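├── README.md
└── flux
    ├── bootstrap-flux.sh
    ├── namespace.yaml
    ├── resources
    │   ├── cert-manager
    │   │   ├── cert-manager.yaml
    │   │   ├── ns.yaml
    │   │   └── selfsigned.yaml
    │   ├── demo
    │   │   ├── elastic.yaml
    │   │   ├── ingress.yaml
    │   │   └── ns.yaml
    │   ├── eck
    │   │   └── eck.yaml
    │   ├── external-dns
    │   │   ├── cilium-etcd-operator.yaml
    │   │   ├── coredns.yaml
    │   │   ├── etcd-crd.yaml
    │   │   ├── external-dns.yaml
    │   │   └── ns.yaml
    │   ├── local-static-provisioner
    │   │   ├── local-static-provisioner.yaml
    │   │   ├── ns.yaml
    │   │   └── storageclass.yaml
    │   ├── metallb-system
    │   │   ├── generate-secret.sh
    │   │   ├── metallb-config.yaml
    │   │   ├── metallb.yaml
    │   │   └── ns.yaml
    │   ├── metrics-server
    │   │   ├── metrics-server.yaml
    │   │   └── ns.yaml
    │   ├── nginx-ingress
    │   │   ├── nginx-ingress.yaml
    │   │   └── ns.yaml
    │   └── npd
    │       ├── node-problem-detector.yaml
    │       └── ns.yaml
    ├── values-flux.yaml
    └── values-helm-operator.yaml

/README.md:
--------------------------------------------------------------------------------
# Gitops template

This repository is used as a template for commonly used tools on top of Kubernetes and provides an example of using [fluxcd](https://fluxcd.io) with Helm v3 charts.

--------------------------------------------------------------------------------
/flux/bootstrap-flux.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Bootstrap Flux and the Helm Operator into the "flux" namespace.
#
# Prerequisites: kubectl and helm v3 on PATH, with a kubeconfig that points at
# the target cluster. Every step is idempotent ("kubectl apply", "helm upgrade -i"),
# so the script can be re-run after a partial failure.
#
# Fail on the first error and on unset variables instead of silently continuing
# with a half-bootstrapped cluster.
set -eu

# namespace.yaml and the values files are referenced relatively; run from the
# directory that holds this script regardless of the caller's working directory.
cd "$(dirname "$0")"

kubectl apply -f namespace.yaml

# Older helm v3 releases error out when a repo name is already registered, which
# would abort re-runs under "set -e"; only add the repo when it is not present.
helm repo list 2>/dev/null | grep -q '^fluxcd[[:space:]]' || helm repo add fluxcd https://charts.fluxcd.io

# NOTE(review): no --version is given, so each run installs whatever the repo
# currently publishes as latest. Pin with `--version <CHART_VERSION>` (placeholder)
# for a reproducible bootstrap.
helm upgrade -i flux fluxcd/flux -n flux -f values-flux.yaml
helm upgrade -i helm-operator fluxcd/helm-operator -n flux -f values-helm-operator.yaml

--------------------------------------------------------------------------------
/flux/namespace.yaml:
--------------------------------------------------------------------------------
# Namespace that hosts Flux and the Helm Operator (installed by bootstrap-flux.sh).
apiVersion: v1
kind: Namespace
metadata:
  name: flux

--------------------------------------------------------------------------------
/flux/resources/cert-manager/cert-manager.yaml:
--------------------------------------------------------------------------------
# cert-manager, installed by the Helm Operator from the jetstack chart repo.
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  releaseName: cert-manager
  chart:
    repository: https://charts.jetstack.io
    # Chart version is pinned; bump deliberately, the CRD API versions
    # (see selfsigned.yaml, cert-manager.io/v1alpha2) move with the release.
    version: v0.15.0
    name: cert-manager
  values:
    # The CRDs are owned by this Helm release: deleting the release also deletes
    # the CRDs and every Certificate/Issuer object stored under them.
    installCRDs: true

--------------------------------------------------------------------------------
/flux/resources/cert-manager/ns.yaml:
--------------------------------------------------------------------------------
---
kind: Namespace
apiVersion: v1
metadata:
  name: cert-manager
  labels:
    name: cert-manager

--------------------------------------------------------------------------------
/flux/resources/cert-manager/selfsigned.yaml:
--------------------------------------------------------------------------------
# Cluster-wide issuer that signs certificates with their own key.
# Certificates from this issuer are not trusted by browsers or other clients;
# it is suitable for the demo ingress below, not for externally reachable services.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: selfsigned-clusterissuer
spec:
  selfSigned: {}

--------------------------------------------------------------------------------
/flux/resources/demo/elastic.yaml:
--------------------------------------------------------------------------------
# Two-node Elasticsearch cluster managed by the ECK operator (see ../eck/eck.yaml).
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
  namespace: demo
spec:
  version: 7.6.2
  nodeSets:
  - name: default
    count: 2
    podTemplate:
      spec:
        initContainers:
        # This init container runs privileged only to raise vm.max_map_count on the
        # node kernel, which Elasticsearch requires. Privileged gives the container
        # full host access, so the "demo" namespace must allow privileged pods.
        # Setting the sysctl on the nodes themselves (node image or config
        # management) lets this block, and the privilege, be removed.
        - name: sysctl
          securityContext:
            privileged: true
          command: ['sh', '-c', 'sysctl -w vm.max_map_count=262144']
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 100Gi
        # NOTE(review): presumably the class created by
        # ../local-static-provisioner/storageclass.yaml; local volumes are
        # node-bound, so a pod cannot be rescheduled to another node with its data.
        storageClassName: local

--------------------------------------------------------------------------------
/flux/resources/demo/ingress.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx
  namespace: demo
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      # Untagged image resolves to "latest", so every pod restart may pull a
      # different build. Pin to a tag or digest, e.g. nginx:<TAG>@sha256:<DIGEST>
      # (placeholder), for a reproducible and reviewable deployment.
      - image: nginx
        name: nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
  namespace: demo
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
---
# networking.k8s.io/v1beta1 Ingress is removed in Kubernetes 1.22; migrate to
# networking.k8s.io/v1 (pathType, service.name/port) before upgrading past 1.21.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    # cert-manager issues the TLS certificate for the hosts below into the
    # secret named in spec.tls, using the self-signed ClusterIssuer.
    cert-manager.io/cluster-issuer: selfsigned-clusterissuer
  name: nginx
  namespace: demo
spec:
  rules:
  - host: nginx.test.org
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
  tls:
  - hosts:
    - nginx.test.org
    secretName: nginx.test.org

--------------------------------------------------------------------------------
/flux/resources/demo/ns.yaml:
--------------------------------------------------------------------------------
---
kind: Namespace
apiVersion: v1
metadata:
  name: demo
  labels:
    name: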
demo 8 | -------------------------------------------------------------------------------- /flux/resources/eck/eck.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | creationTimestamp: null 5 | name: apmservers.apm.k8s.elastic.co 6 | spec: 7 | additionalPrinterColumns: 8 | - JSONPath: .status.health 9 | name: health 10 | type: string 11 | - JSONPath: .status.availableNodes 12 | description: Available nodes 13 | name: nodes 14 | type: integer 15 | - JSONPath: .spec.version 16 | description: APM version 17 | name: version 18 | type: string 19 | - JSONPath: .metadata.creationTimestamp 20 | name: age 21 | type: date 22 | group: apm.k8s.elastic.co 23 | names: 24 | categories: 25 | - elastic 26 | kind: ApmServer 27 | listKind: ApmServerList 28 | plural: apmservers 29 | shortNames: 30 | - apm 31 | singular: apmserver 32 | scope: Namespaced 33 | subresources: 34 | status: {} 35 | validation: 36 | openAPIV3Schema: 37 | description: ApmServer represents an APM Server resource in a Kubernetes cluster. 38 | properties: 39 | apiVersion: 40 | description: 'APIVersion defines the versioned schema of this representation 41 | of an object. Servers should convert recognized schemas to the latest 42 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 43 | type: string 44 | kind: 45 | description: 'Kind is a string value representing the REST resource this 46 | object represents. Servers may infer this from the endpoint the client 47 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 48 | type: string 49 | metadata: 50 | type: object 51 | spec: 52 | description: ApmServerSpec holds the specification of an APM Server. 
53 | properties: 54 | config: 55 | description: 'Config holds the APM Server configuration. See: https://www.elastic.co/guide/en/apm/server/current/configuring-howto-apm-server.html' 56 | type: object 57 | count: 58 | description: Count of APM Server instances to deploy. 59 | format: int32 60 | type: integer 61 | elasticsearchRef: 62 | description: ElasticsearchRef is a reference to the output Elasticsearch 63 | cluster running in the same Kubernetes cluster. 64 | properties: 65 | name: 66 | description: Name of the Kubernetes object. 67 | type: string 68 | namespace: 69 | description: Namespace of the Kubernetes object. If empty, defaults 70 | to the current namespace. 71 | type: string 72 | required: 73 | - name 74 | type: object 75 | http: 76 | description: HTTP holds the HTTP layer configuration for the APM Server 77 | resource. 78 | properties: 79 | service: 80 | description: Service defines the template for the associated Kubernetes 81 | Service object. 82 | properties: 83 | metadata: 84 | description: ObjectMeta is the metadata of the service. The 85 | name and namespace provided here are managed by ECK and will 86 | be ignored. 87 | type: object 88 | spec: 89 | description: Spec is the specification of the service. 90 | properties: 91 | clusterIP: 92 | description: 'clusterIP is the IP address of the service 93 | and is usually assigned randomly by the master. If an 94 | address is specified manually and is not in use by others, 95 | it will be allocated to the service; otherwise, creation 96 | of the service will fail. This field can not be changed 97 | through updates. Valid values are "None", empty string 98 | (""), or a valid IP address. "None" can be specified for 99 | headless services when proxying is not required. Only 100 | applies to types ClusterIP, NodePort, and LoadBalancer. 101 | Ignored if type is ExternalName. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' 102 | type: string 103 | externalIPs: 104 | description: externalIPs is a list of IP addresses for which 105 | nodes in the cluster will also accept traffic for this 106 | service. These IPs are not managed by Kubernetes. The 107 | user is responsible for ensuring that traffic arrives 108 | at a node with this IP. A common example is external 109 | load-balancers that are not part of the Kubernetes system. 110 | items: 111 | type: string 112 | type: array 113 | externalName: 114 | description: externalName is the external reference that 115 | kubedns or equivalent will return as a CNAME record for 116 | this service. No proxying will be involved. Must be a 117 | valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) 118 | and requires Type to be ExternalName. 119 | type: string 120 | externalTrafficPolicy: 121 | description: externalTrafficPolicy denotes if this Service 122 | desires to route external traffic to node-local or cluster-wide 123 | endpoints. "Local" preserves the client source IP and 124 | avoids a second hop for LoadBalancer and Nodeport type 125 | services, but risks potentially imbalanced traffic spreading. 126 | "Cluster" obscures the client source IP and may cause 127 | a second hop to another node, but should have good overall 128 | load-spreading. 129 | type: string 130 | healthCheckNodePort: 131 | description: healthCheckNodePort specifies the healthcheck 132 | nodePort for the service. If not specified, HealthCheckNodePort 133 | is created by the service api backend with the allocated 134 | nodePort. Will use user-specified nodePort value if specified 135 | by the client. Only effects when Type is set to LoadBalancer 136 | and ExternalTrafficPolicy is set to Local. 
137 | format: int32 138 | type: integer 139 | ipFamily: 140 | description: ipFamily specifies whether this Service has 141 | a preference for a particular IP family (e.g. IPv4 vs. 142 | IPv6). If a specific IP family is requested, the clusterIP 143 | field will be allocated from that family, if it is available 144 | in the cluster. If no IP family is requested, the cluster's 145 | primary IP family will be used. Other IP fields (loadBalancerIP, 146 | loadBalancerSourceRanges, externalIPs) and controllers 147 | which allocate external load-balancers should use the 148 | same IP family. Endpoints for this Service will be of 149 | this family. This field is immutable after creation. 150 | Assigning a ServiceIPFamily not available in the cluster 151 | (e.g. IPv6 in IPv4 only cluster) is an error condition 152 | and will fail during clusterIP assignment. 153 | type: string 154 | loadBalancerIP: 155 | description: 'Only applies to Service Type: LoadBalancer 156 | LoadBalancer will get created with the IP specified in 157 | this field. This feature depends on whether the underlying 158 | cloud-provider supports specifying the loadBalancerIP 159 | when a load balancer is created. This field will be ignored 160 | if the cloud-provider does not support the feature.' 161 | type: string 162 | loadBalancerSourceRanges: 163 | description: 'If specified and supported by the platform, 164 | this will restrict traffic through the cloud-provider 165 | load-balancer will be restricted to the specified client 166 | IPs. This field will be ignored if the cloud-provider 167 | does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' 168 | items: 169 | type: string 170 | type: array 171 | ports: 172 | description: 'The list of ports that are exposed by this 173 | service. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' 174 | items: 175 | description: ServicePort contains information on service's 176 | port. 177 | properties: 178 | name: 179 | description: The name of this port within the service. 180 | This must be a DNS_LABEL. All ports within a ServiceSpec 181 | must have unique names. When considering the endpoints 182 | for a Service, this must match the 'name' field 183 | in the EndpointPort. Optional if only one ServicePort 184 | is defined on this service. 185 | type: string 186 | nodePort: 187 | description: 'The port on each node on which this 188 | service is exposed when type=NodePort or LoadBalancer. 189 | Usually assigned by the system. If specified, it 190 | will be allocated to the service if unused or else 191 | creation of the service will fail. Default is to 192 | auto-allocate a port if the ServiceType of this 193 | Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' 194 | format: int32 195 | type: integer 196 | port: 197 | description: The port that will be exposed by this 198 | service. 199 | format: int32 200 | type: integer 201 | protocol: 202 | description: The IP protocol for this port. Supports 203 | "TCP", "UDP", and "SCTP". Default is TCP. 204 | type: string 205 | targetPort: 206 | anyOf: 207 | - type: string 208 | - type: integer 209 | description: 'Number or name of the port to access 210 | on the pods targeted by the service. Number must 211 | be in the range 1 to 65535. Name must be an IANA_SVC_NAME. 212 | If this is a string, it will be looked up as a named 213 | port in the target Pod''s container ports. If this 214 | is not specified, the value of the ''port'' field 215 | is used (an identity map). This field is ignored 216 | for services with clusterIP=None, and should be 217 | omitted or set equal to the ''port'' field. 
More 218 | info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' 219 | required: 220 | - port 221 | type: object 222 | type: array 223 | publishNotReadyAddresses: 224 | description: publishNotReadyAddresses, when set to true, 225 | indicates that DNS implementations must publish the notReadyAddresses 226 | of subsets for the Endpoints associated with the Service. 227 | The default value is false. The primary use case for setting 228 | this field is to use a StatefulSet's Headless Service 229 | to propagate SRV records for its Pods without respect 230 | to their readiness for purpose of peer discovery. 231 | type: boolean 232 | selector: 233 | additionalProperties: 234 | type: string 235 | description: 'Route service traffic to pods with label keys 236 | and values matching this selector. If empty or not present, 237 | the service is assumed to have an external process managing 238 | its endpoints, which Kubernetes will not modify. Only 239 | applies to types ClusterIP, NodePort, and LoadBalancer. 240 | Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' 241 | type: object 242 | sessionAffinity: 243 | description: 'Supports "ClientIP" and "None". Used to maintain 244 | session affinity. Enable client IP based session affinity. 245 | Must be ClientIP or None. Defaults to None. More info: 246 | https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' 247 | type: string 248 | sessionAffinityConfig: 249 | description: sessionAffinityConfig contains the configurations 250 | of session affinity. 251 | properties: 252 | clientIP: 253 | description: clientIP contains the configurations of 254 | Client IP based session affinity. 255 | properties: 256 | timeoutSeconds: 257 | description: timeoutSeconds specifies the seconds 258 | of ClientIP type session sticky time. 
The value 259 | must be >0 && <=86400(for 1 day) if ServiceAffinity 260 | == "ClientIP". Default value is 10800(for 3 hours). 261 | format: int32 262 | type: integer 263 | type: object 264 | type: object 265 | type: 266 | description: 'type determines how the Service is exposed. 267 | Defaults to ClusterIP. Valid options are ExternalName, 268 | ClusterIP, NodePort, and LoadBalancer. "ExternalName" 269 | maps to the specified externalName. "ClusterIP" allocates 270 | a cluster-internal IP address for load-balancing to endpoints. 271 | Endpoints are determined by the selector or if that is 272 | not specified, by manual construction of an Endpoints 273 | object. If clusterIP is "None", no virtual IP is allocated 274 | and the endpoints are published as a set of endpoints 275 | rather than a stable IP. "NodePort" builds on ClusterIP 276 | and allocates a port on every node which routes to the 277 | clusterIP. "LoadBalancer" builds on NodePort and creates 278 | an external load-balancer (if supported in the current 279 | cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' 280 | type: string 281 | type: object 282 | type: object 283 | tls: 284 | description: TLS defines options for configuring TLS for HTTP. 285 | properties: 286 | certificate: 287 | description: "Certificate is a reference to a Kubernetes secret 288 | that contains the certificate and private key for enabling 289 | TLS. The referenced secret should contain the following: \n 290 | - `ca.crt`: The certificate authority (optional). - `tls.crt`: 291 | The certificate (or a chain). - `tls.key`: The private key 292 | to the first certificate in the certificate chain." 293 | properties: 294 | secretName: 295 | description: SecretName is the name of the secret. 
296 | type: string 297 | type: object 298 | selfSignedCertificate: 299 | description: SelfSignedCertificate allows configuring the self-signed 300 | certificate generated by the operator. 301 | properties: 302 | disabled: 303 | description: Disabled indicates that the provisioning of 304 | the self-signed certifcate should be disabled. 305 | type: boolean 306 | subjectAltNames: 307 | description: SubjectAlternativeNames is a list of SANs to 308 | include in the generated HTTP TLS certificate. 309 | items: 310 | description: SubjectAlternativeName represents a SAN entry 311 | in a x509 certificate. 312 | properties: 313 | dns: 314 | description: DNS is the DNS name of the subject. 315 | type: string 316 | ip: 317 | description: IP is the IP address of the subject. 318 | type: string 319 | type: object 320 | type: array 321 | type: object 322 | type: object 323 | type: object 324 | image: 325 | description: Image is the APM Server Docker image to deploy. 326 | type: string 327 | podTemplate: 328 | description: PodTemplate provides customisation options (labels, annotations, 329 | affinity rules, resource requests, and so on) for the APM Server pods. 330 | type: object 331 | secureSettings: 332 | description: 'SecureSettings is a list of references to Kubernetes secrets 333 | containing sensitive configuration options for APM Server. See: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-apm-server.html#k8s-apm-secure-settings' 334 | items: 335 | description: SecretSource defines a data source based on a Kubernetes 336 | Secret. 337 | properties: 338 | entries: 339 | description: Entries define how to project each key-value pair 340 | in the secret to filesystem paths. If not defined, all keys 341 | will be projected to similarly named paths in the filesystem. 342 | If defined, only the specified keys will be projected to the 343 | corresponding paths. 
344 | items: 345 | description: KeyToPath defines how to map a key in a Secret 346 | object to a filesystem path. 347 | properties: 348 | key: 349 | description: Key is the key contained in the secret. 350 | type: string 351 | path: 352 | description: Path is the relative file path to map the key 353 | to. Path must not be an absolute file path and must not 354 | contain any ".." components. 355 | type: string 356 | required: 357 | - key 358 | type: object 359 | type: array 360 | secretName: 361 | description: SecretName is the name of the secret. 362 | type: string 363 | required: 364 | - secretName 365 | type: object 366 | type: array 367 | version: 368 | description: Version of the APM Server. 369 | type: string 370 | type: object 371 | status: 372 | description: ApmServerStatus defines the observed state of ApmServer 373 | properties: 374 | associationStatus: 375 | description: Association is the status of any auto-linking to Elasticsearch 376 | clusters. 377 | type: string 378 | availableNodes: 379 | format: int32 380 | type: integer 381 | health: 382 | description: ApmServerHealth expresses the status of the Apm Server 383 | instances. 384 | type: string 385 | secretTokenSecret: 386 | description: SecretTokenSecretName is the name of the Secret that contains 387 | the secret token 388 | type: string 389 | service: 390 | description: ExternalService is the name of the service the agents should 391 | connect to. 
392 | type: string 393 | type: object 394 | version: v1 395 | versions: 396 | - name: v1 397 | served: true 398 | storage: true 399 | - name: v1beta1 400 | served: true 401 | storage: false 402 | - name: v1alpha1 403 | served: false 404 | storage: false 405 | status: 406 | acceptedNames: 407 | kind: "" 408 | plural: "" 409 | conditions: [] 410 | storedVersions: [] 411 | --- 412 | apiVersion: apiextensions.k8s.io/v1beta1 413 | kind: CustomResourceDefinition 414 | metadata: 415 | creationTimestamp: null 416 | name: elasticsearches.elasticsearch.k8s.elastic.co 417 | spec: 418 | additionalPrinterColumns: 419 | - JSONPath: .status.health 420 | name: health 421 | type: string 422 | - JSONPath: .status.availableNodes 423 | description: Available nodes 424 | name: nodes 425 | type: integer 426 | - JSONPath: .spec.version 427 | description: Elasticsearch version 428 | name: version 429 | type: string 430 | - JSONPath: .status.phase 431 | name: phase 432 | type: string 433 | - JSONPath: .metadata.creationTimestamp 434 | name: age 435 | type: date 436 | group: elasticsearch.k8s.elastic.co 437 | names: 438 | categories: 439 | - elastic 440 | kind: Elasticsearch 441 | listKind: ElasticsearchList 442 | plural: elasticsearches 443 | shortNames: 444 | - es 445 | singular: elasticsearch 446 | scope: Namespaced 447 | subresources: 448 | status: {} 449 | validation: 450 | openAPIV3Schema: 451 | description: Elasticsearch represents an Elasticsearch resource in a Kubernetes 452 | cluster. 453 | properties: 454 | apiVersion: 455 | description: 'APIVersion defines the versioned schema of this representation 456 | of an object. Servers should convert recognized schemas to the latest 457 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 458 | type: string 459 | kind: 460 | description: 'Kind is a string value representing the REST resource this 461 | object represents. 
Servers may infer this from the endpoint the client 462 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 463 | type: string 464 | metadata: 465 | type: object 466 | spec: 467 | description: ElasticsearchSpec holds the specification of an Elasticsearch 468 | cluster. 469 | properties: 470 | http: 471 | description: HTTP holds HTTP layer settings for Elasticsearch. 472 | properties: 473 | service: 474 | description: Service defines the template for the associated Kubernetes 475 | Service object. 476 | properties: 477 | metadata: 478 | description: ObjectMeta is the metadata of the service. The 479 | name and namespace provided here are managed by ECK and will 480 | be ignored. 481 | type: object 482 | spec: 483 | description: Spec is the specification of the service. 484 | properties: 485 | clusterIP: 486 | description: 'clusterIP is the IP address of the service 487 | and is usually assigned randomly by the master. If an 488 | address is specified manually and is not in use by others, 489 | it will be allocated to the service; otherwise, creation 490 | of the service will fail. This field can not be changed 491 | through updates. Valid values are "None", empty string 492 | (""), or a valid IP address. "None" can be specified for 493 | headless services when proxying is not required. Only 494 | applies to types ClusterIP, NodePort, and LoadBalancer. 495 | Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' 496 | type: string 497 | externalIPs: 498 | description: externalIPs is a list of IP addresses for which 499 | nodes in the cluster will also accept traffic for this 500 | service. These IPs are not managed by Kubernetes. The 501 | user is responsible for ensuring that traffic arrives 502 | at a node with this IP. 
A common example is external 503 | load-balancers that are not part of the Kubernetes system. 504 | items: 505 | type: string 506 | type: array 507 | externalName: 508 | description: externalName is the external reference that 509 | kubedns or equivalent will return as a CNAME record for 510 | this service. No proxying will be involved. Must be a 511 | valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) 512 | and requires Type to be ExternalName. 513 | type: string 514 | externalTrafficPolicy: 515 | description: externalTrafficPolicy denotes if this Service 516 | desires to route external traffic to node-local or cluster-wide 517 | endpoints. "Local" preserves the client source IP and 518 | avoids a second hop for LoadBalancer and Nodeport type 519 | services, but risks potentially imbalanced traffic spreading. 520 | "Cluster" obscures the client source IP and may cause 521 | a second hop to another node, but should have good overall 522 | load-spreading. 523 | type: string 524 | healthCheckNodePort: 525 | description: healthCheckNodePort specifies the healthcheck 526 | nodePort for the service. If not specified, HealthCheckNodePort 527 | is created by the service api backend with the allocated 528 | nodePort. Will use user-specified nodePort value if specified 529 | by the client. Only effects when Type is set to LoadBalancer 530 | and ExternalTrafficPolicy is set to Local. 531 | format: int32 532 | type: integer 533 | ipFamily: 534 | description: ipFamily specifies whether this Service has 535 | a preference for a particular IP family (e.g. IPv4 vs. 536 | IPv6). If a specific IP family is requested, the clusterIP 537 | field will be allocated from that family, if it is available 538 | in the cluster. If no IP family is requested, the cluster's 539 | primary IP family will be used. Other IP fields (loadBalancerIP, 540 | loadBalancerSourceRanges, externalIPs) and controllers 541 | which allocate external load-balancers should use the 542 | same IP family. 
Endpoints for this Service will be of 543 | this family. This field is immutable after creation. 544 | Assigning a ServiceIPFamily not available in the cluster 545 | (e.g. IPv6 in IPv4 only cluster) is an error condition 546 | and will fail during clusterIP assignment. 547 | type: string 548 | loadBalancerIP: 549 | description: 'Only applies to Service Type: LoadBalancer 550 | LoadBalancer will get created with the IP specified in 551 | this field. This feature depends on whether the underlying 552 | cloud-provider supports specifying the loadBalancerIP 553 | when a load balancer is created. This field will be ignored 554 | if the cloud-provider does not support the feature.' 555 | type: string 556 | loadBalancerSourceRanges: 557 | description: 'If specified and supported by the platform, 558 | this will restrict traffic through the cloud-provider 559 | load-balancer will be restricted to the specified client 560 | IPs. This field will be ignored if the cloud-provider 561 | does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' 562 | items: 563 | type: string 564 | type: array 565 | ports: 566 | description: 'The list of ports that are exposed by this 567 | service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' 568 | items: 569 | description: ServicePort contains information on service's 570 | port. 571 | properties: 572 | name: 573 | description: The name of this port within the service. 574 | This must be a DNS_LABEL. All ports within a ServiceSpec 575 | must have unique names. When considering the endpoints 576 | for a Service, this must match the 'name' field 577 | in the EndpointPort. Optional if only one ServicePort 578 | is defined on this service. 579 | type: string 580 | nodePort: 581 | description: 'The port on each node on which this 582 | service is exposed when type=NodePort or LoadBalancer. 
583 | Usually assigned by the system. If specified, it 584 | will be allocated to the service if unused or else 585 | creation of the service will fail. Default is to 586 | auto-allocate a port if the ServiceType of this 587 | Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' 588 | format: int32 589 | type: integer 590 | port: 591 | description: The port that will be exposed by this 592 | service. 593 | format: int32 594 | type: integer 595 | protocol: 596 | description: The IP protocol for this port. Supports 597 | "TCP", "UDP", and "SCTP". Default is TCP. 598 | type: string 599 | targetPort: 600 | anyOf: 601 | - type: string 602 | - type: integer 603 | description: 'Number or name of the port to access 604 | on the pods targeted by the service. Number must 605 | be in the range 1 to 65535. Name must be an IANA_SVC_NAME. 606 | If this is a string, it will be looked up as a named 607 | port in the target Pod''s container ports. If this 608 | is not specified, the value of the ''port'' field 609 | is used (an identity map). This field is ignored 610 | for services with clusterIP=None, and should be 611 | omitted or set equal to the ''port'' field. More 612 | info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' 613 | required: 614 | - port 615 | type: object 616 | type: array 617 | publishNotReadyAddresses: 618 | description: publishNotReadyAddresses, when set to true, 619 | indicates that DNS implementations must publish the notReadyAddresses 620 | of subsets for the Endpoints associated with the Service. 621 | The default value is false. The primary use case for setting 622 | this field is to use a StatefulSet's Headless Service 623 | to propagate SRV records for its Pods without respect 624 | to their readiness for purpose of peer discovery. 
625 | type: boolean 626 | selector: 627 | additionalProperties: 628 | type: string 629 | description: 'Route service traffic to pods with label keys 630 | and values matching this selector. If empty or not present, 631 | the service is assumed to have an external process managing 632 | its endpoints, which Kubernetes will not modify. Only 633 | applies to types ClusterIP, NodePort, and LoadBalancer. 634 | Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' 635 | type: object 636 | sessionAffinity: 637 | description: 'Supports "ClientIP" and "None". Used to maintain 638 | session affinity. Enable client IP based session affinity. 639 | Must be ClientIP or None. Defaults to None. More info: 640 | https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' 641 | type: string 642 | sessionAffinityConfig: 643 | description: sessionAffinityConfig contains the configurations 644 | of session affinity. 645 | properties: 646 | clientIP: 647 | description: clientIP contains the configurations of 648 | Client IP based session affinity. 649 | properties: 650 | timeoutSeconds: 651 | description: timeoutSeconds specifies the seconds 652 | of ClientIP type session sticky time. The value 653 | must be >0 && <=86400(for 1 day) if ServiceAffinity 654 | == "ClientIP". Default value is 10800(for 3 hours). 655 | format: int32 656 | type: integer 657 | type: object 658 | type: object 659 | type: 660 | description: 'type determines how the Service is exposed. 661 | Defaults to ClusterIP. Valid options are ExternalName, 662 | ClusterIP, NodePort, and LoadBalancer. "ExternalName" 663 | maps to the specified externalName. "ClusterIP" allocates 664 | a cluster-internal IP address for load-balancing to endpoints. 665 | Endpoints are determined by the selector or if that is 666 | not specified, by manual construction of an Endpoints 667 | object. 
If clusterIP is "None", no virtual IP is allocated 668 | and the endpoints are published as a set of endpoints 669 | rather than a stable IP. "NodePort" builds on ClusterIP 670 | and allocates a port on every node which routes to the 671 | clusterIP. "LoadBalancer" builds on NodePort and creates 672 | an external load-balancer (if supported in the current 673 | cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' 674 | type: string 675 | type: object 676 | type: object 677 | tls: 678 | description: TLS defines options for configuring TLS for HTTP. 679 | properties: 680 | certificate: 681 | description: "Certificate is a reference to a Kubernetes secret 682 | that contains the certificate and private key for enabling 683 | TLS. The referenced secret should contain the following: \n 684 | - `ca.crt`: The certificate authority (optional). - `tls.crt`: 685 | The certificate (or a chain). - `tls.key`: The private key 686 | to the first certificate in the certificate chain." 687 | properties: 688 | secretName: 689 | description: SecretName is the name of the secret. 690 | type: string 691 | type: object 692 | selfSignedCertificate: 693 | description: SelfSignedCertificate allows configuring the self-signed 694 | certificate generated by the operator. 695 | properties: 696 | disabled: 697 | description: Disabled indicates that the provisioning of 698 | the self-signed certifcate should be disabled. 699 | type: boolean 700 | subjectAltNames: 701 | description: SubjectAlternativeNames is a list of SANs to 702 | include in the generated HTTP TLS certificate. 703 | items: 704 | description: SubjectAlternativeName represents a SAN entry 705 | in a x509 certificate. 706 | properties: 707 | dns: 708 | description: DNS is the DNS name of the subject. 709 | type: string 710 | ip: 711 | description: IP is the IP address of the subject. 
712 | type: string 713 | type: object 714 | type: array 715 | type: object 716 | type: object 717 | type: object 718 | image: 719 | description: Image is the Elasticsearch Docker image to deploy. 720 | type: string 721 | nodeSets: 722 | description: 'NodeSets allow specifying groups of Elasticsearch nodes 723 | sharing the same configuration and Pod templates. See: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-orchestration.html' 724 | items: 725 | description: NodeSet is the specification for a group of Elasticsearch 726 | nodes sharing the same configuration and a Pod template. 727 | properties: 728 | config: 729 | description: Config holds the Elasticsearch configuration. 730 | type: object 731 | count: 732 | description: Count of Elasticsearch nodes to deploy. 733 | format: int32 734 | minimum: 1 735 | type: integer 736 | name: 737 | description: Name of this set of nodes. Becomes a part of the 738 | Elasticsearch node.name setting. 739 | maxLength: 23 740 | pattern: '[a-zA-Z0-9-]+' 741 | type: string 742 | podTemplate: 743 | description: PodTemplate provides customisation options (labels, 744 | annotations, affinity rules, resource requests, and so on) for 745 | the Pods belonging to this NodeSet. 746 | type: object 747 | volumeClaimTemplates: 748 | description: 'VolumeClaimTemplates is a list of persistent volume 749 | claims to be used by each Pod in this NodeSet. Every claim in 750 | this list must have a matching volumeMount in one of the containers 751 | defined in the PodTemplate. Items defined here take precedence 752 | over any default claims added by the operator with the same 753 | name. See: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-volume-claim-templates.html' 754 | items: 755 | description: PersistentVolumeClaim is a user's request for and 756 | claim to a persistent volume 757 | properties: 758 | apiVersion: 759 | description: 'APIVersion defines the versioned schema of 760 | this representation of an object. 
Servers should convert 761 | recognized schemas to the latest internal value, and may 762 | reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 763 | type: string 764 | kind: 765 | description: 'Kind is a string value representing the REST 766 | resource this object represents. Servers may infer this 767 | from the endpoint the client submits requests to. Cannot 768 | be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 769 | type: string 770 | metadata: 771 | description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' 772 | type: object 773 | spec: 774 | description: 'Spec defines the desired characteristics of 775 | a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' 776 | properties: 777 | accessModes: 778 | description: 'AccessModes contains the desired access 779 | modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' 780 | items: 781 | type: string 782 | type: array 783 | dataSource: 784 | description: This field requires the VolumeSnapshotDataSource 785 | alpha feature gate to be enabled and currently VolumeSnapshot 786 | is the only supported data source. If the provisioner 787 | can support VolumeSnapshot data source, it will create 788 | a new volume and data will be restored to the volume 789 | at the same time. If the provisioner does not support 790 | VolumeSnapshot data source, volume will not be created 791 | and the failure will be reported as an event. In the 792 | future, we plan to support more data source types 793 | and the behavior of the provisioner may change. 
794 | properties: 795 | apiGroup: 796 | description: APIGroup is the group for the resource 797 | being referenced. If APIGroup is not specified, 798 | the specified Kind must be in the core API group. 799 | For any other third-party types, APIGroup is required. 800 | type: string 801 | kind: 802 | description: Kind is the type of resource being 803 | referenced 804 | type: string 805 | name: 806 | description: Name is the name of resource being 807 | referenced 808 | type: string 809 | required: 810 | - kind 811 | - name 812 | type: object 813 | resources: 814 | description: 'Resources represents the minimum resources 815 | the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' 816 | properties: 817 | limits: 818 | additionalProperties: 819 | type: string 820 | description: 'Limits describes the maximum amount 821 | of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' 822 | type: object 823 | requests: 824 | additionalProperties: 825 | type: string 826 | description: 'Requests describes the minimum amount 827 | of compute resources required. If Requests is 828 | omitted for a container, it defaults to Limits 829 | if that is explicitly specified, otherwise to 830 | an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' 831 | type: object 832 | type: object 833 | selector: 834 | description: A label query over volumes to consider 835 | for binding. 836 | properties: 837 | matchExpressions: 838 | description: matchExpressions is a list of label 839 | selector requirements. The requirements are ANDed. 840 | items: 841 | description: A label selector requirement is a 842 | selector that contains values, a key, and an 843 | operator that relates the key and values. 844 | properties: 845 | key: 846 | description: key is the label key that the 847 | selector applies to. 
848 | type: string 849 | operator: 850 | description: operator represents a key's relationship 851 | to a set of values. Valid operators are 852 | In, NotIn, Exists and DoesNotExist. 853 | type: string 854 | values: 855 | description: values is an array of string 856 | values. If the operator is In or NotIn, 857 | the values array must be non-empty. If the 858 | operator is Exists or DoesNotExist, the 859 | values array must be empty. This array is 860 | replaced during a strategic merge patch. 861 | items: 862 | type: string 863 | type: array 864 | required: 865 | - key 866 | - operator 867 | type: object 868 | type: array 869 | matchLabels: 870 | additionalProperties: 871 | type: string 872 | description: matchLabels is a map of {key,value} 873 | pairs. A single {key,value} in the matchLabels 874 | map is equivalent to an element of matchExpressions, 875 | whose key field is "key", the operator is "In", 876 | and the values array contains only "value". The 877 | requirements are ANDed. 878 | type: object 879 | type: object 880 | storageClassName: 881 | description: 'Name of the StorageClass required by the 882 | claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' 883 | type: string 884 | volumeMode: 885 | description: volumeMode defines what type of volume 886 | is required by the claim. Value of Filesystem is implied 887 | when not included in claim spec. This is a beta feature. 888 | type: string 889 | volumeName: 890 | description: VolumeName is the binding reference to 891 | the PersistentVolume backing this claim. 892 | type: string 893 | type: object 894 | status: 895 | description: 'Status represents the current information/status 896 | of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' 897 | properties: 898 | accessModes: 899 | description: 'AccessModes contains the actual access 900 | modes the volume backing the PVC has. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' 901 | items: 902 | type: string 903 | type: array 904 | capacity: 905 | additionalProperties: 906 | type: string 907 | description: Represents the actual resources of the 908 | underlying volume. 909 | type: object 910 | conditions: 911 | description: Current Condition of persistent volume 912 | claim. If underlying persistent volume is being resized 913 | then the Condition will be set to 'ResizeStarted'. 914 | items: 915 | description: PersistentVolumeClaimCondition contails 916 | details about state of pvc 917 | properties: 918 | lastProbeTime: 919 | description: Last time we probed the condition. 920 | format: date-time 921 | type: string 922 | lastTransitionTime: 923 | description: Last time the condition transitioned 924 | from one status to another. 925 | format: date-time 926 | type: string 927 | message: 928 | description: Human-readable message indicating 929 | details about last transition. 930 | type: string 931 | reason: 932 | description: Unique, this should be a short, machine 933 | understandable string that gives the reason 934 | for condition's last transition. If it reports 935 | "ResizeStarted" that means the underlying persistent 936 | volume is being resized. 937 | type: string 938 | status: 939 | type: string 940 | type: 941 | description: PersistentVolumeClaimConditionType 942 | is a valid value of PersistentVolumeClaimCondition.Type 943 | type: string 944 | required: 945 | - status 946 | - type 947 | type: object 948 | type: array 949 | phase: 950 | description: Phase represents the current phase of PersistentVolumeClaim. 951 | type: string 952 | type: object 953 | type: object 954 | type: array 955 | required: 956 | - count 957 | - name 958 | type: object 959 | minItems: 1 960 | type: array 961 | podDisruptionBudget: 962 | description: PodDisruptionBudget provides access to the default pod 963 | disruption budget for the Elasticsearch cluster. 
The default budget 964 | selects all cluster pods and sets `maxUnavailable` to 1. To disable, 965 | set `PodDisruptionBudget` to the empty value (`{}` in YAML). 966 | properties: 967 | metadata: 968 | description: ObjectMeta is the metadata of the PDB. The name and 969 | namespace provided here are managed by ECK and will be ignored. 970 | type: object 971 | spec: 972 | description: Spec is the specification of the PDB. 973 | properties: 974 | maxUnavailable: 975 | anyOf: 976 | - type: string 977 | - type: integer 978 | description: An eviction is allowed if at most "maxUnavailable" 979 | pods selected by "selector" are unavailable after the eviction, 980 | i.e. even in absence of the evicted pod. For example, one 981 | can prevent all voluntary evictions by specifying 0. This 982 | is a mutually exclusive setting with "minAvailable". 983 | minAvailable: 984 | anyOf: 985 | - type: string 986 | - type: integer 987 | description: An eviction is allowed if at least "minAvailable" 988 | pods selected by "selector" will still be available after 989 | the eviction, i.e. even in the absence of the evicted pod. So 990 | for example you can prevent all voluntary evictions by specifying 991 | "100%". 992 | selector: 993 | description: Label query over pods whose evictions are managed 994 | by the disruption budget. 995 | properties: 996 | matchExpressions: 997 | description: matchExpressions is a list of label selector 998 | requirements. The requirements are ANDed. 999 | items: 1000 | description: A label selector requirement is a selector 1001 | that contains values, a key, and an operator that relates 1002 | the key and values. 1003 | properties: 1004 | key: 1005 | description: key is the label key that the selector 1006 | applies to. 1007 | type: string 1008 | operator: 1009 | description: operator represents a key's relationship 1010 | to a set of values. Valid operators are In, NotIn, 1011 | Exists and DoesNotExist. 
1012 | type: string 1013 | values: 1014 | description: values is an array of string values. 1015 | If the operator is In or NotIn, the values array 1016 | must be non-empty. If the operator is Exists or 1017 | DoesNotExist, the values array must be empty. This 1018 | array is replaced during a strategic merge patch. 1019 | items: 1020 | type: string 1021 | type: array 1022 | required: 1023 | - key 1024 | - operator 1025 | type: object 1026 | type: array 1027 | matchLabels: 1028 | additionalProperties: 1029 | type: string 1030 | description: matchLabels is a map of {key,value} pairs. 1031 | A single {key,value} in the matchLabels map is equivalent 1032 | to an element of matchExpressions, whose key field is 1033 | "key", the operator is "In", and the values array contains 1034 | only "value". The requirements are ANDed. 1035 | type: object 1036 | type: object 1037 | type: object 1038 | type: object 1039 | secureSettings: 1040 | description: 'SecureSettings is a list of references to Kubernetes secrets 1041 | containing sensitive configuration options for Elasticsearch. See: 1042 | https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-es-secure-settings.html' 1043 | items: 1044 | description: SecretSource defines a data source based on a Kubernetes 1045 | Secret. 1046 | properties: 1047 | entries: 1048 | description: Entries define how to project each key-value pair 1049 | in the secret to filesystem paths. If not defined, all keys 1050 | will be projected to similarly named paths in the filesystem. 1051 | If defined, only the specified keys will be projected to the 1052 | corresponding paths. 1053 | items: 1054 | description: KeyToPath defines how to map a key in a Secret 1055 | object to a filesystem path. 1056 | properties: 1057 | key: 1058 | description: Key is the key contained in the secret. 1059 | type: string 1060 | path: 1061 | description: Path is the relative file path to map the key 1062 | to. 
Path must not be an absolute file path and must not 1063 | contain any ".." components. 1064 | type: string 1065 | required: 1066 | - key 1067 | type: object 1068 | type: array 1069 | secretName: 1070 | description: SecretName is the name of the secret. 1071 | type: string 1072 | required: 1073 | - secretName 1074 | type: object 1075 | type: array 1076 | updateStrategy: 1077 | description: UpdateStrategy specifies how updates to the cluster should 1078 | be performed. 1079 | properties: 1080 | changeBudget: 1081 | description: ChangeBudget defines the constraints to consider when 1082 | applying changes to the Elasticsearch cluster. 1083 | properties: 1084 | maxSurge: 1085 | description: MaxSurge is the maximum number of new pods that 1086 | can be created exceeding the original number of pods defined 1087 | in the specification. MaxSurge is only taken into consideration 1088 | when scaling up. Setting a negative value will disable the 1089 | restriction. Defaults to unbounded if not specified. 1090 | format: int32 1091 | type: integer 1092 | maxUnavailable: 1093 | description: MaxUnavailable is the maximum number of pods that 1094 | can be unavailable (not ready) during the update due to circumstances 1095 | under the control of the operator. Setting a negative value 1096 | will disable this restriction. Defaults to 1 if not specified. 1097 | format: int32 1098 | type: integer 1099 | type: object 1100 | type: object 1101 | version: 1102 | description: Version of Elasticsearch. 1103 | type: string 1104 | required: 1105 | - nodeSets 1106 | type: object 1107 | status: 1108 | description: ElasticsearchStatus defines the observed state of Elasticsearch 1109 | properties: 1110 | availableNodes: 1111 | format: int32 1112 | type: integer 1113 | health: 1114 | description: ElasticsearchHealth is the health of the cluster as returned 1115 | by the health API. 
1116 | type: string 1117 | phase: 1118 | description: ElasticsearchOrchestrationPhase is the phase Elasticsearch 1119 | is in from the controller point of view. 1120 | type: string 1121 | type: object 1122 | version: v1 1123 | versions: 1124 | - name: v1 1125 | served: true 1126 | storage: true 1127 | - name: v1beta1 1128 | served: true 1129 | storage: false 1130 | - name: v1alpha1 1131 | served: false 1132 | storage: false 1133 | status: 1134 | acceptedNames: 1135 | kind: "" 1136 | plural: "" 1137 | conditions: [] 1138 | storedVersions: [] 1139 | --- 1140 | apiVersion: apiextensions.k8s.io/v1beta1 1141 | kind: CustomResourceDefinition 1142 | metadata: 1143 | creationTimestamp: null 1144 | name: kibanas.kibana.k8s.elastic.co 1145 | spec: 1146 | additionalPrinterColumns: 1147 | - JSONPath: .status.health 1148 | name: health 1149 | type: string 1150 | - JSONPath: .status.availableNodes 1151 | description: Available nodes 1152 | name: nodes 1153 | type: integer 1154 | - JSONPath: .spec.version 1155 | description: Kibana version 1156 | name: version 1157 | type: string 1158 | - JSONPath: .metadata.creationTimestamp 1159 | name: age 1160 | type: date 1161 | group: kibana.k8s.elastic.co 1162 | names: 1163 | categories: 1164 | - elastic 1165 | kind: Kibana 1166 | listKind: KibanaList 1167 | plural: kibanas 1168 | shortNames: 1169 | - kb 1170 | singular: kibana 1171 | scope: Namespaced 1172 | subresources: 1173 | status: {} 1174 | validation: 1175 | openAPIV3Schema: 1176 | description: Kibana represents a Kibana resource in a Kubernetes cluster. 1177 | properties: 1178 | apiVersion: 1179 | description: 'APIVersion defines the versioned schema of this representation 1180 | of an object. Servers should convert recognized schemas to the latest 1181 | internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1182 | type: string 1183 | kind: 1184 | description: 'Kind is a string value representing the REST resource this 1185 | object represents. Servers may infer this from the endpoint the client 1186 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1187 | type: string 1188 | metadata: 1189 | type: object 1190 | spec: 1191 | description: KibanaSpec holds the specification of a Kibana instance. 1192 | properties: 1193 | config: 1194 | description: 'Config holds the Kibana configuration. See: https://www.elastic.co/guide/en/kibana/current/settings.html' 1195 | type: object 1196 | count: 1197 | description: Count of Kibana instances to deploy. 1198 | format: int32 1199 | type: integer 1200 | elasticsearchRef: 1201 | description: ElasticsearchRef is a reference to an Elasticsearch cluster 1202 | running in the same Kubernetes cluster. 1203 | properties: 1204 | name: 1205 | description: Name of the Kubernetes object. 1206 | type: string 1207 | namespace: 1208 | description: Namespace of the Kubernetes object. If empty, defaults 1209 | to the current namespace. 1210 | type: string 1211 | required: 1212 | - name 1213 | type: object 1214 | http: 1215 | description: HTTP holds the HTTP layer configuration for Kibana. 1216 | properties: 1217 | service: 1218 | description: Service defines the template for the associated Kubernetes 1219 | Service object. 1220 | properties: 1221 | metadata: 1222 | description: ObjectMeta is the metadata of the service. The 1223 | name and namespace provided here are managed by ECK and will 1224 | be ignored. 1225 | type: object 1226 | spec: 1227 | description: Spec is the specification of the service. 
1228 | properties: 1229 | clusterIP: 1230 | description: 'clusterIP is the IP address of the service 1231 | and is usually assigned randomly by the master. If an 1232 | address is specified manually and is not in use by others, 1233 | it will be allocated to the service; otherwise, creation 1234 | of the service will fail. This field can not be changed 1235 | through updates. Valid values are "None", empty string 1236 | (""), or a valid IP address. "None" can be specified for 1237 | headless services when proxying is not required. Only 1238 | applies to types ClusterIP, NodePort, and LoadBalancer. 1239 | Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' 1240 | type: string 1241 | externalIPs: 1242 | description: externalIPs is a list of IP addresses for which 1243 | nodes in the cluster will also accept traffic for this 1244 | service. These IPs are not managed by Kubernetes. The 1245 | user is responsible for ensuring that traffic arrives 1246 | at a node with this IP. A common example is external 1247 | load-balancers that are not part of the Kubernetes system. 1248 | items: 1249 | type: string 1250 | type: array 1251 | externalName: 1252 | description: externalName is the external reference that 1253 | kubedns or equivalent will return as a CNAME record for 1254 | this service. No proxying will be involved. Must be a 1255 | valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) 1256 | and requires Type to be ExternalName. 1257 | type: string 1258 | externalTrafficPolicy: 1259 | description: externalTrafficPolicy denotes if this Service 1260 | desires to route external traffic to node-local or cluster-wide 1261 | endpoints. "Local" preserves the client source IP and 1262 | avoids a second hop for LoadBalancer and Nodeport type 1263 | services, but risks potentially imbalanced traffic spreading. 
1264 | "Cluster" obscures the client source IP and may cause 1265 | a second hop to another node, but should have good overall 1266 | load-spreading. 1267 | type: string 1268 | healthCheckNodePort: 1269 | description: healthCheckNodePort specifies the healthcheck 1270 | nodePort for the service. If not specified, HealthCheckNodePort 1271 | is created by the service api backend with the allocated 1272 | nodePort. Will use user-specified nodePort value if specified 1273 | by the client. Only effects when Type is set to LoadBalancer 1274 | and ExternalTrafficPolicy is set to Local. 1275 | format: int32 1276 | type: integer 1277 | ipFamily: 1278 | description: ipFamily specifies whether this Service has 1279 | a preference for a particular IP family (e.g. IPv4 vs. 1280 | IPv6). If a specific IP family is requested, the clusterIP 1281 | field will be allocated from that family, if it is available 1282 | in the cluster. If no IP family is requested, the cluster's 1283 | primary IP family will be used. Other IP fields (loadBalancerIP, 1284 | loadBalancerSourceRanges, externalIPs) and controllers 1285 | which allocate external load-balancers should use the 1286 | same IP family. Endpoints for this Service will be of 1287 | this family. This field is immutable after creation. 1288 | Assigning a ServiceIPFamily not available in the cluster 1289 | (e.g. IPv6 in IPv4 only cluster) is an error condition 1290 | and will fail during clusterIP assignment. 1291 | type: string 1292 | loadBalancerIP: 1293 | description: 'Only applies to Service Type: LoadBalancer 1294 | LoadBalancer will get created with the IP specified in 1295 | this field. This feature depends on whether the underlying 1296 | cloud-provider supports specifying the loadBalancerIP 1297 | when a load balancer is created. This field will be ignored 1298 | if the cloud-provider does not support the feature.' 
1299 | type: string 1300 | loadBalancerSourceRanges: 1301 | description: 'If specified and supported by the platform, 1302 | this will restrict traffic through the cloud-provider 1303 | load-balancer will be restricted to the specified client 1304 | IPs. This field will be ignored if the cloud-provider 1305 | does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' 1306 | items: 1307 | type: string 1308 | type: array 1309 | ports: 1310 | description: 'The list of ports that are exposed by this 1311 | service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' 1312 | items: 1313 | description: ServicePort contains information on service's 1314 | port. 1315 | properties: 1316 | name: 1317 | description: The name of this port within the service. 1318 | This must be a DNS_LABEL. All ports within a ServiceSpec 1319 | must have unique names. When considering the endpoints 1320 | for a Service, this must match the 'name' field 1321 | in the EndpointPort. Optional if only one ServicePort 1322 | is defined on this service. 1323 | type: string 1324 | nodePort: 1325 | description: 'The port on each node on which this 1326 | service is exposed when type=NodePort or LoadBalancer. 1327 | Usually assigned by the system. If specified, it 1328 | will be allocated to the service if unused or else 1329 | creation of the service will fail. Default is to 1330 | auto-allocate a port if the ServiceType of this 1331 | Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' 1332 | format: int32 1333 | type: integer 1334 | port: 1335 | description: The port that will be exposed by this 1336 | service. 1337 | format: int32 1338 | type: integer 1339 | protocol: 1340 | description: The IP protocol for this port. Supports 1341 | "TCP", "UDP", and "SCTP". Default is TCP. 
1342 | type: string 1343 | targetPort: 1344 | anyOf: 1345 | - type: string 1346 | - type: integer 1347 | description: 'Number or name of the port to access 1348 | on the pods targeted by the service. Number must 1349 | be in the range 1 to 65535. Name must be an IANA_SVC_NAME. 1350 | If this is a string, it will be looked up as a named 1351 | port in the target Pod''s container ports. If this 1352 | is not specified, the value of the ''port'' field 1353 | is used (an identity map). This field is ignored 1354 | for services with clusterIP=None, and should be 1355 | omitted or set equal to the ''port'' field. More 1356 | info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' 1357 | required: 1358 | - port 1359 | type: object 1360 | type: array 1361 | publishNotReadyAddresses: 1362 | description: publishNotReadyAddresses, when set to true, 1363 | indicates that DNS implementations must publish the notReadyAddresses 1364 | of subsets for the Endpoints associated with the Service. 1365 | The default value is false. The primary use case for setting 1366 | this field is to use a StatefulSet's Headless Service 1367 | to propagate SRV records for its Pods without respect 1368 | to their readiness for purpose of peer discovery. 1369 | type: boolean 1370 | selector: 1371 | additionalProperties: 1372 | type: string 1373 | description: 'Route service traffic to pods with label keys 1374 | and values matching this selector. If empty or not present, 1375 | the service is assumed to have an external process managing 1376 | its endpoints, which Kubernetes will not modify. Only 1377 | applies to types ClusterIP, NodePort, and LoadBalancer. 1378 | Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' 1379 | type: object 1380 | sessionAffinity: 1381 | description: 'Supports "ClientIP" and "None". Used to maintain 1382 | session affinity. Enable client IP based session affinity. 
1383 | Must be ClientIP or None. Defaults to None. More info: 1384 | https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' 1385 | type: string 1386 | sessionAffinityConfig: 1387 | description: sessionAffinityConfig contains the configurations 1388 | of session affinity. 1389 | properties: 1390 | clientIP: 1391 | description: clientIP contains the configurations of 1392 | Client IP based session affinity. 1393 | properties: 1394 | timeoutSeconds: 1395 | description: timeoutSeconds specifies the seconds 1396 | of ClientIP type session sticky time. The value 1397 | must be >0 && <=86400(for 1 day) if ServiceAffinity 1398 | == "ClientIP". Default value is 10800(for 3 hours). 1399 | format: int32 1400 | type: integer 1401 | type: object 1402 | type: object 1403 | type: 1404 | description: 'type determines how the Service is exposed. 1405 | Defaults to ClusterIP. Valid options are ExternalName, 1406 | ClusterIP, NodePort, and LoadBalancer. "ExternalName" 1407 | maps to the specified externalName. "ClusterIP" allocates 1408 | a cluster-internal IP address for load-balancing to endpoints. 1409 | Endpoints are determined by the selector or if that is 1410 | not specified, by manual construction of an Endpoints 1411 | object. If clusterIP is "None", no virtual IP is allocated 1412 | and the endpoints are published as a set of endpoints 1413 | rather than a stable IP. "NodePort" builds on ClusterIP 1414 | and allocates a port on every node which routes to the 1415 | clusterIP. "LoadBalancer" builds on NodePort and creates 1416 | an external load-balancer (if supported in the current 1417 | cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' 1418 | type: string 1419 | type: object 1420 | type: object 1421 | tls: 1422 | description: TLS defines options for configuring TLS for HTTP. 
1423 | properties: 1424 | certificate: 1425 | description: "Certificate is a reference to a Kubernetes secret 1426 | that contains the certificate and private key for enabling 1427 | TLS. The referenced secret should contain the following: \n 1428 | - `ca.crt`: The certificate authority (optional). - `tls.crt`: 1429 | The certificate (or a chain). - `tls.key`: The private key 1430 | to the first certificate in the certificate chain." 1431 | properties: 1432 | secretName: 1433 | description: SecretName is the name of the secret. 1434 | type: string 1435 | type: object 1436 | selfSignedCertificate: 1437 | description: SelfSignedCertificate allows configuring the self-signed 1438 | certificate generated by the operator. 1439 | properties: 1440 | disabled: 1441 | description: Disabled indicates that the provisioning of 1442 | the self-signed certifcate should be disabled. 1443 | type: boolean 1444 | subjectAltNames: 1445 | description: SubjectAlternativeNames is a list of SANs to 1446 | include in the generated HTTP TLS certificate. 1447 | items: 1448 | description: SubjectAlternativeName represents a SAN entry 1449 | in a x509 certificate. 1450 | properties: 1451 | dns: 1452 | description: DNS is the DNS name of the subject. 1453 | type: string 1454 | ip: 1455 | description: IP is the IP address of the subject. 1456 | type: string 1457 | type: object 1458 | type: array 1459 | type: object 1460 | type: object 1461 | type: object 1462 | image: 1463 | description: Image is the Kibana Docker image to deploy. 1464 | type: string 1465 | podTemplate: 1466 | description: PodTemplate provides customisation options (labels, annotations, 1467 | affinity rules, resource requests, and so on) for the Kibana pods 1468 | type: object 1469 | secureSettings: 1470 | description: 'SecureSettings is a list of references to Kubernetes secrets 1471 | containing sensitive configuration options for Kibana. 
See: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-kibana.html#k8s-kibana-secure-settings' 1472 | items: 1473 | description: SecretSource defines a data source based on a Kubernetes 1474 | Secret. 1475 | properties: 1476 | entries: 1477 | description: Entries define how to project each key-value pair 1478 | in the secret to filesystem paths. If not defined, all keys 1479 | will be projected to similarly named paths in the filesystem. 1480 | If defined, only the specified keys will be projected to the 1481 | corresponding paths. 1482 | items: 1483 | description: KeyToPath defines how to map a key in a Secret 1484 | object to a filesystem path. 1485 | properties: 1486 | key: 1487 | description: Key is the key contained in the secret. 1488 | type: string 1489 | path: 1490 | description: Path is the relative file path to map the key 1491 | to. Path must not be an absolute file path and must not 1492 | contain any ".." components. 1493 | type: string 1494 | required: 1495 | - key 1496 | type: object 1497 | type: array 1498 | secretName: 1499 | description: SecretName is the name of the secret. 1500 | type: string 1501 | required: 1502 | - secretName 1503 | type: object 1504 | type: array 1505 | version: 1506 | description: Version of Kibana. 1507 | type: string 1508 | type: object 1509 | status: 1510 | description: KibanaStatus defines the observed state of Kibana 1511 | properties: 1512 | associationStatus: 1513 | description: AssociationStatus is the status of an association resource. 1514 | type: string 1515 | availableNodes: 1516 | format: int32 1517 | type: integer 1518 | health: 1519 | description: KibanaHealth expresses the status of the Kibana instances. 
1520 | type: string 1521 | type: object 1522 | version: v1 1523 | versions: 1524 | - name: v1 1525 | served: true 1526 | storage: true 1527 | - name: v1beta1 1528 | served: true 1529 | storage: false 1530 | - name: v1alpha1 1531 | served: false 1532 | storage: false 1533 | status: 1534 | acceptedNames: 1535 | kind: "" 1536 | plural: "" 1537 | conditions: [] 1538 | storedVersions: [] 1539 | 1540 | --- 1541 | apiVersion: rbac.authorization.k8s.io/v1 1542 | kind: ClusterRole 1543 | metadata: 1544 | name: elastic-operator 1545 | rules: 1546 | - apiGroups: 1547 | - "" 1548 | resources: 1549 | - pods 1550 | - endpoints 1551 | - events 1552 | - persistentvolumeclaims 1553 | - secrets 1554 | - services 1555 | - configmaps 1556 | verbs: 1557 | - get 1558 | - list 1559 | - watch 1560 | - create 1561 | - update 1562 | - patch 1563 | - delete 1564 | - apiGroups: 1565 | - apps 1566 | resources: 1567 | - deployments 1568 | - statefulsets 1569 | verbs: 1570 | - get 1571 | - list 1572 | - watch 1573 | - create 1574 | - update 1575 | - patch 1576 | - delete 1577 | - apiGroups: 1578 | - policy 1579 | resources: 1580 | - poddisruptionbudgets 1581 | verbs: 1582 | - get 1583 | - list 1584 | - watch 1585 | - create 1586 | - update 1587 | - patch 1588 | - delete 1589 | - apiGroups: 1590 | - elasticsearch.k8s.elastic.co 1591 | resources: 1592 | - elasticsearches 1593 | - elasticsearches/status 1594 | - elasticsearches/finalizers 1595 | - enterpriselicenses 1596 | - enterpriselicenses/status 1597 | verbs: 1598 | - get 1599 | - list 1600 | - watch 1601 | - create 1602 | - update 1603 | - patch 1604 | - delete 1605 | - apiGroups: 1606 | - kibana.k8s.elastic.co 1607 | resources: 1608 | - kibanas 1609 | - kibanas/status 1610 | - kibanas/finalizers 1611 | verbs: 1612 | - get 1613 | - list 1614 | - watch 1615 | - create 1616 | - update 1617 | - patch 1618 | - delete 1619 | - apiGroups: 1620 | - apm.k8s.elastic.co 1621 | resources: 1622 | - apmservers 1623 | - apmservers/status 1624 | - 
apmservers/finalizers 1625 | verbs: 1626 | - get 1627 | - list 1628 | - watch 1629 | - create 1630 | - update 1631 | - patch 1632 | - delete 1633 | - apiGroups: 1634 | - associations.k8s.elastic.co 1635 | resources: 1636 | - apmserverelasticsearchassociations 1637 | - apmserverelasticsearchassociations/status 1638 | verbs: 1639 | - get 1640 | - list 1641 | - watch 1642 | - create 1643 | - update 1644 | - patch 1645 | - delete 1646 | - apiGroups: 1647 | - admissionregistration.k8s.io 1648 | resources: 1649 | - mutatingwebhookconfigurations 1650 | - validatingwebhookconfigurations 1651 | verbs: 1652 | - get 1653 | - list 1654 | - watch 1655 | - create 1656 | - update 1657 | - patch 1658 | - delete 1659 | 1660 | --- 1661 | apiVersion: rbac.authorization.k8s.io/v1 1662 | kind: ClusterRoleBinding 1663 | metadata: 1664 | name: elastic-operator 1665 | roleRef: 1666 | apiGroup: rbac.authorization.k8s.io 1667 | kind: ClusterRole 1668 | name: elastic-operator 1669 | subjects: 1670 | - kind: ServiceAccount 1671 | name: elastic-operator 1672 | namespace: elastic-system 1673 | 1674 | --- 1675 | apiVersion: v1 1676 | kind: Namespace 1677 | metadata: 1678 | name: elastic-system 1679 | 1680 | --- 1681 | apiVersion: apps/v1 1682 | kind: StatefulSet 1683 | metadata: 1684 | name: elastic-operator 1685 | namespace: elastic-system 1686 | labels: 1687 | control-plane: elastic-operator 1688 | spec: 1689 | selector: 1690 | matchLabels: 1691 | control-plane: elastic-operator 1692 | serviceName: elastic-operator 1693 | template: 1694 | metadata: 1695 | labels: 1696 | control-plane: elastic-operator 1697 | spec: 1698 | serviceAccountName: elastic-operator 1699 | containers: 1700 | - image: docker.elastic.co/eck/eck-operator:1.0.1 1701 | name: manager 1702 | args: ["manager", "--operator-roles", "all", "--log-verbosity=0"] 1703 | env: 1704 | - name: OPERATOR_NAMESPACE 1705 | valueFrom: 1706 | fieldRef: 1707 | fieldPath: metadata.namespace 1708 | - name: WEBHOOK_SECRET 1709 | value: 
elastic-webhook-server-cert 1710 | - name: WEBHOOK_PODS_LABEL 1711 | value: elastic-operator 1712 | - name: OPERATOR_IMAGE 1713 | value: docker.elastic.co/eck/eck-operator:1.0.1 1714 | resources: 1715 | limits: 1716 | cpu: 1 1717 | memory: 150Mi 1718 | requests: 1719 | cpu: 100m 1720 | memory: 50Mi 1721 | ports: 1722 | - containerPort: 9443 1723 | name: webhook-server 1724 | protocol: TCP 1725 | volumeMounts: 1726 | - mountPath: /tmp/k8s-webhook-server/serving-certs 1727 | name: cert 1728 | readOnly: true 1729 | terminationGracePeriodSeconds: 10 1730 | volumes: 1731 | - name: cert 1732 | secret: 1733 | defaultMode: 420 1734 | secretName: elastic-webhook-server-cert 1735 | 1736 | --- 1737 | apiVersion: v1 1738 | kind: ServiceAccount 1739 | metadata: 1740 | name: elastic-operator 1741 | namespace: elastic-system 1742 | 1743 | --- 1744 | apiVersion: admissionregistration.k8s.io/v1beta1 1745 | kind: ValidatingWebhookConfiguration 1746 | metadata: 1747 | name: elastic-webhook.k8s.elastic.co 1748 | webhooks: 1749 | - clientConfig: 1750 | caBundle: Cg== 1751 | service: 1752 | name: elastic-webhook-server 1753 | namespace: elastic-system 1754 | path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch 1755 | failurePolicy: Ignore 1756 | name: elastic-es-validation-v1.k8s.elastic.co 1757 | rules: 1758 | - apiGroups: 1759 | - elasticsearch.k8s.elastic.co 1760 | apiVersions: 1761 | - v1 1762 | operations: 1763 | - CREATE 1764 | - UPDATE 1765 | resources: 1766 | - elasticsearches 1767 | - clientConfig: 1768 | caBundle: Cg== 1769 | service: 1770 | name: elastic-webhook-server 1771 | namespace: elastic-system 1772 | path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch 1773 | failurePolicy: Ignore 1774 | name: elastic-es-validation-v1beta1.k8s.elastic.co 1775 | rules: 1776 | - apiGroups: 1777 | - elasticsearch.k8s.elastic.co 1778 | apiVersions: 1779 | - v1beta1 1780 | operations: 1781 | - CREATE 1782 | - UPDATE 1783 | resources: 1784 | - elasticsearches 1785 | 
--- 1786 | apiVersion: v1 1787 | kind: Service 1788 | metadata: 1789 | name: elastic-webhook-server 1790 | namespace: elastic-system 1791 | spec: 1792 | ports: 1793 | - port: 443 1794 | targetPort: 9443 1795 | selector: 1796 | control-plane: elastic-operator 1797 | --- 1798 | apiVersion: v1 1799 | kind: Secret 1800 | metadata: 1801 | name: elastic-webhook-server-cert 1802 | namespace: elastic-system 1803 | -------------------------------------------------------------------------------- /flux/resources/external-dns/cilium-etcd-operator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | labels: 6 | io.cilium/app: etcd-operator 7 | name: cilium-etcd-operator 8 | name: cilium-etcd-operator 9 | namespace: external-dns 10 | spec: 11 | replicas: 1 12 | selector: 13 | matchLabels: 14 | io.cilium/app: etcd-operator 15 | name: cilium-etcd-operator 16 | strategy: 17 | rollingUpdate: 18 | maxSurge: 1 19 | maxUnavailable: 1 20 | type: RollingUpdate 21 | template: 22 | metadata: 23 | labels: 24 | io.cilium/app: etcd-operator 25 | name: cilium-etcd-operator 26 | spec: 27 | containers: 28 | - args: 29 | #- --etcd-node-selector=disktype=ssd,cputype=high 30 | command: 31 | - /usr/bin/cilium-etcd-operator 32 | env: 33 | - name: CILIUM_ETCD_OPERATOR_CLUSTER_DOMAIN 34 | value: "cluster.local" 35 | - name: CILIUM_ETCD_OPERATOR_ETCD_CLUSTER_SIZE 36 | value: "3" 37 | - name: CILIUM_ETCD_OPERATOR_NAMESPACE 38 | valueFrom: 39 | fieldRef: 40 | apiVersion: v1 41 | fieldPath: metadata.namespace 42 | - name: CILIUM_ETCD_OPERATOR_POD_NAME 43 | valueFrom: 44 | fieldRef: 45 | apiVersion: v1 46 | fieldPath: metadata.name 47 | - name: CILIUM_ETCD_OPERATOR_POD_UID 48 | valueFrom: 49 | fieldRef: 50 | apiVersion: v1 51 | fieldPath: metadata.uid 52 | - name: CILIUM_ETCD_META_ETCD_AUTO_COMPACTION_MODE 53 | value: "revision" 54 | - name: CILIUM_ETCD_META_ETCD_AUTO_COMPACTION_RETENTION 55 | value: 
"25000" 56 | image: docker.io/cilium/cilium-etcd-operator:v2.0.7 57 | imagePullPolicy: IfNotPresent 58 | name: cilium-etcd-operator 59 | dnsPolicy: ClusterFirst 60 | hostNetwork: true 61 | restartPolicy: Always 62 | serviceAccount: cilium-etcd-operator 63 | serviceAccountName: cilium-etcd-operator 64 | tolerations: 65 | - operator: Exists 66 | --- 67 | apiVersion: v1 68 | kind: ServiceAccount 69 | metadata: 70 | name: cilium-etcd-operator 71 | namespace: external-dns 72 | --- 73 | apiVersion: rbac.authorization.k8s.io/v1 74 | kind: ClusterRole 75 | metadata: 76 | name: cilium-etcd-operator 77 | rules: 78 | - apiGroups: 79 | - etcd.database.coreos.com 80 | resources: 81 | - etcdclusters 82 | verbs: 83 | - get 84 | - delete 85 | - create 86 | - update 87 | - apiGroups: 88 | - apiextensions.k8s.io 89 | resources: 90 | - customresourcedefinitions 91 | verbs: 92 | - delete 93 | - get 94 | - create 95 | - apiGroups: 96 | - "" 97 | resources: 98 | - deployments 99 | verbs: 100 | - delete 101 | - create 102 | - get 103 | - update 104 | - apiGroups: 105 | - "" 106 | resources: 107 | - pods 108 | verbs: 109 | - list 110 | - get 111 | - delete 112 | - apiGroups: 113 | - apps 114 | resources: 115 | - deployments 116 | verbs: 117 | - delete 118 | - create 119 | - get 120 | - update 121 | - apiGroups: 122 | - "" 123 | resources: 124 | - componentstatuses 125 | verbs: 126 | - get 127 | - apiGroups: 128 | - extensions 129 | resources: 130 | - deployments 131 | verbs: 132 | - delete 133 | - create 134 | - get 135 | - update 136 | - apiGroups: 137 | - "" 138 | resources: 139 | - secrets 140 | verbs: 141 | - get 142 | - create 143 | - delete 144 | --- 145 | apiVersion: rbac.authorization.k8s.io/v1 146 | kind: ClusterRoleBinding 147 | metadata: 148 | name: cilium-etcd-operator 149 | roleRef: 150 | apiGroup: rbac.authorization.k8s.io 151 | kind: ClusterRole 152 | name: cilium-etcd-operator 153 | subjects: 154 | - kind: ServiceAccount 155 | name: cilium-etcd-operator 156 | namespace: 
external-dns 157 | --- 158 | apiVersion: v1 159 | kind: ServiceAccount 160 | metadata: 161 | name: cilium-etcd-sa 162 | namespace: external-dns 163 | --- 164 | apiVersion: rbac.authorization.k8s.io/v1 165 | kind: ClusterRole 166 | metadata: 167 | name: etcd-operator 168 | rules: 169 | - apiGroups: 170 | - etcd.database.coreos.com 171 | resources: 172 | - etcdclusters 173 | - etcdbackups 174 | - etcdrestores 175 | verbs: 176 | - '*' 177 | - apiGroups: 178 | - apiextensions.k8s.io 179 | resources: 180 | - customresourcedefinitions 181 | verbs: 182 | - '*' 183 | - apiGroups: 184 | - "" 185 | resources: 186 | - pods 187 | - services 188 | - endpoints 189 | - persistentvolumeclaims 190 | - events 191 | - deployments 192 | verbs: 193 | - '*' 194 | - apiGroups: 195 | - apps 196 | resources: 197 | - deployments 198 | verbs: 199 | - '*' 200 | - apiGroups: 201 | - extensions 202 | resources: 203 | - deployments 204 | verbs: 205 | - create 206 | - get 207 | - list 208 | - patch 209 | - update 210 | - apiGroups: 211 | - "" 212 | resources: 213 | - secrets 214 | verbs: 215 | - get 216 | --- 217 | apiVersion: rbac.authorization.k8s.io/v1 218 | kind: ClusterRoleBinding 219 | metadata: 220 | name: etcd-operator 221 | roleRef: 222 | apiGroup: rbac.authorization.k8s.io 223 | kind: ClusterRole 224 | name: etcd-operator 225 | subjects: 226 | - kind: ServiceAccount 227 | name: cilium-etcd-sa 228 | namespace: external-dns 229 | -------------------------------------------------------------------------------- /flux/resources/external-dns/coredns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.fluxcd.io/v1 2 | kind: HelmRelease 3 | metadata: 4 | name: coredns 5 | namespace: external-dns 6 | spec: 7 | releaseName: coredns 8 | chart: 9 | repository: https://kubernetes-charts.storage.googleapis.com 10 | version: 1.10.1 11 | name: coredns 12 | values: 13 | serviceType: "NodePort" 14 | replicaCount: 2 15 | serviceAccount: 16 | create: 
true 17 | rbac: 18 | pspEnable: true 19 | isClusterService: false 20 | extraSecrets: 21 | - name: cilium-etcd-client-tls 22 | mountPath: /etc/coredns/tls/etcd 23 | servers: 24 | - zones: 25 | - zone: . 26 | port: 53 27 | plugins: 28 | - name: errors 29 | - name: health 30 | configBlock: |- 31 | lameduck 5s 32 | - name: ready 33 | - name: prometheus 34 | parameters: 0.0.0.0:9153 35 | - name: forward 36 | parameters: . /etc/resolv.conf 37 | - name: cache 38 | parameters: 30 39 | - name: loop 40 | - name: reload 41 | - name: loadbalance 42 | - name: etcd 43 | parameters: test.org 44 | configBlock: |- 45 | stubzones 46 | path /skydns 47 | endpoint https://cilium-etcd-client.external-dns.svc:2379 48 | tls /etc/coredns/tls/etcd/etcd-client.crt /etc/coredns/tls/etcd/etcd-client.key /etc/coredns/tls/etcd/etcd-client-ca.crt 49 | -------------------------------------------------------------------------------- /flux/resources/external-dns/etcd-crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: etcdclusters.etcd.database.coreos.com 5 | spec: 6 | additionalPrinterColumns: 7 | - JSONPath: .metadata.creationTimestamp 8 | description: 'CreationTimestamp is a timestamp representing the server time when 9 | this object was created. It is not guaranteed to be set in happens-before order 10 | across separate operations. Clients may not set this value. It is represented 11 | in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 12 | lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 13 | name: Age 14 | type: date 15 | group: etcd.database.coreos.com 16 | names: 17 | kind: EtcdCluster 18 | listKind: EtcdClusterList 19 | plural: etcdclusters 20 | shortNames: 21 | - etcd 22 | singular: etcdcluster 23 | scope: Namespaced 24 | version: v1beta2 25 | versions: 26 | - name: v1beta2 27 | served: true 28 | storage: true 29 | -------------------------------------------------------------------------------- /flux/resources/external-dns/external-dns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.fluxcd.io/v1 2 | kind: HelmRelease 3 | metadata: 4 | name: external-dns 5 | namespace: external-dns 6 | spec: 7 | releaseName: external-dns 8 | chart: 9 | repository: https://charts.bitnami.com/bitnami 10 | version: 2.22.4 11 | name: external-dns 12 | values: 13 | provider: coredns 14 | policy: sync 15 | coredns: 16 | etcdEndpoints: "https://cilium-etcd-client.external-dns.svc:2379" 17 | etcdTLS: 18 | enabled: true 19 | secretName: "cilium-etcd-client-tls" 20 | caFilename: "etcd-client-ca.crt" 21 | certFilename: "etcd-client.crt" 22 | keyFilename: "etcd-client.key" 23 | -------------------------------------------------------------------------------- /flux/resources/external-dns/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Namespace 3 | apiVersion: v1 4 | metadata: 5 | name: external-dns 6 | labels: 7 | name: external-dns 8 | -------------------------------------------------------------------------------- /flux/resources/local-static-provisioner/local-static-provisioner.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.fluxcd.io/v1 2 | kind: HelmRelease 3 | metadata: 4 | name: local-static-provisioner 5 | namespace: local-static-provisioner 6 | spec: 7 | releaseName: local-static-provisioner 8 | chart: 
9 | git: https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner 10 | path: helm/provisioner 11 | ref: master 12 | values: 13 | classes: 14 | - name: local 15 | hostDir: /mnt/disks 16 | -------------------------------------------------------------------------------- /flux/resources/local-static-provisioner/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Namespace 3 | apiVersion: v1 4 | metadata: 5 | name: local-static-provisioner 6 | labels: 7 | name: local-static-provisioner 8 | -------------------------------------------------------------------------------- /flux/resources/local-static-provisioner/storageclass.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: StorageClass 3 | metadata: 4 | name: local 5 | provisioner: kubernetes.io/no-provisioner 6 | volumeBindingMode: WaitForFirstConsumer 7 | reclaimPolicy: Delete 8 | -------------------------------------------------------------------------------- /flux/resources/metallb-system/generate-secret.sh: -------------------------------------------------------------------------------- 1 | #! 
/bin/sh 2 | kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)" -o yaml --dry-run=client > metallb-secret.yaml 3 | -------------------------------------------------------------------------------- /flux/resources/metallb-system/metallb-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | namespace: metallb-system 5 | name: config 6 | data: 7 | config: | 8 | address-pools: 9 | - name: default 10 | protocol: layer2 11 | addresses: 12 | - 10.10.39.200-10.10.39.220 13 | -------------------------------------------------------------------------------- /flux/resources/metallb-system/metallb.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: policy/v1beta1 2 | kind: PodSecurityPolicy 3 | metadata: 4 | labels: 5 | app: metallb 6 | name: controller 7 | namespace: metallb-system 8 | spec: 9 | allowPrivilegeEscalation: false 10 | allowedCapabilities: [] 11 | allowedHostPaths: [] 12 | defaultAddCapabilities: [] 13 | defaultAllowPrivilegeEscalation: false 14 | fsGroup: 15 | ranges: 16 | - max: 65535 17 | min: 1 18 | rule: MustRunAs 19 | hostIPC: false 20 | hostNetwork: false 21 | hostPID: false 22 | privileged: false 23 | readOnlyRootFilesystem: true 24 | requiredDropCapabilities: 25 | - ALL 26 | runAsUser: 27 | ranges: 28 | - max: 65535 29 | min: 1 30 | rule: MustRunAs 31 | seLinux: 32 | rule: RunAsAny 33 | supplementalGroups: 34 | ranges: 35 | - max: 65535 36 | min: 1 37 | rule: MustRunAs 38 | volumes: 39 | - configMap 40 | - secret 41 | - emptyDir 42 | --- 43 | apiVersion: policy/v1beta1 44 | kind: PodSecurityPolicy 45 | metadata: 46 | labels: 47 | app: metallb 48 | name: speaker 49 | namespace: metallb-system 50 | spec: 51 | allowPrivilegeEscalation: false 52 | allowedCapabilities: 53 | - NET_ADMIN 54 | - NET_RAW 55 | - SYS_ADMIN 56 | allowedHostPaths: [] 57 | 
defaultAddCapabilities: [] 58 | defaultAllowPrivilegeEscalation: false 59 | fsGroup: 60 | rule: RunAsAny 61 | hostIPC: false 62 | hostNetwork: true 63 | hostPID: false 64 | hostPorts: 65 | - max: 7472 66 | min: 7472 67 | privileged: true 68 | readOnlyRootFilesystem: true 69 | requiredDropCapabilities: 70 | - ALL 71 | runAsUser: 72 | rule: RunAsAny 73 | seLinux: 74 | rule: RunAsAny 75 | supplementalGroups: 76 | rule: RunAsAny 77 | volumes: 78 | - configMap 79 | - secret 80 | - emptyDir 81 | --- 82 | apiVersion: v1 83 | kind: ServiceAccount 84 | metadata: 85 | labels: 86 | app: metallb 87 | name: controller 88 | namespace: metallb-system 89 | --- 90 | apiVersion: v1 91 | kind: ServiceAccount 92 | metadata: 93 | labels: 94 | app: metallb 95 | name: speaker 96 | namespace: metallb-system 97 | --- 98 | apiVersion: rbac.authorization.k8s.io/v1 99 | kind: ClusterRole 100 | metadata: 101 | labels: 102 | app: metallb 103 | name: metallb-system:controller 104 | rules: 105 | - apiGroups: 106 | - '' 107 | resources: 108 | - services 109 | verbs: 110 | - get 111 | - list 112 | - watch 113 | - update 114 | - apiGroups: 115 | - '' 116 | resources: 117 | - services/status 118 | verbs: 119 | - update 120 | - apiGroups: 121 | - '' 122 | resources: 123 | - events 124 | verbs: 125 | - create 126 | - patch 127 | - apiGroups: 128 | - policy 129 | resourceNames: 130 | - controller 131 | resources: 132 | - podsecuritypolicies 133 | verbs: 134 | - use 135 | --- 136 | apiVersion: rbac.authorization.k8s.io/v1 137 | kind: ClusterRole 138 | metadata: 139 | labels: 140 | app: metallb 141 | name: metallb-system:speaker 142 | rules: 143 | - apiGroups: 144 | - '' 145 | resources: 146 | - services 147 | - endpoints 148 | - nodes 149 | verbs: 150 | - get 151 | - list 152 | - watch 153 | - apiGroups: 154 | - '' 155 | resources: 156 | - events 157 | verbs: 158 | - create 159 | - patch 160 | - apiGroups: 161 | - policy 162 | resourceNames: 163 | - speaker 164 | resources: 165 | - podsecuritypolicies 
166 | verbs: 167 | - use 168 | --- 169 | apiVersion: rbac.authorization.k8s.io/v1 170 | kind: Role 171 | metadata: 172 | labels: 173 | app: metallb 174 | name: config-watcher 175 | namespace: metallb-system 176 | rules: 177 | - apiGroups: 178 | - '' 179 | resources: 180 | - configmaps 181 | verbs: 182 | - get 183 | - list 184 | - watch 185 | --- 186 | apiVersion: rbac.authorization.k8s.io/v1 187 | kind: Role 188 | metadata: 189 | labels: 190 | app: metallb 191 | name: pod-lister 192 | namespace: metallb-system 193 | rules: 194 | - apiGroups: 195 | - '' 196 | resources: 197 | - pods 198 | verbs: 199 | - list 200 | --- 201 | apiVersion: rbac.authorization.k8s.io/v1 202 | kind: ClusterRoleBinding 203 | metadata: 204 | labels: 205 | app: metallb 206 | name: metallb-system:controller 207 | roleRef: 208 | apiGroup: rbac.authorization.k8s.io 209 | kind: ClusterRole 210 | name: metallb-system:controller 211 | subjects: 212 | - kind: ServiceAccount 213 | name: controller 214 | namespace: metallb-system 215 | --- 216 | apiVersion: rbac.authorization.k8s.io/v1 217 | kind: ClusterRoleBinding 218 | metadata: 219 | labels: 220 | app: metallb 221 | name: metallb-system:speaker 222 | roleRef: 223 | apiGroup: rbac.authorization.k8s.io 224 | kind: ClusterRole 225 | name: metallb-system:speaker 226 | subjects: 227 | - kind: ServiceAccount 228 | name: speaker 229 | namespace: metallb-system 230 | --- 231 | apiVersion: rbac.authorization.k8s.io/v1 232 | kind: RoleBinding 233 | metadata: 234 | labels: 235 | app: metallb 236 | name: config-watcher 237 | namespace: metallb-system 238 | roleRef: 239 | apiGroup: rbac.authorization.k8s.io 240 | kind: Role 241 | name: config-watcher 242 | subjects: 243 | - kind: ServiceAccount 244 | name: controller 245 | - kind: ServiceAccount 246 | name: speaker 247 | --- 248 | apiVersion: rbac.authorization.k8s.io/v1 249 | kind: RoleBinding 250 | metadata: 251 | labels: 252 | app: metallb 253 | name: pod-lister 254 | namespace: metallb-system 255 | 
roleRef: 256 | apiGroup: rbac.authorization.k8s.io 257 | kind: Role 258 | name: pod-lister 259 | subjects: 260 | - kind: ServiceAccount 261 | name: speaker 262 | --- 263 | apiVersion: apps/v1 264 | kind: DaemonSet 265 | metadata: 266 | labels: 267 | app: metallb 268 | component: speaker 269 | name: speaker 270 | namespace: metallb-system 271 | spec: 272 | selector: 273 | matchLabels: 274 | app: metallb 275 | component: speaker 276 | template: 277 | metadata: 278 | annotations: 279 | prometheus.io/port: '7472' 280 | prometheus.io/scrape: 'true' 281 | labels: 282 | app: metallb 283 | component: speaker 284 | spec: 285 | containers: 286 | - args: 287 | - --port=7472 288 | - --config=config 289 | env: 290 | - name: METALLB_NODE_NAME 291 | valueFrom: 292 | fieldRef: 293 | fieldPath: spec.nodeName 294 | - name: METALLB_HOST 295 | valueFrom: 296 | fieldRef: 297 | fieldPath: status.hostIP 298 | - name: METALLB_ML_BIND_ADDR 299 | valueFrom: 300 | fieldRef: 301 | fieldPath: status.podIP 302 | - name: METALLB_ML_LABELS 303 | value: "app=metallb,component=speaker" 304 | - name: METALLB_ML_NAMESPACE 305 | valueFrom: 306 | fieldRef: 307 | fieldPath: metadata.namespace 308 | - name: METALLB_ML_SECRET_KEY 309 | valueFrom: 310 | secretKeyRef: 311 | name: memberlist 312 | key: secretkey 313 | image: metallb/speaker:v0.9.3 314 | imagePullPolicy: Always 315 | name: speaker 316 | ports: 317 | - containerPort: 7472 318 | name: monitoring 319 | resources: 320 | limits: 321 | cpu: 100m 322 | memory: 100Mi 323 | securityContext: 324 | allowPrivilegeEscalation: false 325 | capabilities: 326 | add: 327 | - NET_ADMIN 328 | - NET_RAW 329 | - SYS_ADMIN 330 | drop: 331 | - ALL 332 | readOnlyRootFilesystem: true 333 | hostNetwork: true 334 | nodeSelector: 335 | beta.kubernetes.io/os: linux 336 | serviceAccountName: speaker 337 | terminationGracePeriodSeconds: 2 338 | tolerations: 339 | - effect: NoSchedule 340 | key: node-role.kubernetes.io/master 341 | --- 342 | apiVersion: apps/v1 343 | kind: 
Deployment 344 | metadata: 345 | labels: 346 | app: metallb 347 | component: controller 348 | name: controller 349 | namespace: metallb-system 350 | spec: 351 | revisionHistoryLimit: 3 352 | selector: 353 | matchLabels: 354 | app: metallb 355 | component: controller 356 | template: 357 | metadata: 358 | annotations: 359 | prometheus.io/port: '7472' 360 | prometheus.io/scrape: 'true' 361 | labels: 362 | app: metallb 363 | component: controller 364 | spec: 365 | containers: 366 | - args: 367 | - --port=7472 368 | - --config=config 369 | image: metallb/controller:v0.9.3 370 | imagePullPolicy: Always 371 | name: controller 372 | ports: 373 | - containerPort: 7472 374 | name: monitoring 375 | resources: 376 | limits: 377 | cpu: 100m 378 | memory: 100Mi 379 | securityContext: 380 | allowPrivilegeEscalation: false 381 | capabilities: 382 | drop: 383 | - all 384 | readOnlyRootFilesystem: true 385 | nodeSelector: 386 | beta.kubernetes.io/os: linux 387 | securityContext: 388 | runAsNonRoot: true 389 | runAsUser: 65534 390 | serviceAccountName: controller 391 | terminationGracePeriodSeconds: 0 392 | -------------------------------------------------------------------------------- /flux/resources/metallb-system/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: metallb-system 5 | labels: 6 | app: metallb 7 | -------------------------------------------------------------------------------- /flux/resources/metrics-server/metrics-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.fluxcd.io/v1 2 | kind: HelmRelease 3 | metadata: 4 | name: metrics-server 5 | namespace: metrics-server 6 | spec: 7 | releaseName: metrics-server 8 | chart: 9 | repository: https://kubernetes-charts.storage.googleapis.com 10 | version: 2.11.1 11 | name: metrics-server 12 | values: 13 | args: 14 | - 
--kubelet-preferred-address-types=InternalIP,ExternalIP 15 | - --kubelet-insecure-tls 16 | -------------------------------------------------------------------------------- /flux/resources/metrics-server/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Namespace 3 | apiVersion: v1 4 | metadata: 5 | name: metrics-server 6 | labels: 7 | name: metrics-server 8 | -------------------------------------------------------------------------------- /flux/resources/nginx-ingress/nginx-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.fluxcd.io/v1 2 | kind: HelmRelease 3 | metadata: 4 | name: nginx-ingress 5 | namespace: nginx-ingress 6 | spec: 7 | releaseName: nginx-ingress 8 | chart: 9 | repository: https://kubernetes-charts.storage.googleapis.com 10 | version: 1.36.3 11 | name: nginx-ingress 12 | values: 13 | controller: 14 | publishService: 15 | enabled: true 16 | kind: "DaemonSet" 17 | service: 18 | enabled: true 19 | externalTrafficPolicy: Local 20 | daemonset: 21 | hostPorts: 22 | http: 80 23 | https: 443 24 | defaultBackend: 25 | replicaCount: 2 26 | podSecurityPolicy: 27 | enabled: true 28 | -------------------------------------------------------------------------------- /flux/resources/nginx-ingress/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Namespace 3 | apiVersion: v1 4 | metadata: 5 | name: nginx-ingress 6 | labels: 7 | name: nginx-ingress 8 | -------------------------------------------------------------------------------- /flux/resources/npd/node-problem-detector.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.fluxcd.io/v1 2 | kind: HelmRelease 3 | metadata: 4 | name: node-problem-detector 5 | namespace: node-problem-detector 6 | spec: 7 | releaseName: node-problem-detector 8 | chart: 9 | repository: 
https://kubernetes-charts.storage.googleapis.com 10 | version: 1.7.6 11 | name: node-problem-detector 12 | -------------------------------------------------------------------------------- /flux/resources/npd/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Namespace 3 | apiVersion: v1 4 | metadata: 5 | name: node-problem-detector 6 | labels: 7 | name: node-problem-detector 8 | -------------------------------------------------------------------------------- /flux/values-flux.yaml: -------------------------------------------------------------------------------- 1 | git: 2 | pollInterval: 1m 3 | url: ssh://git@github.com/clusterfrak-dynamics/gitops-template.git 4 | branch: master 5 | path: flux/resources 6 | syncGarbageCollection: 7 | enabled: true 8 | registry: 9 | disableScanning: false 10 | -------------------------------------------------------------------------------- /flux/values-helm-operator.yaml: -------------------------------------------------------------------------------- 1 | helm: 2 | versions: v3 3 | git: 4 | ssh: 5 | secretName: flux-git-deploy 6 | configureRepositories: 7 | enable: true 8 | repositories: 9 | - name: stable 10 | url: https://kubernetes-charts.storage.googleapis.com 11 | - name: incubator 12 | url: https://kubernetes-charts-incubator.storage.googleapis.com 13 | --------------------------------------------------------------------------------