ name: vmware-charts
+ namespace: gitops-system
+ interval: 1m
+ test:
+ enable: true
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ remediation:
+ remediateLastFailure: true
+ cleanupOnFail: true
+ rollback:
+ timeout: 1m
+ cleanupOnFail: true
+ # Depends on having the sealed secret cloud-credentials un-encrypted. Also depends on prometheus-operator
+ # due to service monitor resources.
+ dependsOn:
+ - name: sealed-secrets
+ namespace: kube-system
+ - name: kube-prometheus-stack
+ namespace: observability
 values:
 image:
 repository: twoequaldots/velero-arm64
diff --git a/namespaces/flux/flagger/flagger.yaml b/namespaces/flux/flagger/flagger.yaml
deleted file mode 100644
index 5095dd543b..0000000000
--- a/namespaces/flux/flagger/flagger.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
- name: flagger
- namespace: flux
- annotations:
- fluxcd.io/ignore: 'false'
- fluxcd.io/automated: 'false'
-spec:
- releaseName: flagger
- helmVersion: v3
- chart:
- repository: https://flagger.app
- name: flagger
- version: 1.0.1
- values:
- image:
- repository: raspbernetes/flagger
- tag: v1.0.1
- rbac:
- pspEnabled: true
- crd:
- create: false
- meshProvider: nginx
- metricsServer: http://z-prometheus.observability.svc.cluster.local:9090
diff --git a/namespaces/flux/helm-operator/helm-operator.yaml b/namespaces/flux/helm-operator/helm-operator.yaml
deleted file mode 100644
index 74fc042b6a..0000000000
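Review bot: The comment above `dependsOn` in the velero hunk overstates what the dependency gives you: `dependsOn` only waits for the named HelmReleases to report Ready, it does not check that the `cloud-credentials` Secret has actually been unsealed, and it names `prometheus-operator` while the release actually listed is `kube-prometheus-stack`. Suggest replacing the two comment lines with `# sealed-secrets must be Ready so the cloud-credentials SealedSecret can be decrypted before install;` and `# kube-prometheus-stack must be Ready for the service monitor resources this chart creates.` so the text matches the dependencies declared below it.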
--- a/namespaces/flux/helm-operator/helm-operator.yaml
+++ /dev/null
@@ -1,794 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: helmreleases.helm.fluxcd.io -spec: - additionalPrinterColumns: - - JSONPath: .status.releaseName - description: ReleaseName is the name of the Helm release managed by the HelmRelease, - as given by Helm. - name: Release - type: string - - JSONPath: .status.phase - description: Phase is the current release phase being performed for the HelmRelease. - name: Phase - type: string - - JSONPath: .status.releaseStatus - description: ReleaseStatus is the status of the Helm release managed by the HelmRelease, - as given by Helm. - name: Status - type: string - - JSONPath: .status.conditions[?(@.type=="Released")].message - name: Message - type: string - - JSONPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - name: Age - type: date - group: helm.fluxcd.io - names: - kind: HelmRelease - listKind: HelmReleaseList - plural: helmreleases - shortNames: - - hr - - hrs - singular: helmrelease - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: HelmRelease is a type to represent a Helm release. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - chart: - properties: - chartPullSecret: - description: ChartPullSecret holds the reference to the authentication - secret for accessing the Helm repository using HTTPS basic auth. - NOT IMPLEMENTED! - properties: - name: - type: string - required: - - name - type: object - git: - description: Git URL is the URL of the Git repository, e.g. `git@github.com:org/repo`, - `http://github.com/org/repo`, or `ssh://git@example.com:2222/org/repo.git`. - type: string - name: - description: Name is the name of the Helm chart _without_ an alias, - e.g. redis (for `helm upgrade [flags] stable/redis`). - type: string - path: - description: Path is the path to the chart relative to the repository - root. - type: string - ref: - description: Ref is the Git branch (or other reference) to use. - Defaults to 'master', or the configured default Git ref. - type: string - repository: - description: RepoURL is the URL of the Helm repository, e.g. `https://kubernetes-charts.storage.googleapis.com` - or `https://charts.example.com`. - type: string - secretRef: - description: SecretRef holds the authentication secret for accessing - the Git repository (over HTTPS). The credentials will be added - to an HTTPS GitURL before the mirror is started. - properties: - name: - type: string - namespace: - type: string - required: - - name - type: object - skipDepUpdate: - description: SkipDepUpdate will tell the operator to skip running - 'helm dep update' before installing or upgrading the chart, the - chart dependencies _must_ be present for this to succeed. - type: boolean - version: - description: Version is the targeted Helm chart version, e.g. 7.0.1. - type: string - type: object - disableOpenAPIValidation: - description: DisableOpenAPIValidation controls whether OpenAPI validation - is enforced. 
- type: boolean - forceUpgrade: - description: Force will mark this Helm release to `--force` upgrades. - This forces the resource updates through delete/recreate if needed. - type: boolean - helmVersion: - description: 'HelmVersion is the version of Helm to target. If not supplied, - the lowest _enabled Helm version_ will be targeted. Valid HelmVersion - values are: "v2", "v3"' - enum: - - v2 - - v3 - type: string - maxHistory: - description: MaxHistory is the maximum amount of revisions to keep for - the Helm release. If not supplied, it defaults to 10. - type: integer - releaseName: - description: ReleaseName is the name of the The Helm release. If not - supplied, it will be generated by affixing the namespace to the resource - name. - type: string - resetValues: - description: ResetValues will mark this Helm release to reset the values - to the defaults of the targeted chart before performing an upgrade. - Not explicitly setting this to `false` equals to `true` due to the - declarative nature of the operator. - type: boolean - rollback: - description: The rollback settings for this Helm release. - properties: - disableHooks: - description: DisableHooks will mark this Helm release to prevent - hooks from running during the rollback. - type: boolean - enable: - description: Enable will mark this Helm release for rollbacks. - type: boolean - force: - description: Force will mark this Helm release to `--force` rollbacks. - This forces the resource updates through delete/recreate if needed. - type: boolean - maxRetries: - description: MaxRetries is the maximum amount of upgrade retries - the operator should make before bailing. - format: int64 - type: integer - recreate: - description: Recreate will mark this Helm release to `--recreate-pods` - for if applicable. This performs pod restarts. - type: boolean - retry: - description: Retry will mark this Helm release for upgrade retries - after a rollback. 
- type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during rollback. - format: int64 - type: integer - wait: - description: Wait will mark this Helm release to wait until all - Pods, PVCs, Services, and minimum number of Pods of a Deployment, - StatefulSet, or ReplicaSet are in a ready state before marking - the release as successful. - type: boolean - type: object - skipCRDs: - description: SkipCRDs will mark this Helm release to skip the creation - of CRDs during a Helm 3 installation. - type: boolean - targetNamespace: - description: TargetNamespace overrides the targeted namespace for the - Helm release. The default namespace equals to the namespace of the - HelmRelease resource. - type: string - test: - description: The test settings for this Helm release. - properties: - cleanup: - description: Cleanup, when targeting Helm 2, determines whether - to delete test pods between each test run initiated by the Helm - Operator. - type: boolean - enable: - description: Enable will mark this Helm release for tests. - type: boolean - ignoreFailures: - description: IgnoreFailures will cause a Helm release to be rolled - back if it fails otherwise it will be left in a released state - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during test. - format: int64 - type: integer - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during installation and upgrade operations. - format: int64 - type: integer - valueFileSecrets: - description: ValueFileSecrets holds the local name references to secrets. - DEPRECATED, use ValuesFrom.secretKeyRef instead. - items: - properties: - name: - type: string - required: - - name - type: object - type: array - values: - description: Values holds the values for this Helm release. 
- type: object - valuesFrom: - items: - properties: - chartFileRef: - description: The reference to a local chart file with release - values. - properties: - optional: - description: Optional will mark this ChartFileSelector as - optional. The result of this are that operations are permitted - without the source, due to it e.g. being temporarily unavailable. - type: boolean - path: - description: Path is the file path to the source relative - to the chart root. - type: string - required: - - path - type: object - configMapKeyRef: - description: The reference to a config map with release values. - properties: - key: - type: string - name: - type: string - namespace: - type: string - optional: - type: boolean - required: - - name - type: object - externalSourceRef: - description: The reference to an external source with release - values. - properties: - optional: - description: Optional will mark this ExternalSourceSelector - as optional. The result of this are that operations are - permitted without the source, due to it e.g. being temporarily - unavailable. - type: boolean - url: - description: URL is the URL of the external source. - type: string - required: - - url - type: object - secretKeyRef: - description: The reference to a secret with release values. - properties: - key: - type: string - name: - type: string - namespace: - type: string - optional: - type: boolean - required: - - name - type: object - type: object - type: array - wait: - description: Wait will mark this Helm release to wait until all Pods, - PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, - or ReplicaSet are in a ready state before marking the release as successful. - type: boolean - required: - - chart - type: object - status: - description: HelmReleaseStatus contains status information about an HelmRelease. - properties: - conditions: - description: Conditions contains observations of the resource's state, - e.g., has the chart which it refers to been fetched. 
- items: - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last status update of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, one of ('ChartFetched', 'Deployed', - 'Released', 'RolledBack', 'Tested'). - enum: - - ChartFetched - - Deployed - - Released - - RolledBack - - Tested - type: string - required: - - status - - type - type: object - type: array - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the latest chart - sync, and may be of a failed release. - type: string - observedGeneration: - description: ObservedGeneration is the most recent generation observed - by the operator. - format: int64 - type: integer - phase: - description: Phase the release is in, one of ('ChartFetched', 'ChartFetchFailed', - 'Installing', 'Upgrading', 'Deployed', 'DeployFailed', 'Testing', - 'TestFailed', 'Tested', 'Succeeded', 'RollingBack', 'RolledBack', - 'RollbackFailed') - enum: - - ChartFetched - - ChartFetchFailed - - Installing - - Upgrading - - Deployed - - DeployFailed - - Testing - - TestFailed - - Tested - - Succeeded - - Failed - - RollingBack - - RolledBack - - RollbackFailed - type: string - releaseName: - description: ReleaseName is the name as either supplied or generated. 
- type: string - releaseStatus: - description: ReleaseStatus is the status as given by Helm for the release - managed by this resource. - type: string - revision: - description: Revision holds the Git hash or version of the chart currently - deployed. - type: string - rollbackCount: - description: RollbackCount records the amount of rollback attempts made, - it is incremented after a rollback failure and reset after a successful - upgrade or revision change. - format: int64 - type: integer - type: object - required: - - metadata - - spec - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: helm-operator - chart: helm-operator-1.2.0 - heritage: Helm - release: default - name: default-helm-operator - namespace: flux ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' - labels: - app: helm-operator - chart: helm-operator-1.2.0 - heritage: Helm - release: default - name: default-helm-operator -spec: - allowPrivilegeEscalation: true - allowedCapabilities: - - '*' - fsGroup: - rule: RunAsAny - hostIPC: false - hostNetwork: false - hostPID: false - privileged: false - readOnlyRootFilesystem: false - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: helm-operator - chart: helm-operator-1.2.0 - heritage: Helm - release: default - name: default-helm-operator-psp -rules: -- apiGroups: - - policy - resourceNames: - - default-helm-operator - resources: - - podsecuritypolicies - verbs: - - use ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - labels: - app: helm-operator - chart: helm-operator-1.2.0 - 
heritage: Helm - release: default - name: default-helm-operator -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' -- nonResourceURLs: - - '*' - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: helm-operator - chart: helm-operator-1.2.0 - heritage: Helm - release: default - name: default-helm-operator-psp -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: default-helm-operator-psp -subjects: -- kind: ServiceAccount - name: default-helm-operator - namespace: flux ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - labels: - app: helm-operator - chart: helm-operator-1.2.0 - heritage: Helm - release: default - name: default-helm-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: default-helm-operator -subjects: -- kind: ServiceAccount - name: default-helm-operator - namespace: flux ---- -apiVersion: v1 -data: - config: | - apiVersion: v1 - clusters: [] - contexts: - - context: - cluster: "" - namespace: default - user: "" - name: default - current-context: default - kind: Config - preferences: {} - users: [] -kind: ConfigMap -metadata: - name: default-helm-operator-kube-config - namespace: flux ---- -apiVersion: v1 -data: - helm-operator-dashboard.json: '{ "__inputs": [ { "name": "DS_PROMETHEUS", "label": - "Prometheus", "description": "", "type": "datasource", "pluginId": "prometheus", - "pluginName": "Prometheus" }, { "name": "DS_LOKI", "label": "Loki", "description": - "", "type": "datasource", "pluginId": "loki", "pluginName": "Loki" } ], "__requires": - [ { "type": "grafana", "id": "grafana", "name": "Grafana", "version": "7.0.5" - }, { "type": "panel", "id": "graph", "name": "Graph", "version": "" }, { "type": - "panel", "id": "logs", "name": "Logs", "version": "" }, { "type": "datasource", - "id": "loki", "name": "Loki", "version": "1.0.0" }, { "type": "datasource", "id": - 
"prometheus", "name": "Prometheus", "version": "1.0.0" }, { "type": "panel", "id": - "stat", "name": "Stat", "version": "" }, { "type": "panel", "id": "table", "name": - "Table", "version": "" } ], "annotations": { "list": [ { "builtIn": 1, "datasource": - "-- Grafana --", "enable": true, "hide": true, "iconColor": "rgba(0, 211, 255, - 1)", "name": "Annotations & Alerts", "type": "dashboard" } ] }, "editable": true, - "gnetId": null, "graphTooltip": 0, "id": null, "iteration": 1594295805662, "links": - [], "panels": [ { "collapsed": false, "datasource": "${DS_PROMETHEUS}", "gridPos": - { "h": 1, "w": 24, "x": 0, "y": 0 }, "id": 24, "panels": [], "title": "Main Metrics", - "type": "row" }, { "datasource": "${DS_PROMETHEUS}", "fieldConfig": { "defaults": - { "custom": {}, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ - { "color": "green", "value": null }, { "color": "red", "value": 80 } ] } }, "overrides": - [] }, "gridPos": { "h": 6, "w": 4, "x": 0, "y": 1 }, "id": 6, "options": { "colorMode": - "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": - { "calcs": [ "mean" ], "fields": "", "values": false } }, "pluginVersion": "7.0.5", - "targets": [ { "expr": "flux_helm_operator_release_count{}", "interval": "", "legendFormat": - "Synced Manifests", "refId": "A" } ], "timeFrom": null, "timeShift": null, "title": - "Helm Releases Synced", "type": "stat" }, { "aliasColors": { "Sync Duration": - "semi-dark-green" }, "bars": false, "dashLength": 10, "dashes": false, "datasource": - "${DS_PROMETHEUS}", "fieldConfig": { "defaults": { "custom": {} }, "overrides": - [] }, "fill": 1, "fillGradient": 0, "gridPos": { "h": 12, "w": 20, "x": 4, "y": - 1 }, "hiddenSeries": false, "id": 8, "legend": { "avg": false, "current": false, - "max": false, "min": false, "show": true, "total": false, "values": false }, "lines": - true, "linewidth": 1, "nullPointMode": "null", "options": { "dataLinks": [] }, - "percentage": false, 
"pointradius": 2, "points": false, "renderer": "flot", "seriesOverrides": - [], "spaceLength": 10, "stack": false, "steppedLine": false, "targets": [ { "expr": - "delta(flux_helm_operator_release_action_duration_seconds_sum{action=\"sync\"}[5m]) - > 0", "interval": "", "legendFormat": "{{release_name}} sync", "refId": "A" } - ], "thresholds": [], "timeFrom": null, "timeRegions": [], "timeShift": null, "title": - "Helm Release Sync Duration", "tooltip": { "shared": true, "sort": 0, "value_type": - "individual" }, "type": "graph", "xaxis": { "buckets": null, "mode": "time", "name": - null, "show": true, "values": [] }, "yaxes": [ { "format": "s", "label": null, - "logBase": 1, "max": null, "min": null, "show": true }, { "format": "s", "label": - null, "logBase": 1, "max": null, "min": null, "show": true } ], "yaxis": { "align": - false, "alignLevel": null } }, { "datasource": "${DS_PROMETHEUS}", "description": - "", "fieldConfig": { "defaults": { "custom": {}, "mappings": [], "thresholds": - { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": - "red", "value": 80 } ] } }, "overrides": [] }, "gridPos": { "h": 6, "w": 4, "x": - 0, "y": 7 }, "id": 14, "options": { "colorMode": "value", "graphMode": "area", - "justifyMode": "auto", "orientation": "auto", "reduceOptions": { "calcs": [ "mean" - ], "fields": "", "values": false } }, "pluginVersion": "7.0.5", "targets": [ { - "expr": "flux_helm_operator_release_queue_length_count{}", "interval": "", "legendFormat": - "", "refId": "A" } ], "timeFrom": null, "timeShift": null, "title": "Helm Releases - Not Synced", "type": "stat" }, { "collapsed": false, "datasource": "${DS_PROMETHEUS}", - "gridPos": { "h": 1, "w": 24, "x": 0, "y": 13 }, "id": 22, "panels": [], "title": - "Releases", "type": "row" }, { "datasource": "${DS_PROMETHEUS}", "fieldConfig": - { "defaults": { "custom": { "align": null }, "mappings": [], "thresholds": { "mode": - "absolute", "steps": [ { "color": "green", "value": null }, { 
"color": "red", - "value": 80 } ] } }, "overrides": [] }, "gridPos": { "h": 12, "w": 8, "x": 0, - "y": 14 }, "id": 12, "options": { "frameIndex": 0, "showHeader": true, "sortBy": - [] }, "pluginVersion": "7.0.5", "targets": [ { "expr": "flux_helm_operator_release_condition_info{condition=\"Released\"} - == 1", "format": "table", "instant": true, "interval": "", "legendFormat": "", - "refId": "A" } ], "timeFrom": null, "timeShift": null, "title": "Helm Releases - - Released", "transformations": [ { "id": "organize", "options": { "excludeByName": - { "Value": true, "__name__": true, "app": true, "condition": true, "instance": - true, "job": true, "kubernetes_namespace": true, "kubernetes_pod_name": true, - "pod_template_hash": true, "endpoint": true, "namespace": true, "pod": true, "service": - true, "release": true }, "indexByName": {}, "renameByName": { "Time": "Latest - Update", "release_name": "Release", "target_namespace": "Namespace" } } } ], "type": - "table" }, { "datasource": "${DS_PROMETHEUS}", "fieldConfig": { "defaults": { - "custom": { "align": null }, "mappings": [], "thresholds": { "mode": "absolute", - "steps": [ { "color": "green", "value": null }, { "color": "red", "value": 80 - } ] } }, "overrides": [] }, "gridPos": { "h": 12, "w": 8, "x": 8, "y": 14 }, "id": - 17, "options": { "frameIndex": 0, "showHeader": true, "sortBy": [] }, "pluginVersion": - "7.0.5", "targets": [ { "expr": "flux_helm_operator_release_condition_info{condition=\"Released\"} - == -1", "format": "table", "instant": true, "interval": "", "legendFormat": "", - "refId": "A" } ], "timeFrom": null, "timeShift": null, "title": "Helm Releases - - Failed", "transformations": [ { "id": "organize", "options": { "excludeByName": - { "Value": true, "__name__": true, "app": true, "condition": true, "instance": - true, "job": true, "kubernetes_namespace": true, "kubernetes_pod_name": true, - "pod_template_hash": true, "endpoint": true, "namespace": true, "pod": true, "service": - true, 
"release": true }, "indexByName": {}, "renameByName": { "Time": "Latest - Update", "release_name": "Release", "target_namespace": "Namespace" } } } ], "type": - "table" }, { "datasource": "${DS_PROMETHEUS}", "fieldConfig": { "defaults": { - "custom": { "align": null }, "mappings": [], "thresholds": { "mode": "absolute", - "steps": [ { "color": "green", "value": null }, { "color": "red", "value": 80 - } ] } }, "overrides": [] }, "gridPos": { "h": 12, "w": 8, "x": 16, "y": 14 }, - "id": 18, "options": { "frameIndex": 0, "showHeader": true, "sortBy": [] }, "pluginVersion": - "7.0.5", "targets": [ { "expr": "flux_helm_operator_release_condition_info{condition=\"RolledBack\"} - == 1", "format": "table", "instant": true, "interval": "", "legendFormat": "", - "refId": "A" } ], "timeFrom": null, "timeShift": null, "title": "Helm Releases - - RolledBack", "transformations": [ { "id": "organize", "options": { "excludeByName": - { "Value": true, "__name__": true, "app": true, "condition": true, "instance": - true, "job": true, "kubernetes_namespace": true, "kubernetes_pod_name": true, - "pod_template_hash": true, "endpoint": true, "namespace": true, "pod": true, "service": - true, "release": true }, "indexByName": {}, "renameByName": { "Time": "Latest - Update", "release_name": "Release", "target_namespace": "Namespace" } } } ], "type": - "table" }, { "collapsed": false, "datasource": "${DS_PROMETHEUS}", "gridPos": - { "h": 1, "w": 24, "x": 0, "y": 26 }, "id": 20, "panels": [], "title": "Logs", - "type": "row" }, { "datasource": "${DS_LOKI}", "fieldConfig": { "defaults": { - "custom": { "align": null }, "mappings": [], "thresholds": { "mode": "absolute", - "steps": [ { "color": "green", "value": null }, { "color": "red", "value": 80 - } ] } }, "overrides": [] }, "gridPos": { "h": 20, "w": 24, "x": 0, "y": 27 }, - "id": 2, "options": { "showLabels": false, "showTime": false, "sortOrder": "Descending", - "wrapLogMessage": false }, "pluginVersion": "7.0.3", "targets": [ { 
"expr": "{app=\"helm-operator\"} - |~ \"$logs_search\"", "refId": "A" } ], "timeFrom": null, "timeShift": null, "title": - "Helm Operator Logs", "type": "logs" } ], "schemaVersion": 25, "style": "dark", - "tags": [], "templating": { "list": [ { "current": { "selected": false, "text": - "Prometheus", "value": "Prometheus" }, "hide": 0, "includeAll": false, "label": - null, "multi": false, "name": "DS_PROMETHEUS", "options": [], "query": "prometheus", - "refresh": 1, "regex": "", "skipUrlSync": false, "type": "datasource" }, { "current": - { "selected": true, "text": "Loki", "value": "Loki" }, "hide": 0, "includeAll": - false, "label": null, "multi": false, "name": "DS_LOKI", "options": [], "query": - "loki", "queryValue": "", "refresh": 1, "regex": "", "skipUrlSync": false, "type": - "datasource" }, { "current": { "selected": false, "text": "", "value": "" }, "hide": - 0, "label": null, "name": "logs_search", "options": [ { "selected": true, "text": - "", "value": "" } ], "query": "", "skipUrlSync": false, "type": "textbox" } ] - }, "time": { "from": "now-6h", "to": "now" }, "timepicker": { "refresh_intervals": - [ "10s", "30s", "1m", "5m", "15m", "30m", "1h", "2h", "1d" ] }, "timezone": "", - "title": "Helm Operator Dashboard", "uid": "Q2SrQyMGk", "version": 1 }' -kind: ConfigMap -metadata: - labels: - app: helm-operator - chart: helm-operator-1.2.0 - grafana_dashboard: "1" - heritage: Helm - release: default - name: helm-operator-dashboards-helm-operator-dashboard - namespace: flux ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: helm-operator - chart: helm-operator-1.2.0 - heritage: Helm - release: default - name: default-helm-operator - namespace: flux -spec: - ports: - - name: http - port: 3030 - protocol: TCP - targetPort: http - selector: - app: helm-operator - release: default - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: helm-operator - chart: helm-operator-1.2.0 - heritage: Helm - release: default 
- name: default-helm-operator - namespace: flux -spec: - replicas: 1 - selector: - matchLabels: - app: helm-operator - release: default - strategy: - type: Recreate - template: - metadata: - annotations: - checksum/repositories: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - labels: - app: helm-operator - release: default - spec: - containers: - - args: - - --enabled-helm-versions=v3 - - --kubeconfig=/root/.kube/config - - --log-format=fmt - - --git-timeout=20s - - --git-poll-interval=1800m - - --charts-sync-interval=3m - - --status-update-interval=30s - - --update-chart-deps=true - - --log-release-diffs=false - - --workers=4 - - --tiller-namespace=kube-system - image: docker.io/raspbernetes/helm-operator:v1.2.0 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 3030 - initialDelaySeconds: 1 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - name: flux-helm-operator - ports: - - containerPort: 3030 - name: http - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 3030 - initialDelaySeconds: 1 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - resources: - limits: - cpu: 0.5 - memory: 2Gi - requests: - cpu: 50m - memory: 64Mi - volumeMounts: - - mountPath: /root/.kube - name: config - readOnly: true - - mountPath: /etc/fluxd/ssh - name: git-key - readOnly: true - serviceAccountName: default-helm-operator - volumes: - - configMap: - defaultMode: 384 - name: default-helm-operator-kube-config - name: config - - name: git-key - secret: - defaultMode: 256 - secretName: flux-git-ssh-private-key diff --git a/namespaces/flux/namespace.yaml b/namespaces/flux/namespace.yaml deleted file mode 100644 index 07a9e1336d..0000000000 --- a/namespaces/flux/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# This file is being created initially via the fluxctl installation. -apiVersion: v1 -kind: Namespace -metadata: - name: flux - labels: - namespace: flux 
diff --git a/namespaces/gitops-system/README.md b/namespaces/gitops-system/README.md
new file mode 100644
index 0000000000..725aacdc6b
--- /dev/null
+++ b/namespaces/gitops-system/README.md
@@ -0,0 +1,30 @@
+By default, the source-controller watches for sources only in the gitops-system namespace, this way cluster admins can prevent untrusted sources from being registered by users.
+
+```bash
+export GITHUB_TOKEN=""
+```
+
+```bash
+gotk bootstrap github \
+ --components=source-controller,kustomize-controller,helm-controller,notification-controller \
+ --path=cluster \
+ --version=latest \
+ --owner=raspbernetes \
+ --repository=k8s-gitops \
+ --arch=arm64
+```
+
+```bash
+gotk create source git k8s-gitops \
+ --url=https://github.com/raspbernetes/k8s-gitops \
+ --branch=fluxv2-init \
+ --interval=30s \
+ --export > ./k8s-gitop.yaml
+```
+
+```bash
+gotk install \
+ --components=source-controller,kustomize-controller,helm-controller,notification-controller \
+ --namespace=gitops-system \
+ --arch=arm64
+```
diff --git a/namespaces/gitops-system/helm-chart-repositories/bitnami-charts.yaml b/namespaces/gitops-system/helm-chart-repositories/bitnami-charts.yaml
new file mode 100644
index 0000000000..5522f5b0f8
--- /dev/null
+++ b/namespaces/gitops-system/helm-chart-repositories/bitnami-charts.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: bitnami-charts
+ namespace: gitops-system
+spec:
+ interval: 24h
+ url: https://charts.bitnami.com/bitnami
+ timeout: 3m
diff --git a/namespaces/gitops-system/helm-chart-repositories/flagger-charts.yaml b/namespaces/gitops-system/helm-chart-repositories/flagger-charts.yaml
new file mode 100644
index 0000000000..1ca7538d2e
--- /dev/null
+++ b/namespaces/gitops-system/helm-chart-repositories/flagger-charts.yaml
@@ -0,0 +1,10 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: flagger-charts
+ namespace: gitops-system
+ creationTimestamp: null
+spec:
+ interval: 24h
+ url: https://flagger.app
+ timeout: 3m
diff --git a/namespaces/gitops-system/helm-chart-repositories/grafana-loki.yaml b/namespaces/gitops-system/helm-chart-repositories/grafana-loki.yaml
new file mode 100644
index 0000000000..b52bf8214e
--- /dev/null
+++ b/namespaces/gitops-system/helm-chart-repositories/grafana-loki.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: grafana-loki-charts
+ namespace: gitops-system
+spec:
+ interval: 24h
+ url: https://grafana.github.io/loki/charts
+ timeout: 3m
diff --git a/namespaces/gitops-system/helm-chart-repositories/jetstack-charts.yaml b/namespaces/gitops-system/helm-chart-repositories/jetstack-charts.yaml
new file mode 100644
index 0000000000..f21330bab7
--- /dev/null
+++ b/namespaces/gitops-system/helm-chart-repositories/jetstack-charts.yaml
@@ -0,0 +1,21 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: jetstack-charts
+ namespace: gitops-system
+spec:
+ interval: 24h
+ url: https://charts.jetstack.io/
+ timeout: 3m
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmChart
+metadata:
+ name: cert-manager
+spec:
+ chart: cert-manager
+ version: v1.0.1
+ sourceRef:
+ name: jetstack-charts
+ kind: HelmRepository
+ interval: 24h
diff --git a/namespaces/gitops-system/helm-chart-repositories/k8s-at-home-charts.yaml b/namespaces/gitops-system/helm-chart-repositories/k8s-at-home-charts.yaml
new file mode 100644
index 0000000000..b6c5d39a40
--- /dev/null
+++ b/namespaces/gitops-system/helm-chart-repositories/k8s-at-home-charts.yaml
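Review bot: The `HelmChart` named cert-manager in the second document of jetstack-charts.yaml has no `metadata.namespace`, while the `HelmRepository` it references is pinned to gitops-system and every sibling file in this directory sets the namespace explicitly. A HelmChart's `sourceRef` resolves only within the chart's own namespace, and the README added in this commit states that source-controller watches sources only in gitops-system, so unless the applying Kustomization defaults the namespace this object lands elsewhere and is never reconciled. Add `namespace: gitops-system` under the chart's `metadata:` alongside `name: cert-manager`.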
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: k8s-at-home-charts
+ namespace: gitops-system
+spec:
+ interval: 24h
+ url: https://k8s-at-home.com/charts/
+ timeout: 3m
diff --git a/namespaces/gitops-system/helm-chart-repositories/kubernetes-stable-charts.yaml b/namespaces/gitops-system/helm-chart-repositories/kubernetes-stable-charts.yaml
new file mode 100644
index 0000000000..b763f07973
--- /dev/null
+++ b/namespaces/gitops-system/helm-chart-repositories/kubernetes-stable-charts.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: kubernetes-stable-charts
+ namespace: gitops-system
+spec:
+ interval: 24h
+ url: https://kubernetes-charts.storage.googleapis.com/
+ timeout: 3m
diff --git a/namespaces/gitops-system/helm-chart-repositories/openebs-charts.yaml b/namespaces/gitops-system/helm-chart-repositories/openebs-charts.yaml
new file mode 100644
index 0000000000..5091e5163e
--- /dev/null
+++ b/namespaces/gitops-system/helm-chart-repositories/openebs-charts.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: openebs-charts
+ namespace: gitops-system
+spec:
+ interval: 24h
+ url: https://openebs.github.io/charts
+ timeout: 3m
diff --git a/namespaces/gitops-system/helm-chart-repositories/openfaas-charts.yaml b/namespaces/gitops-system/helm-chart-repositories/openfaas-charts.yaml
new file mode 100644
index 0000000000..c4ce594e85
--- /dev/null
+++ b/namespaces/gitops-system/helm-chart-repositories/openfaas-charts.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: openfaas-charts
+ namespace: gitops-system
+spec:
+ interval: 24h
+ url: https://openfaas.github.io/faas-netes/
+ timeout: 3m
diff --git a/namespaces/gitops-system/helm-chart-repositories/prometheus-community-charts.yaml b/namespaces/gitops-system/helm-chart-repositories/prometheus-community-charts.yaml
new file mode 100644
index 0000000000..c5d2071373
--- /dev/null
+++ b/namespaces/gitops-system/helm-chart-repositories/prometheus-community-charts.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: prometheus-community-charts
+ namespace: gitops-system
+spec:
+ interval: 24h
+ url: https://prometheus-community.github.io/helm-charts
+ timeout: 3m
diff --git a/namespaces/gitops-system/helm-chart-repositories/vmware-charts.yaml b/namespaces/gitops-system/helm-chart-repositories/vmware-charts.yaml
new file mode 100644
index 0000000000..4f48563277
--- /dev/null
+++ b/namespaces/gitops-system/helm-chart-repositories/vmware-charts.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: vmware-charts
+ namespace: gitops-system
+spec:
+ interval: 24h
+ url: https://vmware-tanzu.github.io/helm-charts
+ timeout: 3m
diff --git a/namespaces/gitops-system/helm-chart-repositories/weaveworks-kured-charts.yaml b/namespaces/gitops-system/helm-chart-repositories/weaveworks-kured-charts.yaml
new file mode 100644
index 0000000000..a924551f59
--- /dev/null
+++ b/namespaces/gitops-system/helm-chart-repositories/weaveworks-kured-charts.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: weaveworks-kured-charts
+ namespace: gitops-system
+spec:
+ interval: 24h
+ url: https://weaveworks.github.io/kured
+ timeout: 3m
diff --git a/namespaces/gitops-system/namespace.yaml b/namespaces/gitops-system/namespace.yaml
new file mode 100644
index 0000000000..b8e62705f4
--- /dev/null
+++ b/namespaces/gitops-system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gitops-system
+ labels:
+ namespace: gitops-system
diff --git a/namespaces/gitops-system/notifications/slack-alert.yaml b/namespaces/gitops-system/notifications/slack-alert.yaml
new file mode 100644
index 0000000000..4ca70436a6
--- /dev/null
+++ b/namespaces/gitops-system/notifications/slack-alert.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta1
+kind: Alert
+metadata:
+ name: k8s-gitops
+ namespace: gitops-system
+spec:
+ providerRef:
+ name: slack
+ eventSeverity: info
+ eventSources:
+ - kind: GitRepository
+ name: k8s-gitops
+ - kind: Kustomization
+ name: k8s-gitops
diff --git a/namespaces/gitops-system/notifications/slack-provider.yaml b/namespaces/gitops-system/notifications/slack-provider.yaml
new file mode 100644
index 0000000000..bd81328de5
--- /dev/null
+++ b/namespaces/gitops-system/notifications/slack-provider.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta1
+kind: Provider
+metadata:
+ name: slack
+ namespace: gitops-system
+spec:
+ type: slack
+ channel: general
+ # secret containing the webhook address
+ address: https://hooks.slack.com/services/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
diff --git a/namespaces/istio-operator/operator-1.6.5.yaml b/namespaces/istio-operator/operator-v1.7.2.yaml
similarity index 99%
rename from namespaces/istio-operator/operator-1.6.5.yaml
rename to namespaces/istio-operator/operator-v1.7.2.yaml
index 716b65d6b1..b7a6540e4c 100644
--- a/namespaces/istio-operator/operator-1.6.5.yaml
+++ b/namespaces/istio-operator/operator-v1.7.2.yaml
@@ -229,7 +229,7 @@ spec:
 serviceAccountName: istio-operator
 containers:
 - name: istio-operator
- image: docker.io/raspbernetes/istio-operator:1.6.5
+ image: docker.io/raspbernetes/istio-operator:1.7.2
 command:
 - operator
 - server
diff --git a/namespaces/istio-system/certificate.yaml b/namespaces/istio-system/certificate.yaml
index a2eccf97e9..5168ae5df2 100644
--- a/namespaces/istio-system/certificate.yaml
+++ b/namespaces/istio-system/certificate.yaml
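Review bot: The `address` line in slack-provider.yaml commits a live Slack incoming-webhook URL in plaintext, even though the comment directly above it says the address is meant to come from a secret; a webhook URL is a bearer credential, so anyone who can read the repository can post to that channel as the cluster. The `Provider` kind supports `secretRef` to a Secret carrying an `address` key, so replace the `address` line with `secretRef:` / `name: slack-webhook` (illustrative name) and create that Secret through whatever secret-management path the cluster already uses rather than in this manifest. Because the URL is already in history, regenerate the webhook in Slack after the change; removing the line or rewriting history does not revoke it.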
@@ -1,5 +1,5 @@
 ---
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
 name: wildcard-cert
diff --git a/namespaces/istio-system/istio/istio-1.6.5.yaml b/namespaces/istio-system/istio/istio-1.6.5.yaml
new file mode 100644
index 0000000000..9cc0681cb8
--- /dev/null
+++ b/namespaces/istio-system/istio/istio-1.6.5.yaml
@@ -0,0 +1,592 @@ +# apiVersion: install.istio.io/v1alpha1 +# kind: IstioOperator +# metadata: +# name: istio +# namespace: istio-system +# spec: +# # TODO +# # revision: canary +# addonComponents: +# grafana: +# enabled: false +# k8s: +# replicaCount: 1 +# istiocoredns: +# enabled: false +# kiali: +# enabled: false +# namespace: observability +# k8s: +# replicaCount: 1 +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: beta.kubernetes.io/arch +# operator: In +# values: +# - arm64 +# podAnnotations: +# sidecar.istio.io/inject: 'true' +# serviceAnnotations: +# sidecar.istio.io/inject: 'true' +# prometheus: +# enabled: false +# k8s: +# replicaCount: 1 +# tracing: +# enabled: false +# k8s: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: beta.kubernetes.io/arch +# operator: In +# values: +# - arm64 +# components: +# base: +# enabled: true +# citadel: +# enabled: false +# k8s: +# strategy: +# rollingUpdate: +# maxSurge: 100% +# maxUnavailable: 25% +# cni: +# enabled: false +# egressGateways: +# - enabled: true +# k8s: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: beta.kubernetes.io/arch +# operator: In +# values: +# - arm64 +# resources: +# requests: +# cpu: 10m +# memory: 40Mi +# name: istio-egressgateway +# ingressGateways: +# - enabled: true +# k8s: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: beta.kubernetes.io/arch +# operator: In +# values: +# - arm64 +# resources: +# requests: +# cpu: 10m +# memory: 40Mi +# service: +# loadBalancerIP: 192.168.1.150 +# ports: +# - name: status-port +# port: 15020 +# targetPort: 15020 +# - name: http2 +# port: 80 +# targetPort: 8080 +# - name: https +# port: 443 +# targetPort: 8443 +# 
- name: tcp +# port: 31400 +# targetPort: 31400 +# - name: tls +# port: 15443 +# targetPort: 15443 +# name: istio-ingressgateway +# istiodRemote: +# enabled: false +# pilot: +# enabled: true +# k8s: +# env: +# - name: POD_NAME +# valueFrom: +# fieldRef: +# apiVersion: v1 +# fieldPath: metadata.name +# - name: POD_NAMESPACE +# valueFrom: +# fieldRef: +# apiVersion: v1 +# fieldPath: metadata.namespace +# - name: GODEBUG +# value: gctrace=1 +# - name: PILOT_TRACE_SAMPLING +# value: '100' +# - name: CONFIG_NAMESPACE +# value: istio-config +# readinessProbe: +# httpGet: +# path: /ready +# port: 8080 +# initialDelaySeconds: 5 +# periodSeconds: 3 +# timeoutSeconds: 5 +# resources: +# requests: +# cpu: 10m +# memory: 100Mi +# strategy: +# rollingUpdate: +# maxSurge: 100% +# maxUnavailable: 25% +# policy: +# enabled: false +# k8s: +# env: +# - name: POD_NAMESPACE +# valueFrom: +# fieldRef: +# apiVersion: v1 +# fieldPath: metadata.namespace +# hpaSpec: +# maxReplicas: 5 +# metrics: +# - resource: +# name: cpu +# targetAverageUtilization: 80 +# type: Resource +# minReplicas: 1 +# scaleTargetRef: +# apiVersion: apps/v1 +# kind: Deployment +# name: istio-policy +# resources: +# requests: +# cpu: 10m +# memory: 100Mi +# strategy: +# rollingUpdate: +# maxSurge: 100% +# maxUnavailable: 25% +# telemetry: +# enabled: false +# k8s: +# env: +# - name: POD_NAMESPACE +# valueFrom: +# fieldRef: +# apiVersion: v1 +# fieldPath: metadata.namespace +# - name: GOMAXPROCS +# value: '6' +# hpaSpec: +# maxReplicas: 5 +# metrics: +# - resource: +# name: cpu +# targetAverageUtilization: 80 +# type: Resource +# minReplicas: 1 +# scaleTargetRef: +# apiVersion: apps/v1 +# kind: Deployment +# name: istio-telemetry +# replicaCount: 1 +# resources: +# limits: +# cpu: 4800m +# memory: 4G +# requests: +# cpu: 50m +# memory: 100Mi +# strategy: +# rollingUpdate: +# maxSurge: 100% +# maxUnavailable: 25% +# hub: docker.io/querycapistio +# meshConfig: +# enableAutoMtls: true +# accessLogFile: /dev/stdout +# 
defaultConfig: +# proxyMetadata: {} +# disablePolicyChecks: false +# enablePrometheusMerge: false +# # TODO: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig +# # enableTracing: true +# # enableEnvoyAccessLogService: true +# # outboundTrafficPolicy: +# # mode: 'REGISTRY_ONLY' +# # defaultServiceExportTo: +# # defaultVirtualServiceExportTo: +# # defaultDestinationRuleExportTo: +# tag: 1.6.5 +# values: +# base: +# validationURL: '' +# clusterResources: true +# gateways: +# istio-egressgateway: +# autoscaleEnabled: false +# env: {} +# name: istio-egressgateway +# secretVolumes: +# - mountPath: /etc/istio/egressgateway-certs +# name: egressgateway-certs +# secretName: istio-egressgateway-certs +# - mountPath: /etc/istio/egressgateway-ca-certs +# name: egressgateway-ca-certs +# secretName: istio-egressgateway-ca-certs +# type: ClusterIP +# zvpn: {} +# istio-ingressgateway: +# applicationPorts: '' +# autoscaleEnabled: false +# debug: info +# domain: '' +# env: {} +# meshExpansionPorts: +# - name: tcp-pilot-grpc-tls +# port: 15011 +# targetPort: 15011 +# - name: tcp-istiod +# port: 15012 +# targetPort: 15012 +# - name: tcp-citadel-grpc-tls +# port: 8060 +# targetPort: 8060 +# - name: tcp-dns-tls +# port: 853 +# targetPort: 8853 +# name: istio-ingressgateway +# secretVolumes: +# - mountPath: /etc/istio/ingressgateway-certs +# name: ingressgateway-certs +# secretName: istio-ingressgateway-certs +# - mountPath: /etc/istio/ingressgateway-ca-certs +# name: ingressgateway-ca-certs +# secretName: istio-ingressgateway-ca-certs +# type: LoadBalancer +# zvpn: {} +# global: +# # outboundTrafficPolicy: +# # mode: 'REGISTRY_ONLY' +# # arch: +# # amd64: 2 +# # ppc64le: 2 +# # s390x: 2 +# configValidation: true +# controlPlaneSecurityEnabled: true +# defaultNodeSelector: {} +# defaultPodDisruptionBudget: +# enabled: true +# defaultResources: +# requests: +# cpu: 10m +# enableHelmTest: false +# imagePullPolicy: 'Always' +# imagePullSecrets: [] +# 
istioNamespace: istio-system +# istiod: +# enableAnalysis: false +# enabled: true +# # TODO: https://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens +# # third-party-jwt may not be available with current cluster configuration +# jwtPolicy: third-party-jwt +# logAsJson: false +# logging: +# level: default:info +# meshExpansion: +# enabled: false +# useILB: false +# meshNetworks: {} +# mountMtlsCerts: false +# multiCluster: +# clusterName: '' +# enabled: false +# network: '' +# omitSidecarInjectorConfigMap: false +# oneNamespace: false +# operatorManageWebhooks: false +# pilotCertProvider: istiod +# priorityClassName: '' +# proxy: +# autoInject: enabled +# clusterDomain: cluster.local +# componentLogLevel: misc:error +# enableCoreDump: false +# envoyStatsd: +# enabled: false +# excludeIPRanges: '' +# excludeInboundPorts: '' +# excludeOutboundPorts: '' +# image: proxyv2 +# includeIPRanges: '*' +# logLevel: warning +# privileged: false +# readinessFailureThreshold: 30 +# readinessInitialDelaySeconds: 5 +# readinessPeriodSeconds: 2 +# resources: +# limits: +# cpu: 2000m +# memory: 1024Mi +# requests: +# cpu: 10m +# memory: 40Mi +# statusPort: 15020 +# tracer: zipkin +# proxy_init: +# image: proxyv2 +# resources: +# limits: +# cpu: 100m +# memory: 50Mi +# requests: +# cpu: 10m +# memory: 10Mi +# sds: +# # enabled: true +# token: +# aud: istio-ca +# sts: +# servicePort: 0 +# tracer: +# datadog: +# address: $(HOST_IP):8126 +# lightstep: +# accessToken: '' +# address: '' +# stackdriver: +# debug: false +# maxNumberOfAnnotations: 200 +# maxNumberOfAttributes: 200 +# maxNumberOfMessageEvents: 200 +# zipkin: +# address: '' +# trustDomain: cluster.local +# useMCP: false +# grafana: +# accessMode: ReadWriteMany +# contextPath: /grafana +# dashboardProviders: +# dashboardproviders.yaml: +# apiVersion: 1 +# providers: +# - disableDeletion: false +# folder: istio +# name: istio +# options: +# path: /var/lib/grafana/dashboards/istio +# 
orgId: 1 +# type: file +# datasources: +# datasources.yaml: +# apiVersion: 1 +# env: {} +# envSecrets: {} +# image: +# repository: grafana/grafana +# tag: 6.7.4 +# nodeSelector: {} +# persist: false +# podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# security: +# enabled: false +# passphraseKey: passphrase +# secretName: grafana +# usernameKey: username +# service: +# annotations: {} +# externalPort: 3000 +# name: http +# type: ClusterIP +# storageClassName: '' +# tolerations: [] +# istiocoredns: +# coreDNSImage: coredns/coredns +# coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1 +# coreDNSTag: 1.6.2 +# istiodRemote: +# injectionURL: '' +# kiali: +# contextPath: /kiali +# createDemoSecret: false +# dashboard: +# auth: +# strategy: anonymous +# grafanaInClusterURL: http://prometheus-operator-grafana.observability.svc.cluster.local +# jaegerInClusterURL: http://tracing/jaeger +# passphraseKey: passphrase +# secretName: kiali +# usernameKey: username +# viewOnlyMode: true +# hub: querycap +# nodeSelector: {} +# podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# security: +# cert_file: /kiali-cert/cert-chain.pem +# # TODO: Investigate security.enabled=true +# enabled: false +# private_key_file: /kiali-cert/key.pem +# service: +# annotations: {} +# tag: v1.20.0 +# mixer: +# adapters: +# kubernetesenv: +# enabled: true +# prometheus: +# enabled: true +# metricsExpiryDuration: 10m +# stackdriver: +# auth: +# apiKey: '' +# appCredentials: false +# serviceAccountPath: '' +# enabled: false +# tracer: +# enabled: false +# sampleProbability: 1 +# stdio: +# enabled: true +# outputAsJson: false +# useAdapterCRDs: false +# policy: +# adapters: +# kubernetesenv: +# enabled: true +# useAdapterCRDs: false +# autoscaleEnabled: false +# image: mixer +# sessionAffinityEnabled: false +# telemetry: +# autoscaleEnabled: false +# env: +# GOMAXPROCS: '6' +# image: mixer +# loadshedding: +# latencyThreshold: 100ms +# mode: enforce +# 
nodeSelector: {} +# podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# replicaCount: 1 +# sessionAffinityEnabled: false +# tolerations: [] +# pilot: +# appNamespaces: [] +# autoscaleEnabled: false +# autoscaleMax: 5 +# autoscaleMin: 1 +# configMap: true +# configNamespace: istio-config +# cpu: +# targetAverageUtilization: 80 +# enableProtocolSniffingForInbound: true +# enableProtocolSniffingForOutbound: true +# env: {} +# image: pilot +# keepaliveMaxServerConnectionAge: 30m +# nodeSelector: {} +# podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# policy: +# enabled: false +# replicaCount: 1 +# tolerations: [] +# traceSampling: 1 +# prometheus: +# contextPath: /prometheus +# hub: docker.io/prom +# nodeSelector: {} +# podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# provisionPrometheusCert: true +# retention: 6h +# scrapeInterval: 15s +# security: +# enabled: true +# tag: v2.15.1 +# tolerations: [] +# sidecarInjectorWebhook: +# enableNamespacesByDefault: false +# injectLabel: istio-injection +# objectSelector: +# autoInject: true +# enabled: true +# rewriteAppHTTPProbe: true +# telemetry: +# enabled: true +# v1: +# enabled: false +# v2: +# enabled: true +# metadataExchange: {} +# prometheus: +# enabled: true +# stackdriver: +# configOverride: {} +# enabled: false +# logging: false +# monitoring: false +# topology: false +# tracing: +# jaeger: +# accessMode: ReadWriteMany +# hub: docker.io/querycapjaegertracing +# memory: +# max_traces: 50000 +# persist: false +# spanStorageType: badger +# storageClassName: '' +# tag: 'latest' +# nodeSelector: {} +# opencensus: +# exporters: +# stackdriver: +# enable_tracing: true +# hub: docker.io/omnition +# resources: +# limits: +# cpu: '1' +# memory: 2Gi +# requests: +# cpu: 200m +# memory: 400Mi +# tag: 0.1.9 +# podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# provider: jaeger +# service: +# annotations: {} +# externalPort: 
9411 +# name: http-query +# type: ClusterIP +# zipkin: +# hub: docker.io/openzipkin +# javaOptsHeap: 700 +# maxSpans: 500000 +# node: +# cpus: 2 +# probeStartupDelay: 10 +# queryPort: 9411 +# resources: +# limits: +# cpu: 1000m +# memory: 2048Mi +# requests: +# cpu: 150m +# memory: 900Mi +# tag: 2.20.0 +# version: '' diff --git a/namespaces/istio-system/istio/istio-1.6.7.yaml b/namespaces/istio-system/istio/istio-1.6.7.yaml new file mode 100644 index 0000000000..57bc3d479e --- /dev/null +++ b/namespaces/istio-system/istio/istio-1.6.7.yaml 
@@ -0,0 +1,591 @@ +# apiVersion: install.istio.io/v1alpha1 +# kind: IstioOperator +# metadata: +# name: istio +# namespace: istio-system +# spec: +# revision: 1.6.7 +# addonComponents: +# grafana: +# enabled: false +# k8s: +# replicaCount: 1 +# istiocoredns: +# enabled: false +# kiali: +# enabled: true +# namespace: observability +# k8s: +# replicaCount: 1 +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: beta.kubernetes.io/arch +# operator: In +# values: +# - arm64 +# podAnnotations: +# sidecar.istio.io/inject: 'true' +# serviceAnnotations: +# sidecar.istio.io/inject: 'true' +# prometheus: +# enabled: false +# k8s: +# replicaCount: 1 +# tracing: +# enabled: true +# k8s: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: beta.kubernetes.io/arch +# operator: In +# values: +# - arm64 +# components: +# base: +# enabled: true +# citadel: +# enabled: false +# k8s: +# strategy: +# rollingUpdate: +# maxSurge: 100% +# maxUnavailable: 25% +# cni: +# enabled: false +# egressGateways: +# - enabled: true +# k8s: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: beta.kubernetes.io/arch +# operator: In +# values: +# - arm64 +# resources: +# requests: +# cpu: 10m +# memory: 40Mi +# name: istio-egressgateway +# ingressGateways: +# - enabled: true +# k8s: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: beta.kubernetes.io/arch +# operator: In +# values: +# - arm64 +# resources: +# requests: +# cpu: 10m +# memory: 40Mi +# service: +# loadBalancerIP: 192.168.1.150 +# ports: +# - name: status-port +# port: 15020 +# targetPort: 15020 +# - name: http2 +# port: 80 +# targetPort: 8080 +# - name: https +# port: 443 +# targetPort: 8443 +# - name: tcp +# 
port: 31400 +# targetPort: 31400 +# - name: tls +# port: 15443 +# targetPort: 15443 +# name: istio-ingressgateway +# istiodRemote: +# enabled: false +# pilot: +# enabled: true +# k8s: +# env: +# - name: POD_NAME +# valueFrom: +# fieldRef: +# apiVersion: v1 +# fieldPath: metadata.name +# - name: POD_NAMESPACE +# valueFrom: +# fieldRef: +# apiVersion: v1 +# fieldPath: metadata.namespace +# - name: GODEBUG +# value: gctrace=1 +# - name: PILOT_TRACE_SAMPLING +# value: '100' +# - name: CONFIG_NAMESPACE +# value: istio-config +# readinessProbe: +# httpGet: +# path: /ready +# port: 8080 +# initialDelaySeconds: 5 +# periodSeconds: 3 +# timeoutSeconds: 5 +# resources: +# requests: +# cpu: 10m +# memory: 100Mi +# strategy: +# rollingUpdate: +# maxSurge: 100% +# maxUnavailable: 25% +# policy: +# enabled: false +# k8s: +# env: +# - name: POD_NAMESPACE +# valueFrom: +# fieldRef: +# apiVersion: v1 +# fieldPath: metadata.namespace +# hpaSpec: +# maxReplicas: 5 +# metrics: +# - resource: +# name: cpu +# targetAverageUtilization: 80 +# type: Resource +# minReplicas: 1 +# scaleTargetRef: +# apiVersion: apps/v1 +# kind: Deployment +# name: istio-policy +# resources: +# requests: +# cpu: 10m +# memory: 100Mi +# strategy: +# rollingUpdate: +# maxSurge: 100% +# maxUnavailable: 25% +# telemetry: +# enabled: false +# k8s: +# env: +# - name: POD_NAMESPACE +# valueFrom: +# fieldRef: +# apiVersion: v1 +# fieldPath: metadata.namespace +# - name: GOMAXPROCS +# value: '6' +# hpaSpec: +# maxReplicas: 5 +# metrics: +# - resource: +# name: cpu +# targetAverageUtilization: 80 +# type: Resource +# minReplicas: 1 +# scaleTargetRef: +# apiVersion: apps/v1 +# kind: Deployment +# name: istio-telemetry +# replicaCount: 1 +# resources: +# limits: +# cpu: 4800m +# memory: 4G +# requests: +# cpu: 50m +# memory: 100Mi +# strategy: +# rollingUpdate: +# maxSurge: 100% +# maxUnavailable: 25% +# hub: docker.io/querycapistio +# meshConfig: +# enableAutoMtls: true +# accessLogFile: /dev/stdout +# defaultConfig: +# 
proxyMetadata: {} +# disablePolicyChecks: false +# enablePrometheusMerge: false +# # TODO: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig +# # enableTracing: true +# # enableEnvoyAccessLogService: true +# # outboundTrafficPolicy: +# # mode: 'REGISTRY_ONLY' +# # defaultServiceExportTo: +# # defaultVirtualServiceExportTo: +# # defaultDestinationRuleExportTo: +# tag: 1.6.7 +# values: +# base: +# validationURL: '' +# clusterResources: true +# gateways: +# istio-egressgateway: +# autoscaleEnabled: false +# env: {} +# name: istio-egressgateway +# secretVolumes: +# - mountPath: /etc/istio/egressgateway-certs +# name: egressgateway-certs +# secretName: istio-egressgateway-certs +# - mountPath: /etc/istio/egressgateway-ca-certs +# name: egressgateway-ca-certs +# secretName: istio-egressgateway-ca-certs +# type: ClusterIP +# zvpn: {} +# istio-ingressgateway: +# applicationPorts: '' +# autoscaleEnabled: false +# debug: info +# domain: '' +# env: {} +# meshExpansionPorts: +# - name: tcp-pilot-grpc-tls +# port: 15011 +# targetPort: 15011 +# - name: tcp-istiod +# port: 15012 +# targetPort: 15012 +# - name: tcp-citadel-grpc-tls +# port: 8060 +# targetPort: 8060 +# - name: tcp-dns-tls +# port: 853 +# targetPort: 8853 +# name: istio-ingressgateway +# secretVolumes: +# - mountPath: /etc/istio/ingressgateway-certs +# name: ingressgateway-certs +# secretName: istio-ingressgateway-certs +# - mountPath: /etc/istio/ingressgateway-ca-certs +# name: ingressgateway-ca-certs +# secretName: istio-ingressgateway-ca-certs +# type: LoadBalancer +# zvpn: {} +# global: +# # outboundTrafficPolicy: +# # mode: 'REGISTRY_ONLY' +# # arch: +# # amd64: 2 +# # ppc64le: 2 +# # s390x: 2 +# configValidation: true +# controlPlaneSecurityEnabled: true +# defaultNodeSelector: {} +# defaultPodDisruptionBudget: +# enabled: true +# defaultResources: +# requests: +# cpu: 10m +# enableHelmTest: false +# imagePullPolicy: 'Always' +# imagePullSecrets: [] +# istioNamespace: istio-system 
+# istiod: +# enableAnalysis: false +# enabled: true +# # TODO: https://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens +# # third-party-jwt may not be available with current cluster configuration +# jwtPolicy: third-party-jwt +# logAsJson: false +# logging: +# level: default:info +# meshExpansion: +# enabled: false +# useILB: false +# meshNetworks: {} +# mountMtlsCerts: false +# multiCluster: +# clusterName: '' +# enabled: false +# network: '' +# omitSidecarInjectorConfigMap: false +# oneNamespace: false +# operatorManageWebhooks: false +# pilotCertProvider: istiod +# priorityClassName: '' +# proxy: +# autoInject: enabled +# clusterDomain: cluster.local +# componentLogLevel: misc:error +# enableCoreDump: false +# envoyStatsd: +# enabled: false +# excludeIPRanges: '' +# excludeInboundPorts: '' +# excludeOutboundPorts: '' +# image: proxyv2 +# includeIPRanges: '*' +# logLevel: warning +# privileged: false +# readinessFailureThreshold: 30 +# readinessInitialDelaySeconds: 5 +# readinessPeriodSeconds: 2 +# resources: +# limits: +# cpu: 2000m +# memory: 1024Mi +# requests: +# cpu: 10m +# memory: 40Mi +# statusPort: 15020 +# tracer: zipkin +# proxy_init: +# image: proxyv2 +# resources: +# limits: +# cpu: 100m +# memory: 50Mi +# requests: +# cpu: 10m +# memory: 10Mi +# sds: +# # enabled: true +# token: +# aud: istio-ca +# sts: +# servicePort: 0 +# tracer: +# datadog: +# address: $(HOST_IP):8126 +# lightstep: +# accessToken: '' +# address: '' +# stackdriver: +# debug: false +# maxNumberOfAnnotations: 200 +# maxNumberOfAttributes: 200 +# maxNumberOfMessageEvents: 200 +# zipkin: +# address: '' +# trustDomain: cluster.local +# useMCP: false +# grafana: +# accessMode: ReadWriteMany +# contextPath: /grafana +# dashboardProviders: +# dashboardproviders.yaml: +# apiVersion: 1 +# providers: +# - disableDeletion: false +# folder: istio +# name: istio +# options: +# path: /var/lib/grafana/dashboards/istio +# orgId: 1 +# type: file +# 
datasources: +# datasources.yaml: +# apiVersion: 1 +# env: {} +# envSecrets: {} +# image: +# repository: grafana/grafana +# tag: 6.7.4 +# nodeSelector: {} +# persist: false +# podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# security: +# enabled: false +# passphraseKey: passphrase +# secretName: grafana +# usernameKey: username +# service: +# annotations: {} +# externalPort: 3000 +# name: http +# type: ClusterIP +# storageClassName: '' +# tolerations: [] +# istiocoredns: +# coreDNSImage: coredns/coredns +# coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1 +# coreDNSTag: 1.6.2 +# istiodRemote: +# injectionURL: '' +# kiali: +# contextPath: /kiali +# createDemoSecret: false +# dashboard: +# auth: +# strategy: anonymous +# grafanaInClusterURL: http://prometheus-operator-grafana.observability.svc.cluster.local +# jaegerInClusterURL: http://tracing/jaeger +# passphraseKey: passphrase +# secretName: kiali +# usernameKey: username +# viewOnlyMode: true +# hub: querycap +# nodeSelector: {} +# podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# security: +# cert_file: /kiali-cert/cert-chain.pem +# # TODO: Investigate security.enabled=true +# enabled: false +# private_key_file: /kiali-cert/key.pem +# service: +# annotations: {} +# tag: v1.20.0 +# mixer: +# adapters: +# kubernetesenv: +# enabled: true +# prometheus: +# enabled: true +# metricsExpiryDuration: 10m +# stackdriver: +# auth: +# apiKey: '' +# appCredentials: false +# serviceAccountPath: '' +# enabled: false +# tracer: +# enabled: false +# sampleProbability: 1 +# stdio: +# enabled: true +# outputAsJson: false +# useAdapterCRDs: false +# policy: +# adapters: +# kubernetesenv: +# enabled: true +# useAdapterCRDs: false +# autoscaleEnabled: false +# image: mixer +# sessionAffinityEnabled: false +# telemetry: +# autoscaleEnabled: false +# env: +# GOMAXPROCS: '6' +# image: mixer +# loadshedding: +# latencyThreshold: 100ms +# mode: enforce +# nodeSelector: {} +# 
podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# replicaCount: 1 +# sessionAffinityEnabled: false +# tolerations: [] +# pilot: +# appNamespaces: [] +# autoscaleEnabled: false +# autoscaleMax: 5 +# autoscaleMin: 1 +# configMap: true +# configNamespace: istio-config +# cpu: +# targetAverageUtilization: 80 +# enableProtocolSniffingForInbound: true +# enableProtocolSniffingForOutbound: true +# env: {} +# image: pilot +# keepaliveMaxServerConnectionAge: 30m +# nodeSelector: {} +# podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# policy: +# enabled: false +# replicaCount: 1 +# tolerations: [] +# traceSampling: 1 +# prometheus: +# contextPath: /prometheus +# hub: docker.io/prom +# nodeSelector: {} +# podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# provisionPrometheusCert: true +# retention: 6h +# scrapeInterval: 15s +# security: +# enabled: true +# tag: v2.15.1 +# tolerations: [] +# sidecarInjectorWebhook: +# enableNamespacesByDefault: false +# injectLabel: istio-injection +# objectSelector: +# autoInject: true +# enabled: true +# rewriteAppHTTPProbe: true +# telemetry: +# enabled: true +# v1: +# enabled: false +# v2: +# enabled: true +# metadataExchange: {} +# prometheus: +# enabled: true +# stackdriver: +# configOverride: {} +# enabled: false +# logging: false +# monitoring: false +# topology: false +# tracing: +# jaeger: +# accessMode: ReadWriteMany +# hub: docker.io/querycapjaegertracing +# memory: +# max_traces: 50000 +# persist: false +# spanStorageType: badger +# storageClassName: '' +# tag: 'latest' +# nodeSelector: {} +# opencensus: +# exporters: +# stackdriver: +# enable_tracing: true +# hub: docker.io/omnition +# resources: +# limits: +# cpu: '1' +# memory: 2Gi +# requests: +# cpu: 200m +# memory: 400Mi +# tag: 0.1.9 +# podAntiAffinityLabelSelector: [] +# podAntiAffinityTermLabelSelector: [] +# provider: jaeger +# service: +# annotations: {} +# externalPort: 9411 +# name: 
http-query +# type: ClusterIP +# zipkin: +# hub: docker.io/openzipkin +# javaOptsHeap: 700 +# maxSpans: 500000 +# node: +# cpus: 2 +# probeStartupDelay: 10 +# queryPort: 9411 +# resources: +# limits: +# cpu: 1000m +# memory: 2048Mi +# requests: +# cpu: 150m +# memory: 900Mi +# tag: 2.20.0 +# version: '' diff --git a/namespaces/istio-system/istio-1.6.5/istio-1.6.5.yaml b/namespaces/istio-system/istio/istio-1.7.2.yaml similarity index 78% rename from namespaces/istio-system/istio-1.6.5/istio-1.6.5.yaml rename to namespaces/istio-system/istio/istio-1.7.2.yaml index 0919e7c655..658a7d1471 100644 --- a/namespaces/istio-system/istio-1.6.5/istio-1.6.5.yaml +++ b/namespaces/istio-system/istio/istio-1.7.2.yaml @@ -4,63 +4,19 @@ metadata: name: istio namespace: istio-system spec: - # TODO - # revision: canary + # revision: 1.7.1 addonComponents: - grafana: - enabled: false - k8s: - replicaCount: 1 istiocoredns: enabled: false - kiali: - enabled: true - namespace: observability - k8s: - replicaCount: 1 - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - arm64 - podAnnotations: - sidecar.istio.io/inject: 'true' - serviceAnnotations: - sidecar.istio.io/inject: 'true' prometheus: enabled: false - k8s: - replicaCount: 1 - tracing: - enabled: true - k8s: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - arm64 components: base: enabled: true - citadel: - enabled: false - k8s: - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% cni: enabled: false egressGateways: - - enabled: true + - enabled: false k8s: affinity: nodeAffinity: 
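Review bot: Every line of this new istio-1.6.7.yaml is commented out, so the file contributes nothing to the cluster while adding roughly 590 lines a reader must scan to discover that; the istio-1.6.5.yaml copy whose tail is visible just above is in the same state. Git history already preserves the 1.6.x operator specs for rollback, so both inert copies could be deleted, or replaced by a one-line pointer comment in the live 1.7.2 file. If they are kept for a future canary `revision`, be aware they still carry `kiali.dashboard.auth.strategy: anonymous`, `kiali.security.enabled: false` and `tracing.jaeger.tag: 'latest'`, all of which the 1.7.2 file in this same diff removes or pins, so they must not be uncommented as-is.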
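Review bot: The newly added `# revision: 1.7.1` comment in this hunk disagrees with the `tag: 1.7.2` this file is moved to later in the diff; a commented-out revision that names the wrong version is exactly what the next person will copy when attempting a canary upgrade, so either drop the line or keep it equal to the version in `tag`. The hunk also flips `egressGateways[0].enabled` to `false`, yet the following hunk adds an HPA, a port list, resource limits and a rollout strategy for that same gateway, and a later hunk sets `istio-egressgateway.autoscaleEnabled: true`; all of that is inert while the component is disabled and should go with it, or `enabled: true` should be restored if egress control is still intended. The `spec:` at the top is context, so the IstioOperator continues outside this hunk.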
@@ -71,10 +27,43 @@ spec: operator: In values: - arm64 + env: + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + hpaSpec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + targetAverageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-egressgateway resources: + limits: + cpu: 2000m + memory: 1024Mi requests: - cpu: 10m - memory: 40Mi + cpu: 100m + memory: 128Mi + service: + ports: + - name: http2 + port: 80 + targetPort: 8080 + - name: https + port: 443 + targetPort: 8443 + - name: tls + port: 15443 + targetPort: 15443 + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% name: istio-egressgateway ingressGateways: - enabled: true @@ -88,28 +77,47 @@ spec: operator: In values: - arm64 + env: + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + hpaSpec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + targetAverageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-ingressgateway resources: + limits: + cpu: 2000m + memory: 1024Mi requests: - cpu: 10m - memory: 40Mi + cpu: 100m + memory: 128Mi service: loadBalancerIP: 192.168.1.150 ports: - name: status-port - port: 15020 - targetPort: 15020 + port: 15021 + targetPort: 15021 - name: http2 port: 80 targetPort: 8080 - name: https port: 443 targetPort: 8443 - - name: tcp - port: 31400 - targetPort: 31400 - name: tls port: 15443 targetPort: 15443 + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% name: istio-ingressgateway istiodRemote: enabled: false 
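Review bot: The ingress gateway Service in the second hunk publishes `status-port` 15021 and `tls` 15443 on `loadBalancerIP: 192.168.1.150` alongside 80 and 443. 15021 is the gateway's health/readiness endpoint and 15443 is the multi-cluster/mesh-expansion mTLS passthrough port; neither needs to be reachable from the LAN unless an external load balancer health-checks the pods or a second cluster peers with this one, and this cluster presumably fronts the gateway with MetalLB (metallb.yaml is touched later in this diff), which does no such health check. Consider trimming `service.ports` to the `http2` and `https` entries, in the same spirit as the `tcp` 31400 entry this hunk already removes. The HPA, resource limits and `status-port` renumbering to 15021 look right for 1.7.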
@@ -127,23 +135,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: GODEBUG - value: gctrace=1 - - name: PILOT_TRACE_SAMPLING - value: '100' - - name: CONFIG_NAMESPACE - value: istio-config readinessProbe: httpGet: path: /ready port: 8080 initialDelaySeconds: 5 - periodSeconds: 3 - timeoutSeconds: 5 - resources: - requests: - cpu: 10m - memory: 100Mi + periodSeconds: 5 + timeoutSeconds: 10 strategy: rollingUpdate: maxSurge: 100% @@ -169,10 +167,6 @@ spec: apiVersion: apps/v1 kind: Deployment name: istio-policy - resources: - requests: - cpu: 10m - memory: 100Mi strategy: rollingUpdate: maxSurge: 100% @@ -206,36 +200,26 @@ spec: cpu: 4800m memory: 4G requests: - cpu: 50m - memory: 100Mi + cpu: 1000m + memory: 1G strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% hub: docker.io/querycapistio meshConfig: - enableAutoMtls: true - accessLogFile: /dev/stdout defaultConfig: proxyMetadata: {} - disablePolicyChecks: false - enablePrometheusMerge: false - # TODO: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig - # enableTracing: true - # enableEnvoyAccessLogService: true - # outboundTrafficPolicy: - # mode: 'REGISTRY_ONLY' - # defaultServiceExportTo: - # defaultVirtualServiceExportTo: - # defaultDestinationRuleExportTo: - tag: 1.6.5 + enablePrometheusMerge: true + tag: 1.7.2 values: base: + enableCRDTemplates: false validationURL: '' clusterResources: true gateways: istio-egressgateway: - autoscaleEnabled: false + autoscaleEnabled: true env: {} name: istio-egressgateway secretVolumes: @@ -249,20 +233,14 @@ spec: zvpn: {} istio-ingressgateway: applicationPorts: '' - autoscaleEnabled: false + autoscaleEnabled: true debug: info domain: '' env: {} meshExpansionPorts: - - name: tcp-pilot-grpc-tls - port: 15011 - targetPort: 15011 - name: tcp-istiod port: 15012 targetPort: 15012 - - name: tcp-citadel-grpc-tls - port: 8060 - targetPort: 8060 - name: tcp-dns-tls port: 853 targetPort: 8853 
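Review bot: Removing `accessLogFile: /dev/stdout` from `meshConfig` in the third hunk turns off Envoy access logs for every sidecar and for the ingress gateway, since the default profile, as far as I know, leaves that field empty and an empty value disables access logging; the gateway log is the only record of an external request before it reaches a workload, so this is a detection and forensics regression rather than a clean-up. If log volume was the motive, keep `accessLogFile: /dev/stdout` and trim the output with `accessLogEncoding`/`accessLogFormat` instead. The same hunk deletes the commented `outboundTrafficPolicy: mode: 'REGISTRY_ONLY'` reminder while the egress gateway is disabled elsewhere in this file, which presumably leaves outbound traffic at Istio's permissive `ALLOW_ANY` default; the reminder is worth keeping until that decision is made explicitly. Dropping `enableAutoMtls: true` relies on the 1.7 default being true, which is fine, but an explicit value documents the intent.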
@@ -277,8 +255,6 @@ spec: type: LoadBalancer zvpn: {} global: - # outboundTrafficPolicy: - # mode: 'REGISTRY_ONLY' # arch: # amd64: 2 # ppc64le: 2 @@ -292,14 +268,11 @@ spec: requests: cpu: 10m enableHelmTest: false - imagePullPolicy: 'Always' + imagePullPolicy: '' imagePullSecrets: [] istioNamespace: istio-system istiod: enableAnalysis: false - enabled: true - # TODO: https://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens - # third-party-jwt may not be available with current cluster configuration jwtPolicy: third-party-jwt logAsJson: false logging: @@ -323,8 +296,6 @@ spec: clusterDomain: cluster.local componentLogLevel: misc:error enableCoreDump: false - envoyStatsd: - enabled: false excludeIPRanges: '' excludeInboundPorts: '' excludeOutboundPorts: '' @@ -334,27 +305,26 @@ spec: privileged: false readinessFailureThreshold: 30 readinessInitialDelaySeconds: 5 - readinessPeriodSeconds: 2 + readinessPeriodSeconds: 5 resources: limits: cpu: 2000m memory: 1024Mi requests: - cpu: 10m - memory: 40Mi + cpu: 100m + memory: 128Mi statusPort: 15020 tracer: zipkin proxy_init: image: proxyv2 resources: limits: - cpu: 100m - memory: 50Mi + cpu: 2000m + memory: 1024Mi requests: cpu: 10m memory: 10Mi sds: - # enabled: true token: aud: istio-ca sts: @@ -395,7 +365,7 @@ spec: envSecrets: {} image: repository: grafana/grafana - tag: 6.7.4 + tag: 7.0.5 nodeSelector: {} persist: false podAntiAffinityLabelSelector: [] @@ -436,12 +406,11 @@ spec: podAntiAffinityTermLabelSelector: [] security: cert_file: /kiali-cert/cert-chain.pem - # TODO: Investigate security.enabled=true enabled: false private_key_file: /kiali-cert/key.pem service: annotations: {} - tag: v1.20.0 + tag: v1.22 mixer: adapters: kubernetesenv: @@ -459,7 +428,7 @@ spec: enabled: false sampleProbability: 1 stdio: - enabled: true + enabled: false outputAsJson: false useAdapterCRDs: false policy: 
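Review bot: Setting `imagePullPolicy: ''` in the second hunk hands the choice to the kubelet default (`IfNotPresent` for a non-`latest` tag), which is fine, but neither that nor the previous `Always` is an integrity control: every Istio image here is referenced by mutable tag from the community hub `docker.io/querycapistio` (the `hub:` context line in the previous set of hunks), and the proxy it ships is injected into every pod in the mesh. Whoever can push to that hub can replace `1.7.2` and the change is picked up on the next fresh pull or new node without anything changing in git. Pin `tag` to an `@sha256:` digest where the operator accepts it, or mirror the images into a registry you control and point `hub` there. Deleting the `third-party-jwt` TODO is only right if TokenRequest projection has been verified on this cluster; `jwtPolicy: third-party-jwt` remains, and without projected tokens the injected proxies presumably cannot authenticate to istiod.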
@@ -467,11 +436,11 @@ spec: kubernetesenv: enabled: true useAdapterCRDs: false - autoscaleEnabled: false + autoscaleEnabled: true image: mixer sessionAffinityEnabled: false telemetry: - autoscaleEnabled: false + autoscaleEnabled: true env: GOMAXPROCS: '6' image: mixer @@ -486,7 +455,7 @@ spec: tolerations: [] pilot: appNamespaces: [] - autoscaleEnabled: false + autoscaleEnabled: true autoscaleMax: 5 autoscaleMin: 1 configMap: true @@ -517,14 +486,14 @@ spec: scrapeInterval: 15s security: enabled: true - tag: v2.15.1 + tag: v2.19.2 tolerations: [] sidecarInjectorWebhook: enableNamespacesByDefault: false injectLabel: istio-injection objectSelector: autoInject: true - enabled: true + enabled: false rewriteAppHTTPProbe: true telemetry: enabled: true @@ -532,9 +501,11 @@ spec: enabled: false v2: enabled: true - metadataExchange: {} + metadataExchange: + wasmEnabled: false prometheus: enabled: true + wasmEnabled: false stackdriver: configOverride: {} enabled: false @@ -550,7 +521,7 @@ spec: persist: false spanStorageType: badger storageClassName: '' - tag: 'latest' + tag: '1.18.1' nodeSelector: {} opencensus: exporters: diff --git a/namespaces/kube-system/kured/kured.yaml b/namespaces/kube-system/kured/kured.yaml index c0224c67e7..61c8d19b7f 100644 --- a/namespaces/kube-system/kured/kured.yaml +++ b/namespaces/kube-system/kured/kured.yaml 
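Review bot: The `prometheus.tag: v2.19.2` bump in the third hunk, like the Grafana and Kiali bumps in earlier hunks of this file, edits `values.*` for addons that `addonComponents` now disables or omits, so the settings are inert and give a false picture of what is deployed; the same applies to `autoscaleEnabled: true` for `mixer.policy`/`mixer.telemetry` in the first hunk while the `policy` and `telemetry` components appear to remain disabled. Either delete the dead `values` blocks or put a comment such as `# addon disabled in addonComponents; retained for reference only` above each so nobody tries to tune them. Pinning Jaeger from `'latest'` to `'1.18.1'` in the last hunk is the right move. `objectSelector.enabled: false` changes only how the injection webhook is filtered; injection appears to stay opt-in via `enableNamespacesByDefault: false`.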
@@ -1,20 +1,34 @@ --- -apiVersion: helm.fluxcd.io/v1 +apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: kured namespace: kube-system - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' spec: - releaseName: kured - helmVersion: v3 + interval: 5m chart: - repository: https://weaveworks.github.io/kured - name: kured - version: 2.1.1 + spec: + chart: kured + version: 2.2.0 + sourceRef: + kind: HelmRepository + name: weaveworks-kured-charts + namespace: gitops-system + interval: 5m + test: + enable: false # Enable helm test + install: + remediation: # perform remediation when helm install fails + retries: 3 + upgrade: + remediation: # perform remediation when helm upgrade fails + retries: 3 + remediateLastFailure: true # remediate the last failure, when no retries remain + cleanupOnFail: true + rollback: + timeout: 1m + cleanupOnFail: true values: image: repository: raspbernetes/kured - tag: 1.4.5 + tag: 1.5.0 diff --git a/namespaces/kube-system/metrics-server/metrics-server.yaml b/namespaces/kube-system/metrics-server/metrics-server.yaml index fb4d334b44..56e86a7e94 100644 --- a/namespaces/kube-system/metrics-server/metrics-server.yaml +++ b/namespaces/kube-system/metrics-server/metrics-server.yaml 
@@ -1,24 +1,34 @@ --- -apiVersion: helm.fluxcd.io/v1 +apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: metrics-server namespace: kube-system - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' spec: - releaseName: metrics-server - helmVersion: v3 - rollback: - enable: true + interval: 5m chart: - repository: https://kubernetes-charts.storage.googleapis.com/ - name: metrics-server - version: 2.11.1 + spec: + chart: metrics-server + version: 2.11.1 + sourceRef: + kind: HelmRepository + name: kubernetes-stable-charts + namespace: gitops-system + interval: 5m + test: + enable: false # Enable helm test + install: + remediation: # perform remediation when helm install fails + retries: 3 + upgrade: + remediation: # perform remediation when helm upgrade fails + retries: 3 + remediateLastFailure: true # remediate the last failure, when no retries remain + cleanupOnFail: true + rollback: + timeout: 1m + cleanupOnFail: true values: - rbac: - pspEnabled: true image: repository: gcr.io/google_containers/metrics-server-arm64 tag: v0.3.6 diff --git a/namespaces/kube-system/sealed-secrets/sealed-secrets.yaml b/namespaces/kube-system/sealed-secrets/sealed-secrets.yaml index b97ac0432d..37621da70b 100644 --- a/namespaces/kube-system/sealed-secrets/sealed-secrets.yaml +++ b/namespaces/kube-system/sealed-secrets/sealed-secrets.yaml 
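Review bot: Dropping `rbac.pspEnabled: true` from the values in this hunk presumably removes the chart-managed PodSecurityPolicy and the binding that lets the metrics-server ServiceAccount use it, and nothing in the commit message says why; if PodSecurityPolicy admission is enforced on this cluster (cert-manager in the same diff keeps `podSecurityPolicy.enabled: true`, which suggests it is), the pod will either fail admission or run under whichever broader cluster-wide policy its ServiceAccount can reach. Keep `pspEnabled: true` until PSP is retired cluster-wide, or record the reason in the file, e.g. `# pspEnabled dropped: PSP admission is not enforced on this cluster`. The chart (2.11.1) and image (v0.3.6) stay pinned, which is good.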
@@ -1,19 +1,34 @@ --- -apiVersion: helm.fluxcd.io/v1 +apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: sealed-secrets namespace: kube-system - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' + creationTimestamp: null spec: - releaseName: sealed-secrets - helmVersion: v3 + interval: 5m chart: - repository: https://kubernetes-charts.storage.googleapis.com/ - name: sealed-secrets - version: 1.10.3 + spec: + chart: sealed-secrets + version: 1.10.3 + sourceRef: + kind: HelmRepository + name: kubernetes-stable-charts + namespace: gitops-system + interval: 5m + test: + enable: false # Enable helm test + install: + remediation: # perform remediation when helm install fails + retries: 3 + upgrade: + remediation: # perform remediation when helm upgrade fails + retries: 3 + remediateLastFailure: true # remediate the last failure, when no retries remain + cleanupOnFail: true + rollback: + timeout: 1m + cleanupOnFail: true values: ingress: enabled: false diff --git a/namespaces/network/cert-manager/cert-manager.yaml b/namespaces/network/cert-manager/cert-manager.yaml index bc940ee016..aeb50fa4bf 100644 --- a/namespaces/network/cert-manager/cert-manager.yaml +++ b/namespaces/network/cert-manager/cert-manager.yaml 
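Review bot: `creationTimestamp: null` under `metadata` in this hunk is an artefact of generating the manifest with a `--dry-run -o yaml` style tool; it is not a field a HelmRelease author should set, and no other HelmRelease in this diff carries it, so remove the line for consistency. Otherwise the migration keeps the chart pinned at 1.10.3 and `ingress.enabled: false`, which is right for the controller that decrypts every SealedSecret the other releases depend on.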
@@ -1,23 +1,46 @@ --- -apiVersion: helm.fluxcd.io/v1 +apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: cert-manager namespace: network - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' spec: - releaseName: cert-manager - helmVersion: v3 - rollback: - enable: false + interval: 5m chart: - repository: https://charts.jetstack.io/ - name: cert-manager - version: v0.16.1 + spec: + chart: cert-manager + # version: v1.0.2 + sourceRef: + kind: HelmRepository + name: jetstack-charts + namespace: gitops-system + interval: 5m + test: + enable: false # Enable helm test + install: + remediation: # perform remediation when helm install fails + retries: 5 + upgrade: + remediation: # perform remediation when helm upgrade fails + retries: 3 + remediateLastFailure: true # remediate the last failure, when no retries remain + cleanupOnFail: true + rollback: + timeout: 1m + cleanupOnFail: true + # Depends on having the sealed secret cloudflare-cert-manager-token un-encrypted. Also depends on prometheus-operator + # due to service monitor resources. + dependsOn: + - name: sealed-secrets + namespace: kube-system + - name: kube-prometheus-stack + namespace: observability values: global: + logLevel: 4 + leaderElection: + # Override the namespace used to store the ConfigMap for leader election + namespace: 'network' podSecurityPolicy: enabled: true installCRDs: true @@ -26,5 +49,9 @@ spec: servicemonitor: enabled: true extraArgs: + - --cluster-resource-namespace=network + - --enable-certificate-owner-ref=true - --dns01-recursive-nameservers=1.1.1.1:53 - --dns01-recursive-nameservers-only + # - --default-issuer-name=letsencrypt-prod + # - --default-issuer-kind=ClusterIssuer diff --git a/namespaces/network/cert-manager/clusterissuer-prod.yaml b/namespaces/network/cert-manager/clusterissuer-prod.yaml index 4b934f084e..192b6e8250 100644 --- a/namespaces/network/cert-manager/clusterissuer-prod.yaml 
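Review bot: Commenting out `version: v1.0.2` in the first hunk leaves the cert-manager chart unpinned, so, as I understand Flux's semver handling, each 5m reconcile will roll to whatever the jetstack HelmRepository publishes next, major releases included, for the component that holds the Cloudflare DNS token and issues every TLS certificate in the cluster. Every other HelmRelease in this diff pins `version`; restore a pin here (`version: v1.0.2`, or whichever version was actually tested) and bump it deliberately. `logLevel: 4` is debug-level verbosity; revisit it once the staging-issuer work the commit mentions has settled.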
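Review bot: `--enable-certificate-owner-ref=true` in the second hunk makes each TLS Secret garbage-collected together with its Certificate, so pruning or recreating a Certificate through GitOps deletes the private key and forces a fresh ACME issuance; with Let's Encrypt rate limits already a concern (the commit notes moving back to staging until stable), that deserves a comment beside the flag, e.g. `# Secrets are deleted with their Certificate; each re-issuance counts against LE rate limits`. `--cluster-resource-namespace=network` correctly matches the namespace of the `cloudflare-cert-manager-token` SealedSecret later in this diff. The two commented `--default-issuer-*` lines should either be enabled with the issuer actually in use or removed, since a stale `letsencrypt-prod` comment sits oddly next to the move back to staging.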
+++ b/namespaces/network/cert-manager/clusterissuer-prod.yaml @@ -1,5 +1,5 @@ --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-prod diff --git a/namespaces/network/cert-manager/clusterissuer-stg.yaml b/namespaces/network/cert-manager/clusterissuer-stg.yaml index 2fd41bd759..29421d7268 100644 --- a/namespaces/network/cert-manager/clusterissuer-stg.yaml +++ b/namespaces/network/cert-manager/clusterissuer-stg.yaml @@ -1,5 +1,5 @@ --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-staging diff --git a/namespaces/network/cert-manager/secret.encrypted.yaml b/namespaces/network/cert-manager/secret.encrypted.yaml index 941d3e0716..45765b163c 100644 --- a/namespaces/network/cert-manager/secret.encrypted.yaml +++ b/namespaces/network/cert-manager/secret.encrypted.yaml @@ -6,9 +6,10 @@ metadata: namespace: network spec: encryptedData: - api-token: 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 + api-token: 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 template: metadata: creationTimestamp: null name: cloudflare-cert-manager-token namespace: network + diff --git a/namespaces/network/cloudflare-ddns/deployment.yaml b/namespaces/network/cloudflare-ddns/deployment.yaml index 94d0fc78e4..77492e6c34 100644 --- a/namespaces/network/cloudflare-ddns/deployment.yaml +++ b/namespaces/network/cloudflare-ddns/deployment.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: cloudflare-ddns - image: hotio/cloudflare-ddns:latest + image: hotio/cloudflare-ddns:stable env: - name: CF_APITOKEN valueFrom: diff --git a/namespaces/network/dex/dex.yaml b/namespaces/network/dex/dex.yaml index 83724d4770..19ff133d04 100644 --- a/namespaces/network/dex/dex.yaml +++ b/namespaces/network/dex/dex.yaml 
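Review bot: Moving from `hotio/cloudflare-ddns:latest` to `:stable` in the last hunk swaps one floating tag for another; this container receives the Cloudflare API token through `CF_APITOKEN` (context lines), so a re-pushed `stable` image could exfiltrate that token with no change ever appearing in git. Pin to a specific version tag, or better an `@sha256:` digest, and bump it deliberately through a reviewed commit.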
@@ -1,18 +1,37 @@ --- -apiVersion: helm.fluxcd.io/v1 +apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: dex namespace: network - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' spec: - releaseName: dex + interval: 5m chart: - repository: https://kubernetes-charts.storage.googleapis.com/ - name: dex - version: 2.13.0 + spec: + chart: dex + version: 2.13.0 + sourceRef: + kind: HelmRepository + name: kubernetes-stable-charts + namespace: gitops-system + interval: 5m + test: + enable: false # Enable helm test + install: + remediation: # perform remediation when helm install fails + retries: 5 + upgrade: + remediation: # perform remediation when helm upgrade fails + retries: 3 + remediateLastFailure: true # remediate the last failure, when no retries remain + cleanupOnFail: true + rollback: + timeout: 1m + cleanupOnFail: true + # Depends on having the sealed secret dex-helm-values un-encrypted. + dependsOn: + - name: sealed-secrets + namespace: kube-system values: image: raspbernetes/dex imageTag: v2.24.0 @@ -71,5 +90,6 @@ spec: - secretName: dex.raspbernetes.com-tls hosts: - dex.raspbernetes.com - valueFileSecrets: - - name: 'dex-helm-values' + valuesFrom: + - kind: Secret + name: dex-helm-values diff --git a/namespaces/network/dex/secret.encrypted.yaml b/namespaces/network/dex/secret.encrypted.yaml new file mode 100644 index 0000000000..9e3f82890f --- /dev/null +++ b/namespaces/network/dex/secret.encrypted.yaml @@ -0,0 +1,15 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: dex-helm-values + namespace: network +spec: + encryptedData: + values.yaml: 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 + template: + metadata: + creationTimestamp: null + name: dex-helm-values + namespace: network + diff --git a/namespaces/network/external-dns/external-dns.yaml b/namespaces/network/external-dns/external-dns.yaml index 03dc3d0623..5573d226b8 100644 
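Review bot: `valuesFrom: - kind: Secret name: dex-helm-values` relies on the v2beta1 default `valuesKey` of `values.yaml`; the SealedSecret added in this same diff uses that key, so it works, but the coupling is implicit. Adding `valuesKey: values.yaml` to the entry documents which key the release reads and makes a later key rename fail visibly at review time instead of at reconcile time. The `dependsOn` entry for `sealed-secrets` only orders the release after the controller, not after this particular secret has been unsealed, so the install remediation retries are what cover the window before `dex-helm-values` exists; worth a short comment so nobody lowers `retries` without knowing that.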
--- a/namespaces/network/external-dns/external-dns.yaml +++ b/namespaces/network/external-dns/external-dns.yaml @@ -1,18 +1,37 @@ --- -apiVersion: helm.fluxcd.io/v1 +apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: external-dns namespace: network - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' spec: - releaseName: external-dns + interval: 5m chart: - repository: https://charts.bitnami.com/bitnami - name: external-dns - version: 3.3.0 + spec: + chart: external-dns + version: 3.3.0 + sourceRef: + kind: HelmRepository + name: bitnami-charts + namespace: gitops-system + interval: 5m + test: + enable: false # Enable helm test + install: + remediation: # perform remediation when helm install fails + retries: 3 + upgrade: + remediation: # perform remediation when helm upgrade fails + retries: 3 + remediateLastFailure: true # remediate the last failure, when no retries remain + cleanupOnFail: true + rollback: + timeout: 1m + cleanupOnFail: true + # Depends on prometheus-operator due to service monitor resources. + dependsOn: + - name: kube-prometheus-stack + namespace: observability values: image: registry: docker.io @@ -26,7 +45,6 @@ spec: logLevel: debug rbac: create: true - pspEnabled: true metrics: enabled: true serviceMonitor: diff --git a/namespaces/network/keycloak/keycloak.yaml b/namespaces/network/keycloak/keycloak.yaml index e01a4e75c4..b0328a580b 100644 --- a/namespaces/network/keycloak/keycloak.yaml +++ b/namespaces/network/keycloak/keycloak.yaml @@ -1,6 +1,6 @@ # TODO: https://github.com/raspbernetes/k8s-gitops/issues/70 # --- -# apiVersion: helm.fluxcd.io/v1 +# apiVersion: helm.toolkit.fluxcd.io/v2beta1 # kind: HelmRelease # metadata: # name: keycloak diff --git a/namespaces/network/metallb/metallb.yaml b/namespaces/network/metallb/metallb.yaml index ff1fcdfc83..2fdfde3aa6 100644 --- a/namespaces/network/metallb/metallb.yaml +++ b/namespaces/network/metallb/metallb.yaml 
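Review bot: Removing `pspEnabled: true` from `rbac` drops the PodSecurityPolicy binding for external-dns, while cert-manager in this same diff keeps `podSecurityPolicy.enabled: true`, and nothing in the diff says whether PSP admission is being retired cluster-wide. If the admission controller is still enforcing, external-dns pods may be rejected at the next upgrade; if it is not, this is a silent loosening of what the pod is allowed to do. The commented-out openfaas release (namespaces/openfaas/openfaas/openfaas.yaml in this diff) likewise loses its `psp: true` line. Either keep the value or add a comment such as `# PSP intentionally not bound: PodSecurityPolicy admission is disabled on this cluster` so the decision is recorded.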
@@ -1,19 +1,33 @@ --- -apiVersion: helm.fluxcd.io/v1 +apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: metallb namespace: network - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' spec: - releaseName: metallb - helmVersion: v3 + interval: 5m chart: - repository: https://kubernetes-charts.storage.googleapis.com/ - name: metallb - version: 0.12.0 + spec: + chart: metallb + version: 0.12.0 + sourceRef: + kind: HelmRepository + name: kubernetes-stable-charts + namespace: gitops-system + interval: 5m + test: + enable: false # Enable helm test + install: + remediation: # perform remediation when helm install fails + retries: 3 + upgrade: + remediation: # perform remediation when helm upgrade fails + retries: 3 + remediateLastFailure: true # remediate the last failure, when no retries remain + cleanupOnFail: true + rollback: + timeout: 1m + cleanupOnFail: true values: controller: image: @@ -25,9 +39,9 @@ spec: tag: v0.9.3 prometheus: serviceMonitor: - enabled: true + enabled: false prometheusRule: - enabled: true + enabled: false configInline: address-pools: - name: default diff --git a/namespaces/network/nginx-ingress/nginx-ingress.yaml b/namespaces/network/nginx-ingress/nginx-ingress.yaml index cd41b5bd3a..8fe981a7e9 100644 --- a/namespaces/network/nginx-ingress/nginx-ingress.yaml +++ b/namespaces/network/nginx-ingress/nginx-ingress.yaml @@ -1,5 +1,5 @@ # --- -# apiVersion: helm.fluxcd.io/v1 +# apiVersion: helm.toolkit.fluxcd.io/v2beta1 # kind: HelmRelease # metadata: # name: ingress-nginx diff --git a/namespaces/network/oauth2-proxy/oauth2-proxy-dex.yaml b/namespaces/network/oauth2-proxy/oauth2-proxy-dex.yaml deleted file mode 100644 index b21ba71da9..0000000000 --- a/namespaces/network/oauth2-proxy/oauth2-proxy-dex.yaml +++ /dev/null 
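Review bot: Switching `prometheus.serviceMonitor.enabled` and `prometheusRule.enabled` to `false` removes MetalLB metrics scraping and its alert rules, so controller and speaker failures will no longer surface in Prometheus or Alertmanager. If the reason is install ordering (the ServiceMonitor and PrometheusRule CRDs do not exist until kube-prometheus-stack is installed), the pattern used by cert-manager, external-dns and loki in this diff — `dependsOn: - name: kube-prometheus-stack namespace: observability` — keeps monitoring on while still reconciling cleanly. If the monitoring was dropped deliberately, a comment stating why would stop it being re-enabled by accident.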
@@ -1,55 +0,0 @@ ---- -apiVersion: helm.fluxcd.io/v1 -kind: HelmRelease -metadata: - name: oauth2-proxy - namespace: network - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' -spec: - releaseName: oauth2-proxy - helmVersion: v3 - chart: - repository: https://kubernetes-charts.storage.googleapis.com/ - name: oauth2-proxy - version: 3.1.0 - values: - image: - repository: 'quay.io/pusher/oauth2_proxy' - tag: v5.1.1-arm64 - config: - existingSecret: oauth2-proxy-dex - extraArgs: - provider: oidc - provider-display-name: 'DEX OIDC Provider' - oidc-issuer-url: https://dex.raspbernetes.com - cookie-secure: true - cookie-domain: .raspbernetes.com - whitelist-domain: .raspbernetes.com - email-domain: '*' - session-store-type: cookie - pass-basic-auth: false - pass-access-token: true - pass-authorization-header: true - set-authorization-header: true - set-xauthrequest: true - standard-logging: true - auth-logging: true - request-logging: true - skip-provider-button: true - ssl-insecure-skip-verify: true - upstream: static://200 - http-address: 0.0.0.0:4180 - ingress: - enabled: false - path: /oauth2 - hosts: - - raspbernetes.com - annotations: - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: 'letsencrypt-prod' - tls: - - secretName: raspbernetes.com-tls - hosts: - - raspbernetes.com diff --git a/namespaces/network/oauth2-proxy/oauth2-proxy.yaml b/namespaces/network/oauth2-proxy/oauth2-proxy.yaml index d87cf96ab2..4840fbc74f 100644 --- a/namespaces/network/oauth2-proxy/oauth2-proxy.yaml +++ b/namespaces/network/oauth2-proxy/oauth2-proxy.yaml 
@@ -1,40 +1,75 @@ -# --- -# apiVersion: helm.fluxcd.io/v1 -# kind: HelmRelease -# metadata: -# name: oauth2-proxy -# namespace: network -# annotations: -# fluxcd.io/ignore: 'false' -# fluxcd.io/automated: 'false' -# spec: -# releaseName: oauth2-proxy -# helmVersion: v3 -# chart: -# repository: https://kubernetes-charts.storage.googleapis.com/ -# name: oauth2-proxy -# version: 3.1.0 -# values: -# image: -# repository: 'quay.io/pusher/oauth2_proxy' -# tag: v5.1.1-arm64 -# config: -# existingSecret: oauth2-proxy-github -# extraArgs: -# provider: github -# github-org: raspbernetes -# email-domain: '*' -# cookie-domain: raspbernetes.com -# whitelist-domain: raspbernetes.com -# ingress: -# enabled: false -# path: /oauth2 -# hosts: -# - raspbernetes.com -# annotations: -# kubernetes.io/ingress.class: nginx -# cert-manager.io/cluster-issuer: 'letsencrypt-prod' -# tls: -# - secretName: raspbernetes.com-tls -# hosts: -# - raspbernetes.com +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: oauth2-proxy + namespace: network +spec: + interval: 5m + chart: + spec: + chart: oauth2-proxy + version: 3.1.0 + sourceRef: + kind: HelmRepository + name: kubernetes-stable-charts + namespace: gitops-system + interval: 5m + test: + enable: false # Enable helm test + install: + remediation: # perform remediation when helm install fails + retries: 5 + upgrade: + remediation: # perform remediation when helm upgrade fails + retries: 3 + remediateLastFailure: true # remediate the last failure, when no retries remain + cleanupOnFail: true + rollback: + timeout: 1m + cleanupOnFail: true + # Depends on having the sealed secret oauth2-proxy-dex un-encrypted. Also requires dex + cert-manager to be running. 
+ dependsOn: + - name: dex + - name: cert-manager + - name: sealed-secrets + namespace: kube-system + values: + image: + repository: 'quay.io/pusher/oauth2_proxy' + tag: v5.1.1-arm64 + config: + existingSecret: oauth2-proxy-dex + extraArgs: + provider: oidc + provider-display-name: 'DEX OIDC Provider' + oidc-issuer-url: https://dex.raspbernetes.com + cookie-secure: true + cookie-domain: .raspbernetes.com + whitelist-domain: .raspbernetes.com + email-domain: '*' + session-store-type: cookie + pass-basic-auth: false + pass-access-token: true + pass-authorization-header: true + set-authorization-header: true + set-xauthrequest: true + standard-logging: true + auth-logging: true + request-logging: true + skip-provider-button: true + ssl-insecure-skip-verify: true + upstream: static://200 + http-address: 0.0.0.0:4180 + ingress: + enabled: false + path: /oauth2 + hosts: + - raspbernetes.com + annotations: + kubernetes.io/ingress.class: nginx + cert-manager.io/cluster-issuer: 'letsencrypt-prod' + tls: + - secretName: raspbernetes.com-tls + hosts: + - raspbernetes.com diff --git a/namespaces/observability/botkube/botkube.yaml b/namespaces/observability/botkube/botkube.yaml deleted file mode 100644 index e3558f7617..0000000000 --- a/namespaces/observability/botkube/botkube.yaml +++ /dev/null 
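Review bot: `ssl-insecure-skip-verify: true` disables certificate verification for oauth2-proxy's connection to the OIDC issuer `https://dex.raspbernetes.com`, so the token exchange that everything behind this proxy depends on is exposed to man-in-the-middle, and the setting is now live because the file moves from fully commented out to an active HelmRelease. If it exists to tolerate an untrusted issuer on dex (the `letsencrypt-staging` ClusterIssuer is defined in this diff), a narrower fix is to trust that CA explicitly (oauth2-proxy's `provider-ca-file` option, if present in v5.1.1) or to keep dex on the production issuer, and to delete this flag. `email-domain: '*'` combined with `provider: oidc` admits every identity dex will authenticate, which is only as strict as dex's connectors; a comment recording that this is intended would help. The `dependsOn` entries for `dex` and `cert-manager` omit `namespace` and so resolve within `network`, which matches where both releases live.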
@@ -1,199 +0,0 @@ ---- -# apiVersion: helm.fluxcd.io/v1 -# kind: HelmRelease -# metadata: -# name: botkube -# namespace: observability -# annotations: -# fluxcd.io/ignore: false -# spec: -# releaseName: botkube -# rollback: -# enable: true -# chart: -# repository: https://infracloudio.github.io/charts -# name: botkube -# version: v0.10.0 -# values: -# image: -# repository: infracloudio/botkube -# tag: v0.10.0 -# serviceMonitor: -# enabled: true -# config: -# settings: -# clustername: k8s -# resources: -# - name: pod # Name of the resources e.g pod, deployment, ingress, etc. (Resource name must be in singular form) -# namespaces: -# include: -# - all -# ignore: # List of namespaces to be ignored (omitempty), used only with include: all -# - rook-ceph # example : include [all], ignore [x,y,z] -# events: # List of lifecycle events you want to receive, e.g create, update, delete, error OR all -# - create -# - delete -# - name: service -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - delete -# - error -# - name: deployment -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - update -# - delete -# - error -# - name: statefulset -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - update -# - delete -# - error -# - name: ingress -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - delete -# - error -# - name: node -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - delete -# - error -# - name: namespace -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - delete -# - error -# - name: persistentvolume -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - delete -# - error -# - name: persistentvolumeclaim -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - delete -# - error -# - name: secret -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# 
- create -# - delete -# - error -# - name: configmap -# namespaces: -# include: -# - all -# ignore: -# - rook-ceph -# events: -# - delete -# - error -# - name: daemonset -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - delete -# - error -# - name: job -# namespaces: -# include: -# - all -# ignore: -# - rook-ceph -# events: -# - create -# - update -# - delete -# - error -# - name: role -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - delete -# - error -# - name: rolebinding -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - delete -# - error -# - name: clusterrole -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - delete -# - error -# - name: clusterrolebinding -# namespaces: -# include: -# - all -# ignore: -# - -# events: -# - create -# - delete -# - error -# valueFileSecrets: -# - name: 'botkube-helm-values' diff --git a/namespaces/observability/jaeger-operator/jaeger-operator.yaml b/namespaces/observability/jaeger-operator/jaeger-operator.yaml deleted file mode 100644 index cd03dc9830..0000000000 --- a/namespaces/observability/jaeger-operator/jaeger-operator.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# apiVersion: helm.fluxcd.io/v1 -# kind: HelmRelease -# metadata: -# name: jaeger-operator -# namespace: observability -# annotations: -# fluxcd.io/ignore: 'false' -# fluxcd.io/automated: 'false' -# spec: -# releaseName: jaeger-operator -# chart: -# repository: https://jaegertracing.github.io/helm-charts -# name: jaeger-operator -# version: 2.14.2 diff --git a/namespaces/observability/jaeger/jaeger.yaml b/namespaces/observability/jaeger/jaeger.yaml deleted file mode 100644 index ea027dc361..0000000000 --- a/namespaces/observability/jaeger/jaeger.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -# apiVersion: helm.fluxcd.io/v1 -# kind: HelmRelease -# metadata: -# name: jaeger -# namespace: observability -# annotations: -# fluxcd.io/ignore: 'false' -# fluxcd.io/automated: 'false' -# spec: -# releaseName: jaeger -# chart: -# repository: https://jaegertracing.github.io/helm-charts -# name: jaeger -# version: 0.27.2 diff --git a/namespaces/observability/kiali/kiali-server.yaml b/namespaces/observability/kiali/kiali-server.yaml index 6ec6adb784..16acdc6c5a 100644 --- a/namespaces/observability/kiali/kiali-server.yaml +++ b/namespaces/observability/kiali/kiali-server.yaml @@ -1,6 +1,6 @@ # # Source: https://github.com/kiali/helm-charts # --- -# apiVersion: helm.fluxcd.io/v1 +# apiVersion: helm.toolkit.fluxcd.io/v2beta1 # kind: HelmRelease # metadata: # name: kiali-server diff --git a/namespaces/observability/prometheus-operator/prometheus-operator.yaml b/namespaces/observability/kube-prometheus-stack/kube-prometheus-stack.yaml similarity index 83% rename from namespaces/observability/prometheus-operator/prometheus-operator.yaml rename to namespaces/observability/kube-prometheus-stack/kube-prometheus-stack.yaml index 28675095eb..8d6d2488e3 100644 --- a/namespaces/observability/prometheus-operator/prometheus-operator.yaml +++ b/namespaces/observability/kube-prometheus-stack/kube-prometheus-stack.yaml 
@@ -1,23 +1,40 @@ --- -apiVersion: helm.fluxcd.io/v1 +apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: prometheus-operator + name: kube-prometheus-stack namespace: observability - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' spec: - releaseName: prometheus-operator - helmVersion: v3 - rollback: - enable: false + interval: 5m chart: - repository: https://kubernetes-charts.storage.googleapis.com/ - name: prometheus-operator - version: 9.3.1 + spec: + chart: kube-prometheus-stack + version: 9.4.7 + sourceRef: + kind: HelmRepository + name: prometheus-community-charts + namespace: gitops-system + interval: 5m + test: + enable: false # Enable helm test + install: + remediation: # perform remediation when helm install fails + retries: 3 + upgrade: + remediation: # perform remediation when helm upgrade fails + retries: 3 + remediateLastFailure: true # remediate the last failure, when no retries remain + cleanupOnFail: true + rollback: + timeout: 1m + cleanupOnFail: true + # Depends on having the sealed secret to un-encrypted required secrets. + dependsOn: + - name: sealed-secrets + namespace: kube-system + timeout: 20m values: - fullnameOverride: 'z' + fullnameOverride: x prometheusOperator: enabled: true manageCrds: true @@ -29,20 +46,24 @@ spec: tlsProxy: image: repository: raspbernetes/ghostunnel - tag: v1.5.2 + tag: v1.5.3 admissionWebhooks: patch: image: repository: jettech/kube-webhook-certgen - tag: v1.2.0 + tag: v1.3.0 configmapReloadImage: repository: jimmidyson/configmap-reload - tag: v0.3.0 + tag: v0.4.0 prometheusConfigReloaderImage: repository: quay.io/coreos/prometheus-config-reloader tag: v0.40.0 alertmanager: + fullnameOverride: alertmanager enabled: true + alertmanagerSpec: + # Required for istio - https://istio.io/latest/docs/reference/config/analysis/ist0118/ + portName: http-web ingress: enabled: false annotations: 
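Review bot: `fullnameOverride: x` is an opaque value that other files in this diff hard-code (the VirtualServices now target `x-alertmanager.observability.svc.cluster.local` and `x-prometheus.observability.svc.cluster.local`), so a future change to the override silently breaks routing with nothing in this file pointing at the dependency. If the one-letter prefix exists to keep generated resource names under a length limit, as its shape suggests, that reasoning belongs next to the line, e.g. `fullnameOverride: x  # single char keeps generated names short; referenced by vs-alert-manager.yaml and vs-prometheus.yaml`. The `# Depends on having the sealed secret to un-encrypted required secrets.` comment would read better as `# Depends on sealed-secrets to decrypt the required secrets.`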
@@ -58,10 +79,11 @@ spec: hosts: - alert-manager.raspbernetes.com grafana: + fullnameOverride: grafana enabled: true image: repository: grafana/grafana - tag: 7.1.3 + tag: 7.2.0 ingress: enabled: false annotations: @@ -78,8 +100,7 @@ spec: - grafana.raspbernetes.com sidecar: image: - repository: raspbernetes/k8s-sidecar - tag: 0.1.144 + tag: 0.1.193 imagePullPolicy: Always dashboards: enabled: true @@ -144,8 +165,8 @@ spec: url: http://loki.logging.svc.cluster.local:3100 downloadDashboardsImage: repository: curlimages/curl - tag: 7.70.0 - # Unused because disable_login_form=false however, used for backup authentication + tag: 7.72.0 + # Unused because disable_login_form=true however, used for backup authentication admin: existingSecret: 'grafana-admin-creds' userKey: admin-user @@ -192,6 +213,7 @@ spec: token_url: https://dex.raspbernetes.com/token api_url: https://dex.raspbernetes.com/userinfo prometheus: + fullnameOverride: prometheus ingress: enabled: false annotations: @@ -207,6 +229,8 @@ spec: hosts: - prometheus.raspbernetes.com prometheusSpec: + # Required for istio - https://istio.io/latest/docs/reference/config/analysis/ist0118/ + portName: http-web storageSpec: volumeClaimTemplate: spec: @@ -224,6 +248,9 @@ spec: podMonitorNamespaceSelector: {} podMonitorSelectorNilUsesHelmValues: false kube-state-metrics: + fullnameOverride: kube-state-metrics image: repository: raspbernetes/kube-state-metrics tag: v1.9.5 + prometheus-node-exporter: + fullnameOverride: node-exporter diff --git a/namespaces/observability/prometheus-operator/secret.encrypted-grafana.yaml b/namespaces/observability/kube-prometheus-stack/secret.encrypted-grafana.yaml similarity index 100% rename from namespaces/observability/prometheus-operator/secret.encrypted-grafana.yaml rename to namespaces/observability/kube-prometheus-stack/secret.encrypted-grafana.yaml 
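Review bot: Dropping `repository: raspbernetes/k8s-sidecar` while bumping `tag: 0.1.193` means the grafana sidecar now pulls the chart's default image at that tag instead of the repo's own build, whereas the other images in this file that were rebuilt under `raspbernetes/` (`raspbernetes/ghostunnel`, `raspbernetes/kube-state-metrics`) keep their custom repository, presumably for the cluster's architecture. If the default repository does not publish a matching manifest for 0.1.193 the sidecar will fail to start and dashboards and datasources stop loading, so this is worth verifying on the cluster and recording in a comment. `imagePullPolicy: Always` remains, so the image is re-pulled on every pod start; pinning by digest would make that pull deterministic.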
diff --git a/namespaces/observability/prometheus-operator/secret.encrypted.yaml b/namespaces/observability/kube-prometheus-stack/secret.encrypted.yaml similarity index 100% rename from namespaces/observability/prometheus-operator/secret.encrypted.yaml rename to namespaces/observability/kube-prometheus-stack/secret.encrypted.yaml diff --git a/namespaces/observability/prometheus-operator/secret.oauth2.encrypted.yaml b/namespaces/observability/kube-prometheus-stack/secret.oauth2.encrypted.yaml similarity index 100% rename from namespaces/observability/prometheus-operator/secret.oauth2.encrypted.yaml rename to namespaces/observability/kube-prometheus-stack/secret.oauth2.encrypted.yaml diff --git a/namespaces/observability/prometheus-operator/vs-alert-manager.yaml b/namespaces/observability/kube-prometheus-stack/vs-alert-manager.yaml similarity index 87% rename from namespaces/observability/prometheus-operator/vs-alert-manager.yaml rename to namespaces/observability/kube-prometheus-stack/vs-alert-manager.yaml index c95c28765c..11b89c3c1f 100644 --- a/namespaces/observability/prometheus-operator/vs-alert-manager.yaml +++ b/namespaces/observability/kube-prometheus-stack/vs-alert-manager.yaml @@ -18,4 +18,4 @@ spec: - destination: port: number: 9093 - host: z-alertmanager.observability.svc.cluster.local + host: x-alertmanager.observability.svc.cluster.local diff --git a/namespaces/observability/prometheus-operator/vs-grafana.yaml b/namespaces/observability/kube-prometheus-stack/vs-grafana.yaml similarity index 84% rename from namespaces/observability/prometheus-operator/vs-grafana.yaml rename to namespaces/observability/kube-prometheus-stack/vs-grafana.yaml index 21a40d4707..707b53fda2 100644 --- a/namespaces/observability/prometheus-operator/vs-grafana.yaml +++ b/namespaces/observability/kube-prometheus-stack/vs-grafana.yaml 
@@ -18,4 +18,4 @@ spec: - destination: port: number: 80 - host: prometheus-operator-grafana.observability.svc.cluster.local + host: grafana.observability.svc.cluster.local diff --git a/namespaces/observability/prometheus-operator/vs-prometheus.yaml b/namespaces/observability/kube-prometheus-stack/vs-prometheus.yaml similarity index 87% rename from namespaces/observability/prometheus-operator/vs-prometheus.yaml rename to namespaces/observability/kube-prometheus-stack/vs-prometheus.yaml index 0412be2647..4a34686f51 100644 --- a/namespaces/observability/prometheus-operator/vs-prometheus.yaml +++ b/namespaces/observability/kube-prometheus-stack/vs-prometheus.yaml @@ -18,4 +18,4 @@ spec: - destination: port: number: 9090 - host: z-prometheus.observability.svc.cluster.local + host: x-prometheus.observability.svc.cluster.local diff --git a/namespaces/observability/loki/loki.yaml b/namespaces/observability/loki/loki.yaml index 7fbf101aae..4c0eef8316 100644 --- a/namespaces/observability/loki/loki.yaml +++ b/namespaces/observability/loki/loki.yaml 
@@ -1,19 +1,37 @@ --- -apiVersion: helm.fluxcd.io/v1 +apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: loki namespace: observability - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' spec: - releaseName: loki - helmVersion: v3 + interval: 5m chart: - repository: https://grafana.github.io/loki/charts - name: loki-stack - version: 0.40.0 + spec: + chart: loki-stack + version: 0.40.0 + sourceRef: + kind: HelmRepository + name: grafana-loki-charts + namespace: gitops-system + interval: 5m + test: + enable: false # Enable helm test + install: + remediation: # perform remediation when helm install fails + retries: 3 + upgrade: + remediation: # perform remediation when helm upgrade fails + retries: 3 + remediateLastFailure: true # remediate the last failure, when no retries remain + cleanupOnFail: true + rollback: + timeout: 1m + cleanupOnFail: true + # Depends on having prometheus-operator due to service monitor resources. + dependsOn: + - name: kube-prometheus-stack + namespace: observability values: loki: enabled: true diff --git a/namespaces/observability/speedtest/speedtest.yaml b/namespaces/observability/speedtest/speedtest.yaml index b15afc3fa7..4ba19b5645 100644 --- a/namespaces/observability/speedtest/speedtest.yaml +++ b/namespaces/observability/speedtest/speedtest.yaml 
@@ -1,21 +1,36 @@ --- -apiVersion: helm.fluxcd.io/v1 +apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: speedtest-prometheus namespace: observability - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' spec: - releaseName: speedtest-prometheus - helmVersion: v3 - rollback: - enable: true + interval: 5m chart: - repository: https://billimek.com/billimek-charts/ - name: speedtest-prometheus - version: 1.0.1 + spec: + chart: speedtest-prometheus + version: 1.0.1 + sourceRef: + kind: HelmRepository + name: k8s-at-home-charts + namespace: gitops-system + interval: 1m + test: + enable: false # Enable helm test + install: + remediation: # perform remediation when helm install fails + retries: 3 + upgrade: + remediation: # perform remediation when helm upgrade fails + retries: 3 + remediateLastFailure: true # remediate the last failure, when no retries remain + cleanupOnFail: true + rollback: + timeout: 1m + cleanupOnFail: true + # Depends on having prometheus-operator due to service monitor resources. + dependsOn: + - name: kube-prometheus-stack values: serviceMonitor: enabled: true diff --git a/namespaces/openfaas-fn/namespace.yaml b/namespaces/openfaas-fn/namespace.yaml index 749d2638db..27123e393e 100644 --- a/namespaces/openfaas-fn/namespace.yaml +++ b/namespaces/openfaas-fn/namespace.yaml @@ -1,8 +1,8 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: openfaas-fn - labels: - role: openfaas-fn - namespace: openfaas-fn +# --- +# apiVersion: v1 +# kind: Namespace +# metadata: +# name: openfaas-fn +# labels: +# role: openfaas-fn +# namespace: openfaas-fn diff --git a/namespaces/openfaas-fn/networkpolicy.yaml b/namespaces/openfaas-fn/networkpolicy.yaml index 8cd7402310..cbd919c5e0 100644 --- a/namespaces/openfaas-fn/networkpolicy.yaml +++ b/namespaces/openfaas-fn/networkpolicy.yaml 
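Review bot: `chart.spec.interval: 1m` polls the HelmRepository for new chart versions every minute while every other release in this diff uses `5m`; with `version: 1.0.1` pinned the shorter interval gains nothing and only adds reconcile load, so `interval: 5m` would be consistent. `dependsOn: - name: kube-prometheus-stack` omits `namespace`, which resolves to `observability` and is correct here, but loki in this diff spells the namespace out; using the same form in both files makes the dependency unambiguous when one of them is moved.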
@@ -1,15 +1,15 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-allow-all - namespace: openfaas-fn -spec: - podSelector: {} - ingress: - - {} - egress: - - {} - policyTypes: - - Ingress - - Egress +# --- +# apiVersion: networking.k8s.io/v1 +# kind: NetworkPolicy +# metadata: +# name: default-allow-all +# namespace: openfaas-fn +# spec: +# podSelector: {} +# ingress: +# - {} +# egress: +# - {} +# policyTypes: +# - Ingress +# - Egress diff --git a/namespaces/openfaas/namespace.yaml b/namespaces/openfaas/namespace.yaml index 4ce4d9c959..fe8ba1c113 100644 --- a/namespaces/openfaas/namespace.yaml +++ b/namespaces/openfaas/namespace.yaml @@ -1,9 +1,9 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: openfaas - labels: - role: openfaas-system - access: openfaas-system - namespace: openfaas +# --- +# apiVersion: v1 +# kind: Namespace +# metadata: +# name: openfaas +# labels: +# role: openfaas-system +# access: openfaas-system +# namespace: openfaas diff --git a/namespaces/openfaas/networkpolicy.yaml b/namespaces/openfaas/networkpolicy.yaml index 915aa1e7c4..8ab381a42d 100644 --- a/namespaces/openfaas/networkpolicy.yaml +++ b/namespaces/openfaas/networkpolicy.yaml @@ -1,15 +1,15 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-allow-all - namespace: openfaas -spec: - podSelector: {} - ingress: - - {} - egress: - - {} - policyTypes: - - Ingress - - Egress +# --- +# apiVersion: networking.k8s.io/v1 +# kind: NetworkPolicy +# metadata: +# name: default-allow-all +# namespace: openfaas +# spec: +# podSelector: {} +# ingress: +# - {} +# egress: +# - {} +# policyTypes: +# - Ingress +# - Egress diff --git a/namespaces/openfaas/openfaas/openfaas.yaml b/namespaces/openfaas/openfaas/openfaas.yaml index d6c191a6ce..55a4bf3b8e 100644 --- a/namespaces/openfaas/openfaas/openfaas.yaml +++ b/namespaces/openfaas/openfaas/openfaas.yaml 
@@ -1,44 +1,44 @@ ---- -apiVersion: helm.fluxcd.io/v1 -kind: HelmRelease -metadata: - name: openfaas - namespace: openfaas - annotations: - fluxcd.io/ignore: 'false' - fluxcd.io/automated: 'false' -spec: - releaseName: openfaas - helmVersion: v3 - chart: - repository: https://openfaas.github.io/faas-netes/ - name: openfaas - version: 6.0.1 - values: - basic_auth: false - psp: true - gateway: - image: openfaas/gateway:0.18.18-arm64 - directFunctions: true - oauth2Plugin: - enabled: false - faasnetes: - image: openfaas/faas-netes:0.12.2-arm64 - operator: - image: openfaas/faas-netes:0.12.2-arm64 - create: false - queueWorker: - image: openfaas/queue-worker:0.11.0-arm64 - prometheus: - create: false - alertmanager: - create: false - faasIdler: - image: openfaas/faas-idler:0.3.0-arm64 - basicAuthPlugin: - image: openfaas/basic-auth-plugin:0.18.17-arm64 - replicas: 1 - ingressOperator: - create: false - nodeSelector: - beta.kubernetes.io/arch: arm64 +# --- +# apiVersion: helm.toolkit.fluxcd.io/v2beta1 +# kind: HelmRelease +# metadata: +# name: openfaas +# namespace: openfaas +# spec: +# interval: 5m +# chart: +# spec: +# chart: openfaas +# version: 6.0.1 +# sourceRef: +# kind: HelmRepository +# name: openfaas-charts +# namespace: gitops-system +# interval: 5m +# values: +# basic_auth: false +# gateway: +# image: openfaas/gateway:0.18.18-arm64 +# directFunctions: true +# oauth2Plugin: +# enabled: false +# faasnetes: +# image: openfaas/faas-netes:0.12.2-arm64 +# operator: +# image: openfaas/faas-netes:0.12.2-arm64 +# create: false +# queueWorker: +# image: openfaas/queue-worker:0.11.0-arm64 +# prometheus: +# create: false +# alertmanager: +# create: false +# faasIdler: +# image: openfaas/faas-idler:0.3.0-arm64 +# basicAuthPlugin: +# image: openfaas/basic-auth-plugin:0.18.17-arm64 +# replicas: 1 +# ingressOperator: +# create: false +# nodeSelector: +# beta.kubernetes.io/arch: arm64 
diff --git a/namespaces/security/falco/falco.yaml b/namespaces/security/falco/falco.yaml index d81821f3b2..1d7f36e4a6 100644 --- a/namespaces/security/falco/falco.yaml +++ b/namespaces/security/falco/falco.yaml @@ -1,5 +1,5 @@ --- -# apiVersion: helm.fluxcd.io/v1 +# apiVersion: helm.toolkit.fluxcd.io/v2beta1 # kind: HelmRelease # metadata: # name: falco diff --git a/namespaces/security/gatekeeper/000-crd.yaml b/namespaces/security/gatekeeper/000-crd.yaml index 5df8265e05..8a39f98553 100644 --- a/namespaces/security/gatekeeper/000-crd.yaml +++ b/namespaces/security/gatekeeper/000-crd.yaml 
@@ -1,215 +1,215 @@ -# Extracted CRDs from gatekeeper repository -# https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.4 - creationTimestamp: null - labels: - gatekeeper.sh/system: 'yes' - name: configs.config.gatekeeper.sh -spec: - group: config.gatekeeper.sh - names: - kind: Config - listKind: ConfigList - plural: configs - singular: config - scope: Namespaced - validation: - openAPIV3Schema: - description: Config is the Schema for the configs API - properties: - apiVersion: - description: - 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: - 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ConfigSpec defines the desired state of Config - properties: - sync: - description: Configuration for syncing k8s objects - properties: - syncOnly: - description: - If non-empty, only entries on this list will be replicated - into OPA - items: - properties: - group: - type: string - kind: - type: string - version: - type: string - type: object - type: array - type: object - validation: - description: Configuration for validation - properties: - traces: - description: - List of requests to trace. 
Both "user" and "kinds" - must be specified - items: - properties: - dump: - description: - Also dump the state of OPA with the trace. Set - to `All` to dump everything. - type: string - kind: - description: Only trace requests of the following GroupVersionKind - properties: - group: - type: string - kind: - type: string - version: - type: string - type: object - user: - description: Only trace requests from the specified user - type: string - type: object - type: array - type: object - type: object - status: - description: ConfigStatus defines the observed state of Config - type: object - type: object - version: v1alpha1 - versions: - - name: v1alpha1 - served: true - storage: true -status: - acceptedNames: - kind: '' - plural: '' - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - controller-tools.k8s.io: '1.0' - name: constrainttemplates.templates.gatekeeper.sh -spec: - group: templates.gatekeeper.sh - names: - kind: ConstraintTemplate - plural: constrainttemplates - scope: Cluster - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: - 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: - 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - crd: - properties: - spec: - properties: - names: - properties: - kind: - type: string - shortNames: - items: - type: string - type: array - type: object - validation: - type: object - type: object - type: object - targets: - items: - properties: - libs: - items: - type: string - type: array - rego: - type: string - target: - type: string - type: object - type: array - type: object - status: - properties: - byPod: - items: - properties: - errors: - items: - properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - description: a unique identifier for the pod that wrote the status - type: string - observedGeneration: - format: int64 - type: integer - type: object - type: array - created: - type: boolean - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true - - name: v1alpha1 - served: true - storage: false -status: - acceptedNames: - kind: '' - plural: '' - conditions: [] - storedVersions: [] +# # Extracted CRDs from gatekeeper repository +# # https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml +# --- +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# annotations: +# controller-gen.kubebuilder.io/version: v0.2.4 +# creationTimestamp: null +# labels: +# gatekeeper.sh/system: 'yes' +# name: configs.config.gatekeeper.sh +# spec: +# group: config.gatekeeper.sh +# names: +# kind: Config +# listKind: ConfigList +# plural: configs +# singular: config +# scope: Namespaced +# validation: +# openAPIV3Schema: +# description: Config is the Schema for the configs API +# properties: +# apiVersion: +# description: +# 'APIVersion defines the versioned schema of this representation +# of an 
object. Servers should convert recognized schemas to the latest +# internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +# type: string +# kind: +# description: +# 'Kind is a string value representing the REST resource this +# object represents. Servers may infer this from the endpoint the client +# submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +# type: string +# metadata: +# type: object +# spec: +# description: ConfigSpec defines the desired state of Config +# properties: +# sync: +# description: Configuration for syncing k8s objects +# properties: +# syncOnly: +# description: +# If non-empty, only entries on this list will be replicated +# into OPA +# items: +# properties: +# group: +# type: string +# kind: +# type: string +# version: +# type: string +# type: object +# type: array +# type: object +# validation: +# description: Configuration for validation +# properties: +# traces: +# description: +# List of requests to trace. Both "user" and "kinds" +# must be specified +# items: +# properties: +# dump: +# description: +# Also dump the state of OPA with the trace. Set +# to `All` to dump everything. 
+# type: string +# kind: +# description: Only trace requests of the following GroupVersionKind +# properties: +# group: +# type: string +# kind: +# type: string +# version: +# type: string +# type: object +# user: +# description: Only trace requests from the specified user +# type: string +# type: object +# type: array +# type: object +# type: object +# status: +# description: ConfigStatus defines the observed state of Config +# type: object +# type: object +# version: v1alpha1 +# versions: +# - name: v1alpha1 +# served: true +# storage: true +# status: +# acceptedNames: +# kind: '' +# plural: '' +# conditions: [] +# storedVersions: [] +# --- +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# creationTimestamp: null +# labels: +# controller-tools.k8s.io: '1.0' +# name: constrainttemplates.templates.gatekeeper.sh +# spec: +# group: templates.gatekeeper.sh +# names: +# kind: ConstraintTemplate +# plural: constrainttemplates +# scope: Cluster +# subresources: +# status: {} +# validation: +# openAPIV3Schema: +# properties: +# apiVersion: +# description: +# 'APIVersion defines the versioned schema of this representation +# of an object. Servers should convert recognized schemas to the latest +# internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +# type: string +# kind: +# description: +# 'Kind is a string value representing the REST resource this +# object represents. Servers may infer this from the endpoint the client +# submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +# type: string +# metadata: +# type: object +# spec: +# properties: +# crd: +# properties: +# spec: +# properties: +# names: +# properties: +# kind: +# type: string +# shortNames: +# items: +# type: string +# type: array +# type: object +# validation: +# type: object +# type: object +# type: object +# targets: +# items: +# properties: +# libs: +# items: +# type: string +# type: array +# rego: +# type: string +# target: +# type: string +# type: object +# type: array +# type: object +# status: +# properties: +# byPod: +# items: +# properties: +# errors: +# items: +# properties: +# code: +# type: string +# location: +# type: string +# message: +# type: string +# required: +# - code +# - message +# type: object +# type: array +# id: +# description: a unique identifier for the pod that wrote the status +# type: string +# observedGeneration: +# format: int64 +# type: integer +# type: object +# type: array +# created: +# type: boolean +# type: object +# version: v1beta1 +# versions: +# - name: v1beta1 +# served: true +# storage: true +# - name: v1alpha1 +# served: true +# storage: false +# status: +# acceptedNames: +# kind: '' +# plural: '' +# conditions: [] +# storedVersions: [] diff --git a/namespaces/security/gatekeeper/gatekeeper.yaml b/namespaces/security/gatekeeper/gatekeeper.yaml index 0729aaddc7..4dc216b077 100644 --- a/namespaces/security/gatekeeper/gatekeeper.yaml +++ b/namespaces/security/gatekeeper/gatekeeper.yaml @@ -1,5 +1,5 @@ # --- -# apiVersion: helm.fluxcd.io/v1 +# apiVersion: helm.toolkit.fluxcd.io/v2beta1 # kind: HelmRelease # metadata: # name: gatekeeper diff --git a/namespaces/storage/openebs/openebs.yaml b/namespaces/storage/openebs/openebs.yaml index 9c6da40d01..b23df653f8 100644 --- a/namespaces/storage/openebs/openebs.yaml +++ b/namespaces/storage/openebs/openebs.yaml 
@@ -1,22 +1,34 @@
 ---
-apiVersion: helm.fluxcd.io/v1
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
 name: openebs
 namespace: storage
- annotations:
- fluxcd.io/ignore: 'false'
- fluxcd.io/automated: 'false'
 spec:
- releaseName: openebs
- helmVersion: v3
+ interval: 5m
 chart:
- repository: https://openebs.github.io/charts
- name: openebs
- version: 1.12.3
+ spec:
+ chart: openebs
+ version: 2.1.0
+ sourceRef:
+ kind: HelmRepository
+ name: openebs-charts
+ namespace: gitops-system
+ interval: 5m
+ test:
+ enable: false # Enable helm test
+ install:
+ remediation: # perform remediation when helm install fails
+ retries: 3
+ upgrade:
+ remediation: # perform remediation when helm upgrade fails
+ retries: 3
+ remediateLastFailure: true # remediate the last failure, when no retries remain
+ cleanupOnFail: true
+ rollback:
+ timeout: 1m
+ cleanupOnFail: true
 values:
- rbac:
- pspEnabled: true
 ndm:
 sparse:
 count: '1'
diff --git a/namespaces/storage/rook-ceph/rook-ceph.yaml b/namespaces/storage/rook-ceph/rook-ceph.yaml
deleted file mode 100644
index cdc6661785..0000000000
--- a/namespaces/storage/rook-ceph/rook-ceph.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-# apiVersion: helm.fluxcd.io/v1
-# kind: HelmRelease
-# metadata:
-# name: rook-ceph
-# namespace: storage
-# annotations:
-# fluxcd.io/ignore: 'false'
-# fluxcd.io/automated: 'false'
-# spec:
-# releaseName: rook-ceph
-# chart:
-# repository: https://charts.rook.io/release
-# name: rook-ceph
-# version: v1.3.2
-# values:
-# csi:
-# kubeletDirPath: /var/lib/kubelet
-# resources:
-# requests:
-# cpu: 100m
-# memory: 128Mi
-# limits:
-# cpu: 500m
-# memory: 1000Mi
diff --git a/scripts/flux.sh b/scripts/flux.sh
deleted file mode 100755
index a8f40c9451..0000000000
--- a/scripts/flux.sh
+++ /dev/null
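Review bot: The new `values:` block for openebs drops `rbac.pspEnabled: true`, which the removed v1 release set, while also bumping the chart from 1.12.3 to 2.1.0; if the 2.1.0 chart still honours that value, the OpenEBS pods lose their PodSecurityPolicy and nothing in the commit message says this was intended. Either restore `rbac:` / `pspEnabled: true` under `values:` or leave a comment stating why it was removed. The `install.remediation.retries: 3` block also deserves a note for a storage controller, since, as far as I recall the v2beta1 API, install remediation is an uninstall of the failed release, e.g. `# NOTE: install remediation uninstalls the release on failure — confirm this is acceptable for a storage provider`.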
@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-set -eou pipefail
-
-CLEAN=${CLEAN:-true}
-
-if [[ ! $(fluxctl) ]]; then
- echo "Fluxctl needs to be manually installed - https://docs.fluxcd.io/en/latest/references/fluxctl/"
- exit 1
-fi
-
-# Untaint master nodes
-# TODO: Enable Ansible to allow configuring the taints to be added/removed.
-[[ ! $(kubectl taint nodes --all node-role.kubernetes.io/master-) ]] && echo "Masters untainted"
-
-# Ignore if namespace already exists
-[[ ! $(kubectl get ns flux) ]] && kubectl create ns flux
-
-if [[ -f .secrets/k8s-secret-fluxcd-ssh.yaml ]]; then
- echo "Applying existing SSH key pair"
- kubectl apply -f .secrets/k8s-secret-fluxcd-ssh.yaml
-fi
-
-if [[ -f .secrets/k8s-secret-fluxcd-ssh.yaml ]]; then
- echo "Applying existing sealed-secret key"
- kubectl apply -f .secrets/k8s-secret-sealed-secret-private-key.yaml
-fi
-
-helm repo add fluxcd https://charts.fluxcd.io
-
-helm template fluxcd/flux \
- --name-template=default \
- --namespace=flux \
- --version=1.5.0 \
- --values=config/flux/values.yaml > flux.yaml
-
-[[ -f flux.yaml ]] && kubectl apply -f flux.yaml
-
-echo -e "\nCompleted..."
-echo "Note: Follow these instructions to setup SSH keys if this is your first time: https://docs.fluxcd.io/en/latest/tutorials/get-started/#giving-write-access"
-
-if [[ -f "flux.yaml" && $CLEAN == true ]]; then
- echo -e "\nCleaning up manifests."
- echo "Set CLEAN=false if you wish for this not to occur."
- rm -rf flux.yaml
-fi
diff --git a/scripts/helm-gen.sh b/scripts/helm-gen.sh
deleted file mode 100755
index cebb8b82fe..0000000000
--- a/scripts/helm-gen.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-set -eou pipefail
-
-HELM_OPERATOR_VERSION=v1.2.0
-
-mkdir -p output
-
-helm repo add fluxcd https://charts.fluxcd.io
-helm template fluxcd/helm-operator \
- --version="${HELM_OPERATOR_VERSION}" \
- --name-template=default \
- --namespace flux \
- --values=config/helm-operator/values.yaml > output/helm-operator.yaml
-
-kustomize build -o namespaces/flux/helm-operator/helm-operator.yaml
-
-rm -rf output