├── .charts.yml ├── .dockerignore ├── .earthlyignore ├── .envrc ├── .flake8 ├── .github └── workflows │ ├── ci.yml │ ├── docs.yml │ ├── image.yml │ └── release.yml ├── .gitignore ├── .markdownlint.rb ├── .mdlrc ├── .pre-commit-config.yaml ├── CHANGELOG.md ├── Cargo.lock ├── Cargo.toml ├── Dockerfile ├── Earthfile ├── LICENSE ├── README.md ├── build.rs ├── crates ├── cluster_feature_derive │ ├── Cargo.toml │ └── src │ │ └── lib.rs ├── helm │ ├── Cargo.toml │ └── src │ │ └── lib.rs └── serde_gtmpl │ ├── Cargo.toml │ └── src │ └── lib.rs ├── data ├── audit │ └── policy.yaml ├── keystone-auth │ └── webhook.yaml └── kubeadm │ └── configure-kube-proxy.sh ├── devstack ├── local.conf.sample ├── override-defaults ├── plugin.sh └── settings ├── docs ├── SUMMARY.md ├── admin │ ├── intro.md │ └── troubleshooting.md ├── developer │ ├── cluster-topology.md │ ├── testing-and-development.md │ └── upgrade-in-atmosphere.md ├── index.md ├── static │ ├── logo.png │ └── user │ │ └── getting-started │ │ ├── cluster-create-info.png │ │ ├── cluster-create-mgmt.png │ │ ├── cluster-create-network.png │ │ ├── cluster-create-size.png │ │ ├── cluster-created-show.png │ │ ├── cluster-list-create.png │ │ ├── cluster-postcreate-list.png │ │ ├── cluster-postcreate-show.png │ │ └── cluster-template-list.png └── user │ ├── configs.md │ ├── getting-started.md │ ├── images.md │ └── labels.md ├── flake.lock ├── flake.nix ├── hack ├── run-integration-tests.sh ├── setup-capo.sh ├── setup-docker.sh ├── setup-helm.sh ├── setup-kind.sh ├── setup-kubectl.sh └── stack.sh ├── magnum_cluster_api ├── __init__.py ├── cache.py ├── charts │ ├── .gitkeep │ ├── cilium │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── LICENSE │ │ ├── README.md │ │ ├── README.md.gotmpl │ │ ├── files │ │ │ ├── agent │ │ │ │ └── poststart-eni.bash │ │ │ ├── cilium-agent │ │ │ │ └── dashboards │ │ │ │ │ └── cilium-dashboard.json │ │ │ ├── cilium-envoy │ │ │ │ └── configmap │ │ │ │ │ └── bootstrap-config.json │ │ │ ├── cilium-operator │ │ │ │ 
└── dashboards │ │ │ │ │ └── cilium-operator-dashboard.json │ │ │ ├── hubble │ │ │ │ └── dashboards │ │ │ │ │ ├── hubble-dashboard.json │ │ │ │ │ ├── hubble-dns-namespace.json │ │ │ │ │ ├── hubble-l7-http-metrics-by-workload.json │ │ │ │ │ └── hubble-network-overview-namespace.json │ │ │ ├── nodeinit │ │ │ │ ├── prestop.bash │ │ │ │ └── startup.bash │ │ │ └── spire │ │ │ │ ├── init.bash │ │ │ │ └── wait-for-spire.bash │ │ ├── requirements.lock │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── cilium-agent │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── daemonset.yaml │ │ │ │ ├── dashboards-configmap.yaml │ │ │ │ ├── role.yaml │ │ │ │ ├── rolebinding.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── serviceaccount.yaml │ │ │ │ └── servicemonitor.yaml │ │ │ ├── cilium-ca-bundle-configmap.yaml │ │ │ ├── cilium-ca-secret.yaml │ │ │ ├── cilium-configmap.yaml │ │ │ ├── cilium-envoy │ │ │ │ ├── configmap.yaml │ │ │ │ ├── daemonset.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── serviceaccount.yaml │ │ │ │ └── servicemonitor.yaml │ │ │ ├── cilium-flowlog-configmap.yaml │ │ │ ├── cilium-gateway-api-class.yaml │ │ │ ├── cilium-ingress-class.yaml │ │ │ ├── cilium-ingress-service.yaml │ │ │ ├── cilium-nodeinit │ │ │ │ ├── daemonset.yaml │ │ │ │ └── serviceaccount.yaml │ │ │ ├── cilium-operator │ │ │ │ ├── _helpers.tpl │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── dashboards-configmap.yaml │ │ │ │ ├── deployment.yaml │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ ├── role.yaml │ │ │ │ ├── rolebinding.yaml │ │ │ │ ├── secret.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── serviceaccount.yaml │ │ │ │ └── servicemonitor.yaml │ │ │ ├── cilium-preflight │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── daemonset.yaml │ │ │ │ ├── deployment.yaml │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ └── serviceaccount.yaml │ │ │ ├── cilium-resource-quota.yaml │ │ │ ├── cilium-secrets-namespace.yaml │ │ │ ├── 
clustermesh-apiserver │ │ │ │ ├── _helpers.tpl │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── deployment.yaml │ │ │ │ ├── metrics-service.yaml │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── serviceaccount.yaml │ │ │ │ ├── servicemonitor.yaml │ │ │ │ ├── tls-certmanager │ │ │ │ │ ├── admin-secret.yaml │ │ │ │ │ ├── client-secret.yaml │ │ │ │ │ ├── remote-secret.yaml │ │ │ │ │ └── server-secret.yaml │ │ │ │ ├── tls-cronjob │ │ │ │ │ ├── _job-spec.tpl │ │ │ │ │ ├── cronjob.yaml │ │ │ │ │ ├── job.yaml │ │ │ │ │ ├── role.yaml │ │ │ │ │ ├── rolebinding.yaml │ │ │ │ │ └── serviceaccount.yaml │ │ │ │ ├── tls-helm │ │ │ │ │ ├── admin-secret.yaml │ │ │ │ │ ├── client-secret.yaml │ │ │ │ │ ├── remote-secret.yaml │ │ │ │ │ └── server-secret.yaml │ │ │ │ ├── tls-provided │ │ │ │ │ ├── admin-secret.yaml │ │ │ │ │ ├── client-secret.yaml │ │ │ │ │ ├── remote-secret.yaml │ │ │ │ │ └── server-secret.yaml │ │ │ │ └── users-configmap.yaml │ │ │ ├── clustermesh-config │ │ │ │ ├── _helpers.tpl │ │ │ │ ├── clustermesh-secret.yaml │ │ │ │ └── kvstoremesh-secret.yaml │ │ │ ├── etcd-operator │ │ │ │ ├── cilium-etcd-operator-clusterrole.yaml │ │ │ │ ├── cilium-etcd-operator-clusterrolebinding.yaml │ │ │ │ ├── cilium-etcd-operator-deployment.yaml │ │ │ │ ├── cilium-etcd-operator-serviceaccount.yaml │ │ │ │ ├── etcd-operator-clusterrole.yaml │ │ │ │ ├── etcd-operator-clusterrolebinding.yaml │ │ │ │ ├── etcd-operator-serviceaccount.yaml │ │ │ │ └── poddisruptionbudget.yaml │ │ │ ├── hubble-relay │ │ │ │ ├── configmap.yaml │ │ │ │ ├── deployment.yaml │ │ │ │ ├── metrics-service.yaml │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── serviceaccount.yaml │ │ │ │ └── servicemonitor.yaml │ │ │ ├── hubble-ui │ │ │ │ ├── _nginx.tpl │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── configmap.yaml │ │ │ │ ├── deployment.yaml │ │ │ │ ├── ingress.yaml │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ ├── 
service.yaml │ │ │ │ └── serviceaccount.yaml │ │ │ ├── hubble │ │ │ │ ├── dashboards-configmap.yaml │ │ │ │ ├── metrics-service.yaml │ │ │ │ ├── peer-service.yaml │ │ │ │ ├── servicemonitor.yaml │ │ │ │ ├── tls-certmanager │ │ │ │ │ ├── relay-client-secret.yaml │ │ │ │ │ ├── relay-server-secret.yaml │ │ │ │ │ ├── server-secret.yaml │ │ │ │ │ └── ui-client-certs.yaml │ │ │ │ ├── tls-cronjob │ │ │ │ │ ├── _job-spec.tpl │ │ │ │ │ ├── clusterrole.yaml │ │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ │ ├── cronjob.yaml │ │ │ │ │ ├── job.yaml │ │ │ │ │ └── serviceaccount.yaml │ │ │ │ ├── tls-helm │ │ │ │ │ ├── _helpers.tpl │ │ │ │ │ ├── relay-client-secret.yaml │ │ │ │ │ ├── relay-server-secret.yaml │ │ │ │ │ ├── server-secret.yaml │ │ │ │ │ └── ui-client-certs.yaml │ │ │ │ └── tls-provided │ │ │ │ │ ├── relay-client-secret.yaml │ │ │ │ │ ├── relay-server-secret.yaml │ │ │ │ │ ├── server-secret.yaml │ │ │ │ │ └── ui-client-certs.yaml │ │ │ ├── spire │ │ │ │ ├── agent │ │ │ │ │ ├── clusterrole.yaml │ │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ │ ├── configmap.yaml │ │ │ │ │ ├── daemonset.yaml │ │ │ │ │ └── serviceaccount.yaml │ │ │ │ ├── bundle-configmap.yaml │ │ │ │ ├── namespace.yaml │ │ │ │ └── server │ │ │ │ │ ├── clusterrole.yaml │ │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ │ ├── configmap.yaml │ │ │ │ │ ├── role.yaml │ │ │ │ │ ├── rolebinding.yaml │ │ │ │ │ ├── service.yaml │ │ │ │ │ ├── serviceaccount.yaml │ │ │ │ │ └── statefulset.yaml │ │ │ └── validate.yaml │ │ ├── values.yaml │ │ └── values.yaml.tmpl │ ├── cluster-autoscaler │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── README.md.gotmpl │ │ ├── requirements.lock │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── deployment.yaml │ │ │ ├── pdb.yaml │ │ │ ├── podsecuritypolicy.yaml │ │ │ ├── priority-expander-configmap.yaml │ │ │ ├── prometheusrule.yaml │ │ │ ├── role.yaml │ │ │ ├── rolebinding.yaml │ │ │ ├── 
secret.yaml │ │ │ ├── service.yaml │ │ │ ├── serviceaccount.yaml │ │ │ ├── servicemonitor.yaml │ │ │ └── vpa.yaml │ │ └── values.yaml │ ├── k8s-keystone-auth │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── configmap-policy.yaml │ │ │ ├── configmap-sync.yaml │ │ │ ├── daemonset.yaml │ │ │ ├── secret-ca.yaml │ │ │ ├── service.yaml │ │ │ └── serviceaccount.yaml │ │ └── values.yaml │ ├── openstack-cinder-csi │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── requirements.lock │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── cinder-csi-driver.yaml │ │ │ ├── controllerplugin-deployment.yaml │ │ │ ├── controllerplugin-podmonitor.yaml │ │ │ ├── controllerplugin-rbac.yaml │ │ │ ├── custom_storageclass.yaml │ │ │ ├── nodeplugin-daemonset.yaml │ │ │ ├── nodeplugin-rbac.yaml │ │ │ ├── secret.yaml │ │ │ └── storageclass.yaml │ │ └── values.yaml │ ├── openstack-cloud-controller-manager │ │ ├── Chart.lock │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── charts │ │ │ └── common │ │ │ │ ├── .helmignore │ │ │ │ ├── Chart.yaml │ │ │ │ ├── README.md │ │ │ │ ├── templates │ │ │ │ ├── _affinities.tpl │ │ │ │ ├── _capabilities.tpl │ │ │ │ ├── _errors.tpl │ │ │ │ ├── _images.tpl │ │ │ │ ├── _ingress.tpl │ │ │ │ ├── _labels.tpl │ │ │ │ ├── _names.tpl │ │ │ │ ├── _secrets.tpl │ │ │ │ ├── _storage.tpl │ │ │ │ ├── _tplvalues.tpl │ │ │ │ ├── _utils.tpl │ │ │ │ ├── _warnings.tpl │ │ │ │ └── validations │ │ │ │ │ ├── _cassandra.tpl │ │ │ │ │ ├── _mariadb.tpl │ │ │ │ │ ├── _mongodb.tpl │ │ │ │ │ ├── _mysql.tpl │ │ │ │ │ ├── _postgresql.tpl │ │ │ │ │ ├── _redis.tpl │ │ │ │ │ └── _validations.tpl │ │ │ │ └── values.yaml │ │ ├── requirements.lock │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding-sm.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── daemonset.yaml │ │ │ ├── secret.yaml │ │ │ ├── 
service-sm.yaml │ │ │ ├── serviceaccount.yaml │ │ │ └── servicemonitor.yaml │ │ └── values.yaml │ ├── openstack-manila-csi │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── requirements.lock │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── controllerplugin-clusterrole.yaml │ │ │ ├── controllerplugin-clusterrolebinding.yaml │ │ │ ├── controllerplugin-role.yaml │ │ │ ├── controllerplugin-rolebinding.yaml │ │ │ ├── controllerplugin-rules-clusterrole.yaml │ │ │ ├── controllerplugin-service.yaml │ │ │ ├── controllerplugin-serviceaccount.yaml │ │ │ ├── controllerplugin-statefulset.yaml │ │ │ ├── csidriver.yaml │ │ │ ├── nodeplugin-clusterrole.yaml │ │ │ ├── nodeplugin-clusterrolebinding.yaml │ │ │ ├── nodeplugin-daemonset.yaml │ │ │ ├── nodeplugin-rules-clusterrole.yaml │ │ │ ├── nodeplugin-serviceaccount.yaml │ │ │ └── runtimeconfig-cm.yaml │ │ └── values.yaml │ └── patches │ │ ├── cluster-autoscaler │ │ └── 001-add-omt-to-clusterrole.patch │ │ └── openstack-manila-csi │ │ └── 001-add-ca-certificate-and-set-namespace.patch ├── clients.py ├── cmd │ ├── __init__.py │ ├── image_builder.py │ ├── image_loader.py │ └── proxy.py ├── conf.py ├── driver.py ├── exceptions.py ├── helm.py ├── image_utils.py ├── images.py ├── integrations │ ├── __init__.py │ ├── cinder.py │ ├── common.py │ └── manila.py ├── manifests │ ├── __init__.py │ ├── calico │ │ ├── v3.24.2.yaml │ │ ├── v3.25.2.yaml │ │ ├── v3.26.5.yaml │ │ ├── v3.27.4.yaml │ │ ├── v3.28.2.yaml │ │ ├── v3.29.0.yaml │ │ ├── v3.29.2.yaml │ │ ├── v3.29.3.yaml │ │ └── v3.30.0.yaml │ └── nfs-csi │ │ ├── csi-nfs-controller.yaml │ │ ├── csi-nfs-driverinfo.yaml │ │ ├── csi-nfs-node.yaml │ │ └── rbac-csi-nfs.yaml ├── monitor.py ├── objects.py ├── privsep │ ├── __init__.py │ └── haproxy.py ├── proxy │ ├── manager.py │ ├── structs.py │ ├── templates │ │ └── haproxy.cfg.j2 │ └── utils.py ├── resources.py ├── service.py ├── sync.py ├── tests │ ├── conftest.py │ ├── functional │ │ ├── __init__.py │ │ ├── conftest.py │ │ ├── fixtures.py │ │ ├── 
test_driver.py │ │ └── test_resources.py │ └── unit │ │ ├── cmd │ │ └── test_image_loader.py │ │ ├── conftest.py │ │ ├── test_driver.py │ │ ├── test_helm.py │ │ ├── test_image_utils.py │ │ ├── test_images.py │ │ ├── test_objects.py │ │ ├── test_resources.py │ │ ├── test_sync.py │ │ └── test_utils.py └── utils.py ├── mkdocs.yml ├── pyproject.toml ├── registry └── config.yml ├── renovate.json ├── setup.cfg ├── src ├── addons │ ├── cilium.rs │ ├── cinder_csi.rs │ ├── cloud_controller_manager.rs │ ├── csi.rs │ ├── manila_csi.rs │ └── mod.rs ├── client.rs ├── clients │ ├── kubernetes.rs │ └── mod.rs ├── cluster_api │ ├── clusterclasses.rs │ ├── clusterresourcesets.rs │ ├── clusters.rs │ ├── kubeadmconfigtemplates.rs │ ├── kubeadmcontrolplane.rs │ ├── kubeadmcontrolplanetemplates.rs │ ├── machines.rs │ ├── mod.rs │ ├── openstackclustertemplates.rs │ └── openstackmachinetemplates.rs ├── driver.rs ├── features │ ├── api_server_load_balancer.rs │ ├── audit_log.rs │ ├── boot_volume.rs │ ├── cluster_identity.rs │ ├── containerd_config.rs │ ├── control_plane_availability_zones.rs │ ├── disable_api_server_floating_ip.rs │ ├── external_network.rs │ ├── flavors.rs │ ├── image_repository.rs │ ├── images.rs │ ├── keystone_auth.rs │ ├── mod.rs │ ├── networks.rs │ ├── openid_connect.rs │ ├── operating_system.rs │ ├── server_groups.rs │ ├── ssh_key.rs │ ├── test.rs │ ├── tls.rs │ └── volumes.rs ├── lib.rs ├── magnum.rs ├── monitor.rs └── resources.rs ├── tests └── fixtures │ └── kube-apiserver.yaml ├── tools ├── sync-audit-policy ├── sync-k8s-image-builds └── sync-nfs-csi-manifests ├── tox.ini ├── uv.lock └── zuul.d ├── jobs.yaml ├── playbooks ├── functional │ └── pre.yml ├── tox │ └── pre.yml └── unit │ └── pre.yml └── project.yaml /.charts.yml: -------------------------------------------------------------------------------- 1 | charts: 2 | - name: cluster-autoscaler 3 | version: 9.29.1 4 | repository: 5 | url: https://kubernetes.github.io/autoscaler 6 | - name: cilium 7 | version: 
1.15.3 8 | repository: 9 | url: https://helm.cilium.io/ 10 | - name: openstack-cloud-controller-manager 11 | version: 2.32.0 12 | repository: 13 | url: https://kubernetes.github.io/cloud-provider-openstack 14 | - name: openstack-cinder-csi 15 | version: 2.32.0 16 | repository: 17 | url: https://kubernetes.github.io/cloud-provider-openstack 18 | - name: openstack-manila-csi 19 | version: 2.32.0 20 | repository: 21 | url: https://kubernetes.github.io/cloud-provider-openstack 22 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | .gitignore -------------------------------------------------------------------------------- /.earthlyignore: -------------------------------------------------------------------------------- 1 | .gitignore -------------------------------------------------------------------------------- /.envrc: -------------------------------------------------------------------------------- 1 | use flake 2 | -------------------------------------------------------------------------------- /.flake8: -------------------------------------------------------------------------------- 1 | [flake8] 2 | max-line-length = 120 3 | -------------------------------------------------------------------------------- /.github/workflows/docs.yml: -------------------------------------------------------------------------------- 1 | name: docs 2 | 3 | on: 4 | pull_request: 5 | push: 6 | branches: 7 | - main 8 | 9 | permissions: 10 | contents: write 11 | pull-requests: write 12 | 13 | jobs: 14 | build: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - name: Checkout project 18 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 19 | 20 | - name: Install Earthly 21 | uses: earthly/actions-setup@43211c7a0eae5344d6d79fb4aaf209c8f8866203 # v1.0.13 22 | with: 23 | github-token: ${{ secrets.GITHUB_TOKEN }} 24 | 25 | - name: Build image 26 | 
run: earthly --secret GITHUB_TOKEN +mkdocs-build 27 | env: 28 | EARTHLY_CI: true 29 | EARTHLY_PUSH: "${{ github.event_name == 'push' }}" 30 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 31 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: release 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | 8 | permissions: 9 | id-token: write 10 | contents: write 11 | pull-requests: write 12 | 13 | jobs: 14 | release-please: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - name: Checkout project 18 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 19 | 20 | - name: Run "release-please" 21 | uses: google-github-actions/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 # v3.7.13 22 | id: release 23 | with: 24 | release-type: python 25 | package-name: magnum-cluster-api 26 | 27 | - name: Checkout project 28 | if: ${{ steps.release.outputs.release_created }} 29 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 30 | 31 | - name: Build package (x86_64) 32 | if: ${{ steps.release.outputs.release_created }} 33 | uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1.49.1 34 | with: 35 | command: publish 36 | args: --non-interactive --skip-existing 37 | manylinux: '2_28' 38 | target: x86_64 39 | 40 | - name: Build package (aarch64) 41 | if: ${{ steps.release.outputs.release_created }} 42 | uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1.49.1 43 | with: 44 | command: publish 45 | args: --non-interactive --skip-existing 46 | manylinux: '2_28' 47 | target: aarch64 48 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .direnv 2 | .idea 3 | __pycache__ 4 | dist 5 | site 6 | *.orig 7 | *.rej 8 | .tox 9 | 
.stestr 10 | target 11 | *.so 12 | -------------------------------------------------------------------------------- /.markdownlint.rb: -------------------------------------------------------------------------------- 1 | all 2 | rule 'MD013', :ignore_code_blocks => true, :line_length => 500 3 | rule 'MD024', :allow_different_nesting => true 4 | -------------------------------------------------------------------------------- /.mdlrc: -------------------------------------------------------------------------------- 1 | style "#{File.dirname(__FILE__)}/.markdownlint.rb" 2 | rules '~MD002', '~MD012', '~MD041' 3 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | exclude: ^magnum_cluster_api/charts/ 2 | 3 | repos: 4 | - repo: https://github.com/psf/black 5 | rev: 25.1.0 6 | hooks: 7 | - id: black 8 | 9 | - repo: https://github.com/pycqa/flake8 10 | rev: 7.2.0 11 | hooks: 12 | - id: flake8 13 | 14 | - repo: https://github.com/pycqa/isort 15 | rev: 6.0.1 16 | hooks: 17 | - id: isort 18 | 19 | - repo: https://github.com/pre-commit/pre-commit-hooks 20 | rev: v5.0.0 21 | hooks: 22 | - id: check-yaml 23 | args: [--allow-multiple-documents] 24 | - id: end-of-file-fixer 25 | - id: trailing-whitespace 26 | 27 | - repo: local 28 | hooks: 29 | - id: ensure-calico-manifest 30 | name: ensure calico manifest exists for CALICO_TAG 31 | language: system 32 | files: ^magnum_cluster_api/resources.py$ 33 | entry: bash -c 34 | args: 35 | - | 36 | CALICO_TAG=$(grep ^CALICO_TAG magnum_cluster_api/resources.py | cut -d'"' -f2) 37 | curl -o magnum_cluster_api/manifests/calico/${CALICO_TAG}.yaml https://raw.githubusercontent.com/projectcalico/calico/${CALICO_TAG}/manifests/calico.yaml 38 | sed -i 's|docker.io/calico/|quay.io/calico/|g' magnum_cluster_api/manifests/calico/${CALICO_TAG}.yaml 39 | - id: replace-docker-io-calico 40 | name: replace docker.io to 
quay.io for calico 41 | language: system 42 | files: ^magnum_cluster_api/manifests/calico/.*\.yaml$ 43 | entry: sed -i 's|docker.io/calico/|quay.io/calico/|g' 44 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "magnum-cluster-api" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | [build-dependencies] 7 | glob = "0.3" 8 | syn = { version = "2.0.100", features = ["full", "parsing"] } 9 | quote = "1.0" 10 | proc-macro2 = "1.0" 11 | heck = "0.5" 12 | 13 | [dependencies] 14 | backon = "1.5.0" 15 | base64 = "0.22.1" 16 | cluster_feature_derive = { path = "crates/cluster_feature_derive" } 17 | docker-image = "0.2.1" 18 | futures = "0.3.31" 19 | helm = { path = "crates/helm" } 20 | ignition-config = "0.5.0" 21 | include_dir = "0.7.4" 22 | indoc = "2.0.5" 23 | inventory = "0.3.19" 24 | json-patch = "4.0.0" 25 | k8s-openapi = { version = "0.24.0", features = ["schemars", "latest"] } 26 | kube = { version = "0.99.0", features = ["runtime", "derive"] } 27 | log = "0.4.27" 28 | maplit = "1.0.2" 29 | pyo3-async-runtimes = { version = "0.25.0", features = ["tokio-runtime"] } 30 | pyo3-log = "0.12.1" 31 | pythonize = "0.25.0" 32 | schemars = "0.8.21" 33 | serde = "1.0.218" 34 | serde_json = "1.0.138" 35 | serde_plain = "1.0.2" 36 | serde_yaml = "0.9.34" 37 | thiserror = "2.0.11" 38 | tokio = { version = "1.43.0", features = ["macros", "rt-multi-thread"] } 39 | typed-builder = "0.21.0" 40 | 41 | [dependencies.pyo3] 42 | version = "0.25.0" 43 | features = ["abi3-py38", "serde"] 44 | 45 | [features] 46 | extension-module = ["pyo3/extension-module"] 47 | default = [] 48 | 49 | [dev-dependencies] 50 | gtmpl = "0.7.1" 51 | http = "1.3.1" 52 | mockall = "0.13.1" 53 | pretty_assertions = "1.4.1" 54 | rstest = "0.25.0" 55 | serde_gtmpl = { path = "crates/serde_gtmpl" } 56 | tower-test = "0.4.0" 57 | 58 | [workspace] 59 | members = 
["crates/cluster_feature_derive", "crates/helm", "crates/serde_gtmpl"] 60 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile:1.15 2 | 3 | FROM alpine:3.21 AS registry-base 4 | RUN apk add --no-cache docker-registry 5 | ADD registry/config.yml /etc/docker-registry/config.yml 6 | 7 | FROM registry-base AS registry-loader 8 | COPY --from=ghcr.io/astral-sh/uv:0.7.8 /uv /uvx /bin/ 9 | RUN apk add --no-cache cargo crane gcc linux-headers musl-dev netcat-openbsd py3-pip python3-dev 10 | COPY . /src 11 | WORKDIR /src 12 | RUN <> /run/kubeadm/kubeadm.yaml 14 | --- 15 | apiVersion: kubeproxy.config.k8s.io/v1alpha1 16 | kind: KubeProxyConfiguration 17 | metricsBindAddress: "0.0.0.0:10249" 18 | EOF 19 | -------------------------------------------------------------------------------- /devstack/override-defaults: -------------------------------------------------------------------------------- 1 | GLANCE_LIMIT_IMAGE_SIZE_TOTAL=10000 2 | KEYSTONE_ADMIN_ENDPOINT=true 3 | LIBVIRT_CPU_MODE=host-passthrough 4 | LIBVIRT_TYPE=kvm 5 | VOLUME_BACKING_FILE_SIZE=50G 6 | -------------------------------------------------------------------------------- /devstack/settings: -------------------------------------------------------------------------------- 1 | define_plugin magnum-cluster-api 2 | 3 | plugin_requires magnum-cluster-api barbican 4 | plugin_requires magnum-cluster-api magnum 5 | plugin_requires magnum-cluster-api manila 6 | plugin_requires magnum-cluster-api octavia 7 | 8 | # NOTE(mnaser): We can probably enable this again once the following merges 9 | # https://review.opendev.org/c/openstack/ovn-octavia-provider/+/942940 10 | # plugin_requires magnum-cluster-api ovn-octavia-provider 11 | 12 | enable_service magnum-cluster-api 13 | -------------------------------------------------------------------------------- /docs/SUMMARY.md: 
-------------------------------------------------------------------------------- 1 | - User Guide 2 | - [Getting Started](user/getting-started.md) 3 | - user/*.md 4 | - Administrator Guide 5 | - admin/*.md 6 | - Developer Guide 7 | - developer/*.md 8 | -------------------------------------------------------------------------------- /docs/developer/cluster-topology.md: -------------------------------------------------------------------------------- 1 | # Cluster Topology 2 | 3 | The Cluster API driver for Magnum makes use of the Cluster topology feature of the Cluster API project. This allows it to delegate all of the work around building resources such as the `OpenStackCluster`, `MachineDeployments` and everything else managed entire by the Cluster API instead of the driver creating all of these resources. 4 | 5 | In order to do this, the driver creates a [`ClusterClass`](https://cluster-api.sigs.k8s.io/tasks/experimental-features/cluster-class/write-clusterclass) resource which is called `magnum-v{VERSION}` where `{VERSION}` is the current version of the driver because of the following reasons: 6 | 7 | - This allows us to have multiple different versions of the `ClusterClass` because it is an immutable resource. 8 | - This prevents causing a rollout of existing clusters should a change happen to the underlying `ClusterClass`. 9 | 10 | It's important to note that there are only _one_ scenarios where the `spec.topology.class` for a given `Cluster` will be modified and this will be when a cluster upgrade is done. This is because there is an expectation by the user that a rolling restart operation will occur if a cluster upgrade is requested. No other action should be allowed to change the `spec.topology.class` of a `Cluster`. 
For users, it's important to keep in mind that if they want to use a newer `ClusterClass` in order to make use of a feature that is only available in that newer `ClusterClass`, they can simply do an upgrade within Magnum to the same cluster template: this forces an update of the `spec.topology.class`, which may then cause a full rollout of the cluster to occur.
https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/docs/static/user/getting-started/cluster-create-network.png -------------------------------------------------------------------------------- /docs/static/user/getting-started/cluster-create-size.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/docs/static/user/getting-started/cluster-create-size.png -------------------------------------------------------------------------------- /docs/static/user/getting-started/cluster-created-show.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/docs/static/user/getting-started/cluster-created-show.png -------------------------------------------------------------------------------- /docs/static/user/getting-started/cluster-list-create.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/docs/static/user/getting-started/cluster-list-create.png -------------------------------------------------------------------------------- /docs/static/user/getting-started/cluster-postcreate-list.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/docs/static/user/getting-started/cluster-postcreate-list.png -------------------------------------------------------------------------------- /docs/static/user/getting-started/cluster-postcreate-show.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/docs/static/user/getting-started/cluster-postcreate-show.png -------------------------------------------------------------------------------- /docs/static/user/getting-started/cluster-template-list.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/docs/static/user/getting-started/cluster-template-list.png -------------------------------------------------------------------------------- /docs/user/images.md: -------------------------------------------------------------------------------- 1 | # Images 2 | 3 | ## Operating System Images 4 | 5 | The Cluster API driver for Magnum relies on specific OpenStack images containing 6 | all necessary dependencies for deploying Kubernetes clusters. These images are 7 | pre-configured with Kubernetes binaries, container runtimes, networking 8 | components, and other required software. 9 | 10 | The images used by the Cluster API driver for Magnum are built using the 11 | [`kubernetes-sigs/image-builder`](https://github.com/kubernetes-sigs/image-builder) 12 | project. This project provides a comprehensive and flexible framework for 13 | constructing Kubernetes-specific images. 14 | 15 | ### Building Images 16 | 17 | In order to simplify the process of building images, the Cluster API driver for 18 | Magnum provides a small Python utility which wraps the `image-builder` project. 19 | 20 | To build the images, run the following command: 21 | 22 | ```console 23 | $ pip install magnum-cluster-api 24 | $ magnum-cluster-api-image-builder --version v1.26.2 25 | ``` 26 | 27 | In the example above, this command will build the images for Kubernetes version 28 | `v1.26.2`. The `--version` flag is optional and defaults to `v1.26.2`. 
29 | -------------------------------------------------------------------------------- /flake.lock: -------------------------------------------------------------------------------- 1 | { 2 | "nodes": { 3 | "flake-utils": { 4 | "inputs": { 5 | "systems": "systems" 6 | }, 7 | "locked": { 8 | "lastModified": 1731533236, 9 | "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", 10 | "owner": "numtide", 11 | "repo": "flake-utils", 12 | "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", 13 | "type": "github" 14 | }, 15 | "original": { 16 | "owner": "numtide", 17 | "repo": "flake-utils", 18 | "type": "github" 19 | } 20 | }, 21 | "nixpkgs": { 22 | "locked": { 23 | "lastModified": 1742237028, 24 | "narHash": "sha256-xlpHmgBxUnvHo8FNnju0sgnEyasb4gC607b+keqjmX8=", 25 | "owner": "NixOS", 26 | "repo": "nixpkgs", 27 | "rev": "9bc8a90931262245919a26f995c1f24c6c70d3fe", 28 | "type": "github" 29 | }, 30 | "original": { 31 | "owner": "NixOS", 32 | "ref": "nixpkgs-unstable", 33 | "repo": "nixpkgs", 34 | "type": "github" 35 | } 36 | }, 37 | "root": { 38 | "inputs": { 39 | "flake-utils": "flake-utils", 40 | "nixpkgs": "nixpkgs" 41 | } 42 | }, 43 | "systems": { 44 | "locked": { 45 | "lastModified": 1681028828, 46 | "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 47 | "owner": "nix-systems", 48 | "repo": "default", 49 | "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 50 | "type": "github" 51 | }, 52 | "original": { 53 | "owner": "nix-systems", 54 | "repo": "default", 55 | "type": "github" 56 | } 57 | } 58 | }, 59 | "root": "root", 60 | "version": 7 61 | } 62 | -------------------------------------------------------------------------------- /flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | inputs = { 3 | nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; 4 | flake-utils.url = "github:numtide/flake-utils"; 5 | }; 6 | 7 | outputs = { self, nixpkgs, flake-utils }: 8 | flake-utils.lib.eachDefaultSystem 9 
| (system: 10 | let 11 | pkgs = import nixpkgs { 12 | inherit system; 13 | }; 14 | 15 | python = pkgs.python312; 16 | in 17 | { 18 | devShell = pkgs.mkShell 19 | { 20 | LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib"; 21 | PYO3_PYTHON = "${python}/bin/python"; 22 | RUST_SRC_PATH = "${pkgs.rust.packages.stable.rustPlatform.rustLibSrc}"; 23 | 24 | buildInputs = with pkgs; [ 25 | bashInteractive 26 | black 27 | cargo 28 | clippy 29 | glibcLocales 30 | kind 31 | kubernetes-helm 32 | patchutils 33 | pre-commit 34 | python.pkgs.tox 35 | python.pkgs.uv 36 | renovate 37 | rust-analyzer 38 | rustc 39 | rustfmt 40 | ]; 41 | }; 42 | } 43 | ); 44 | } 45 | -------------------------------------------------------------------------------- /hack/setup-docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -xe 2 | 3 | # Copyright (c) 2024 VEXXHOST, Inc. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 6 | # not use this file except in compliance with the License. You may obtain 7 | # a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 13 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 14 | # License for the specific language governing permissions and limitations 15 | # under the License. 16 | 17 | # Install Docker with the upstream convenience script. It is fetched over HTTPS but not checksum- or signature-verified before being run with sudo, and adding $USER to the "docker" group is root-equivalent on this host. 18 | curl -fsSL https://get.docker.com -o /tmp/get-docker.sh 19 | sudo sh /tmp/get-docker.sh 20 | sudo usermod -aG docker $USER 21 | 22 | # Docker rewrites the host firewall rules. The rule below inserts an unconditional ACCEPT at the head of the DOCKER-USER chain, so host-level filtering no longer applies to forwarded container traffic; suitable only for a disposable dev/CI host. 23 | sudo iptables -I DOCKER-USER -j ACCEPT 24 | -------------------------------------------------------------------------------- /hack/setup-helm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -xe 2 | 3 | # Copyright (c) 2024 VEXXHOST, Inc. 
4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 6 | # not use this file except in compliance with the License. You may obtain 7 | # a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 13 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 14 | # License for the specific language governing permissions and limitations 15 | # under the License. 16 | 17 | # Version to install (override via HELM_VERSION) 18 | HELM_VERSION=${HELM_VERSION:-v3.10.3} 19 | 20 | # Install the `helm` CLI from the official release tarball. The archive is not verified against its published checksum before being moved into /usr/local/bin, and curl is run without -f, so an HTTP error response would be saved as the tarball and only fail once tar runs. 21 | curl -Lo /tmp/helm.tar.gz "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" 22 | tar -zxvf /tmp/helm.tar.gz -C /tmp 23 | sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm 24 | rm -rf /tmp/helm.tar.gz /tmp/linux-amd64/ 25 | -------------------------------------------------------------------------------- /hack/setup-kind.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -xe 2 | 3 | # Copyright (c) 2024 VEXXHOST, Inc. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 6 | # not use this file except in compliance with the License. You may obtain 7 | # a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 13 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 14 | # License for the specific language governing permissions and limitations 15 | # under the License. 
16 | 17 | # Versions to test 18 | KIND_VERSION=${KIND_VERSION:-v0.16.0} 19 | 20 | # Install `kind` CLI 21 | sudo curl -Lo /usr/local/bin/kind https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-amd64 22 | sudo chmod +x /usr/local/bin/kind 23 | 24 | # Create a `kind` cluster inside "docker" group 25 | newgrp docker < /dev/null 18 | } 19 | 20 | # wait for SPIRE server to be reachable till $TIMEOUT is reached 21 | start_time=$(date +%s) 22 | while true; do 23 | if call_tcp_endpoint_with_timeout "$ADDR" "$CONN_TIMEOUT"; then 24 | echo "SPIRE server is reachable" 25 | break 26 | fi 27 | 28 | if [ $(( $(date +%s) - start_time )) -gt "$TIMEOUT" ]; then 29 | echo "Timed out waiting for spire server to be reachable" 30 | exit 1 31 | fi 32 | 33 | echo "Waiting for spire server to be reachable" 34 | sleep 1 35 | done 36 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/requirements.lock: -------------------------------------------------------------------------------- 1 | dependencies: [] 2 | digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726 3 | generated: "0001-01-01T00:00:00Z" 4 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if (and (.Values.preflight.enabled) (not (.Values.agent)) (not (.Values.operator.enabled))) }} 2 | You have successfully ran the preflight check. 3 | Now make sure to check the number of READY pods is the same as the number of running cilium pods. 4 | Then make sure the cilium preflight deployment is also marked READY 1/1. 5 | If you have an issues please refer to the CNP Validation section in the upgrade guide. 
6 | {{- else if (and (.Values.hubble.enabled) (.Values.hubble.relay.enabled)) }} 7 | {{- if (.Values.hubble.ui.enabled) }} 8 | You have successfully installed {{ title .Chart.Name }} with Hubble Relay and Hubble UI. 9 | {{- else }} 10 | You have successfully installed {{ title .Chart.Name }} with Hubble Relay. 11 | {{- end }} 12 | {{- else if .Values.hubble.enabled }} 13 | You have successfully installed {{ title .Chart.Name }} with Hubble. 14 | {{- else if (and (.Values.hubble.ui.enabled) (.Values.hubble.ui.standalone.enabled)) }} 15 | You have successfully installed {{ title .Chart.Name }} with standalone Hubble UI. 16 | {{- else }} 17 | You have successfully installed {{ title .Chart.Name }}. 18 | {{- end }} 19 | 20 | Your release version is {{ .Chart.Version }}. 21 | 22 | For any further help, visit https://docs.cilium.io/en/v{{ (semver .Chart.Version).Major }}.{{ (semver .Chart.Version).Minor }}/gettinghelp 23 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: cilium 6 | {{- with .Values.annotations }} 7 | annotations: 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: cilium 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.cilium.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-agent/dashboards-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.dashboards.enabled }} 2 | {{- $files := .Files.Glob "files/cilium-agent/dashboards/*.json" }} 3 | {{- range $path, $fileContents := $files }} 4 | {{- $dashboardName := regexReplaceAll "(^.*/)(.*)\\.json$" $path "${2}" }} 5 | --- 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: {{ $dashboardName | trunc 63 | trimSuffix "-" }} 10 | namespace: {{ $.Values.dashboards.namespace | default $.Release.Namespace }} 11 | labels: 12 | k8s-app: cilium 13 | app.kubernetes.io/name: cilium-agent 14 | app.kubernetes.io/part-of: cilium 15 | {{- if $.Values.dashboards.label }} 16 | {{ $.Values.dashboards.label }}: {{ ternary $.Values.dashboards.labelValue "1" (not (empty $.Values.dashboards.labelValue)) | quote }} 17 | {{- end }} 18 | {{- if or $.Values.dashboards.annotations $.Values.annotations }} 19 | annotations: 20 | {{- with $.Values.dashboards.annotations }} 21 | {{- toYaml . | nindent 4 }} 22 | {{- end }} 23 | {{- with $.Values.annotations }} 24 | {{- toYaml . 
| nindent 4 }} 25 | {{- end }} 26 | {{- end }} 27 | data: 28 | {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }} 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-agent/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.cilium.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.cilium.annotations .Values.annotations }} 8 | annotations: 9 | {{- with .Values.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.cilium.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-ca-bundle-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.tls.caBundle.enabled .Values.tls.caBundle.content -}} 2 | --- 3 | apiVersion: v1 4 | kind: {{ .Values.tls.caBundle.useSecret | ternary "Secret" "ConfigMap" }} 5 | metadata: 6 | name: {{ .Values.tls.caBundle.name }} 7 | namespace: {{ .Release.Namespace }} 8 | {{ .Values.tls.caBundle.useSecret | ternary "stringData" "data" }}: 9 | {{ .Values.tls.caBundle.key }}: | 10 | {{- .Values.tls.caBundle.content | nindent 4 }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-ca-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if or 2 | (and (or .Values.externalWorkloads.enabled 
.Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm")) 3 | (and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm")) 4 | (and .Values.tls.ca.key .Values.tls.ca.cert) 5 | -}} 6 | 7 | {{- $_ := include "cilium.ca.setup" . -}} 8 | --- 9 | apiVersion: v1 10 | kind: Secret 11 | metadata: 12 | name: {{ .commonCASecretName }} 13 | namespace: {{ .Release.Namespace }} 14 | data: 15 | ca.crt: {{ .commonCA.Cert | b64enc }} 16 | ca.key: {{ .commonCA.Key | b64enc }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-envoy/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.envoy.enabled (not .Values.preflight.enabled) }} 2 | 3 | --- 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: cilium-envoy-config 8 | namespace: {{ .Release.Namespace }} 9 | {{- with .Values.envoy.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | data: 14 | {{- (tpl (.Files.Glob "files/cilium-envoy/configmap/bootstrap-config.json").AsConfig .) 
| nindent 2 }} 15 | 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-envoy/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.envoy.enabled (not .Values.preflight.enabled) .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: cilium-envoy 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or (not .Values.envoy.prometheus.serviceMonitor.enabled) .Values.envoy.annotations }} 8 | annotations: 9 | {{- if not .Values.envoy.prometheus.serviceMonitor.enabled }} 10 | prometheus.io/scrape: "true" 11 | prometheus.io/port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port | quote }} 12 | {{- end }} 13 | {{- with .Values.envoy.annotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- end }} 17 | labels: 18 | k8s-app: cilium-envoy 19 | app.kubernetes.io/name: cilium-envoy 20 | app.kubernetes.io/part-of: cilium 21 | io.cilium/app: proxy 22 | spec: 23 | clusterIP: None 24 | type: ClusterIP 25 | selector: 26 | k8s-app: cilium-envoy 27 | ports: 28 | - name: envoy-metrics 29 | port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }} 30 | protocol: TCP 31 | targetPort: envoy-metrics 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-envoy/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.envoy.enabled (not .Values.preflight.enabled) .Values.serviceAccounts.envoy.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.envoy.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.envoy.annotations .Values.envoy.annotations 
}} 8 | annotations: 9 | {{- with .Values.envoy.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.envoy.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-envoy/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.envoy.enabled (not .Values.preflight.enabled) .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled .Values.envoy.prometheus.serviceMonitor.enabled }} 2 | --- 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | name: cilium-envoy 7 | namespace: {{ .Values.envoy.prometheus.serviceMonitor.namespace | default .Release.Namespace }} 8 | labels: 9 | app.kubernetes.io/part-of: cilium 10 | app.kubernetes.io/name: cilium-envoy 11 | {{- with .Values.envoy.prometheus.serviceMonitor.labels }} 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | {{- if or .Values.envoy.prometheus.serviceMonitor.annotations .Values.envoy.annotations }} 15 | annotations: 16 | {{- with .Values.envoy.annotations }} 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | {{- with .Values.envoy.prometheus.serviceMonitor.annotations }} 20 | {{- toYaml . | nindent 4 }} 21 | {{- end }} 22 | {{- end }} 23 | spec: 24 | selector: 25 | matchLabels: 26 | k8s-app: cilium-envoy 27 | namespaceSelector: 28 | matchNames: 29 | - {{ .Release.Namespace }} 30 | endpoints: 31 | - port: envoy-metrics 32 | interval: {{ .Values.envoy.prometheus.serviceMonitor.interval | quote }} 33 | honorLabels: true 34 | path: /metrics 35 | {{- with .Values.envoy.prometheus.serviceMonitor.relabelings }} 36 | relabelings: 37 | {{- toYaml . | nindent 4 }} 38 | {{- end }} 39 | {{- with .Values.envoy.prometheus.serviceMonitor.metricRelabelings }} 40 | metricRelabelings: 41 | {{- toYaml . 
| nindent 4 }} 42 | {{- end }} 43 | targetLabels: 44 | - k8s-app 45 | {{- end }} 46 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-flowlog-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.export.dynamic.enabled .Values.hubble.export.dynamic.config.createConfigMap }} 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: {{ .Values.hubble.export.dynamic.config.configMapName }} 7 | namespace: {{ .Release.Namespace }} 8 | data: 9 | flowlogs.yaml: | 10 | flowLogs: 11 | {{ .Values.hubble.export.dynamic.config.content | toYaml | indent 4 }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-gateway-api-class.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gatewayAPI.enabled -}} 2 | {{- if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1/GatewayClass" }} 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: GatewayClass 5 | metadata: 6 | name: cilium 7 | spec: 8 | controllerName: io.cilium/gateway-controller 9 | {{- end}} 10 | {{- end}} 11 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-ingress-class.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingressController.enabled -}} 2 | apiVersion: networking.k8s.io/v1 3 | kind: IngressClass 4 | metadata: 5 | name: cilium 6 | {{- if .Values.ingressController.default }} 7 | annotations: 8 | ingressclass.kubernetes.io/is-default-class: "true" 9 | {{- end}} 10 | spec: 11 | controller: cilium.io/ingress-controller 12 | {{- end}} 13 | -------------------------------------------------------------------------------- 
/magnum_cluster_api/charts/cilium/templates/cilium-nodeinit/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.nodeinit.enabled .Values.serviceAccounts.nodeinit.enabled .Values.serviceAccounts.nodeinit.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.nodeinit.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.nodeinit.annotations .Values.nodeinit.annotations }} 8 | annotations: 9 | {{- with .Values.nodeinit.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.nodeinit.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-operator/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "cilium.operator.cloud" -}} 2 | {{- $cloud := "generic" -}} 3 | {{- if .Values.eni.enabled -}} 4 | {{- $cloud = "aws" -}} 5 | {{- else if .Values.azure.enabled -}} 6 | {{- $cloud = "azure" -}} 7 | {{- else if .Values.alibabacloud.enabled -}} 8 | {{- $cloud = "alibabacloud" -}} 9 | {{- end -}} 10 | {{- $cloud -}} 11 | {{- end -}} 12 | 13 | {{- define "cilium.operator.imageDigestName" -}} 14 | {{- $imageDigest := (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.genericDigest) "" -}} 15 | {{- if .Values.eni.enabled -}} 16 | {{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.awsDigest) "" -}} 17 | {{- else if .Values.azure.enabled -}} 18 | {{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.azureDigest) "" -}} 19 | {{- else if .Values.alibabacloud.enabled -}} 20 | 
{{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.alibabacloudDigest) "" -}} 21 | {{- end -}} 22 | {{- $imageDigest -}} 23 | {{- end -}} 24 | 25 | {{/* 26 | Return cilium operator image 27 | */}} 28 | {{- define "cilium.operator.image" -}} 29 | {{- if .Values.operator.image.override -}} 30 | {{- printf "%s" .Values.operator.image.override -}} 31 | {{- else -}} 32 | {{- $cloud := include "cilium.operator.cloud" . }} 33 | {{- $imageDigest := include "cilium.operator.imageDigestName" . }} 34 | {{- printf "%s-%s%s:%s%s" .Values.operator.image.repository $cloud .Values.operator.image.suffix .Values.operator.image.tag $imageDigest -}} 35 | {{- end -}} 36 | {{- end -}} 37 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: cilium-operator 6 | {{- with .Values.operator.annotations }} 7 | annotations: 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: cilium-operator 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.operator.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-operator/dashboards-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.operator.dashboards.enabled }} 2 | {{- $files := .Files.Glob "files/cilium-operator/dashboards/*.json" }} 3 | {{- range $path, $fileContents := $files }} 4 | {{- $dashboardName := regexReplaceAll "(^.*/)(.*)\\.json$" $path "${2}" }} 5 | --- 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: {{ $dashboardName | trunc 63 | trimSuffix "-" }} 10 | namespace: {{ $.Values.operator.dashboards.namespace | default $.Release.Namespace }} 11 | labels: 12 | k8s-app: cilium 13 | app.kubernetes.io/name: cilium-operator 14 | app.kubernetes.io/part-of: cilium 15 | {{- if $.Values.operator.dashboards.label }} 16 | {{ $.Values.operator.dashboards.label }}: {{ ternary $.Values.operator.dashboards.labelValue "1" (not (empty $.Values.operator.dashboards.labelValue)) | quote }} 17 | {{- end }} 18 | {{- if or $.Values.operator.dashboards.annotations $.Values.operator.annotations }} 19 | annotations: 20 | {{- with $.Values.operator.dashboards.annotations }} 21 | {{- toYaml . | nindent 4 }} 22 | {{- end }} 23 | {{- with $.Values.operator.annotations }} 24 | {{- toYaml . 
| nindent 4 }} 25 | {{- end }} 26 | {{- end }} 27 | data: 28 | {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }} 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.operator.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.operator.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: cilium-operator 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.operator.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | io.cilium/app: operator 14 | name: cilium-operator 15 | app.kubernetes.io/name: cilium-operator 16 | app.kubernetes.io/part-of: cilium 17 | spec: 18 | {{- with $component.maxUnavailable }} 19 | maxUnavailable: {{ . }} 20 | {{- end }} 21 | {{- with $component.minAvailable }} 22 | minAvailable: {{ . 
}} 23 | {{- end }} 24 | selector: 25 | matchLabels: 26 | io.cilium/app: operator 27 | name: cilium-operator 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-operator/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create .Values.ingressController.enabled .Values.ingressController.secretsNamespace.sync .Values.ingressController.secretsNamespace.name }} 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: Role 5 | metadata: 6 | name: cilium-operator-ingress-secrets 7 | namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} 8 | {{- with .Values.operator.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | app.kubernetes.io/part-of: cilium 14 | rules: 15 | - apiGroups: 16 | - "" 17 | resources: 18 | - secrets 19 | verbs: 20 | - create 21 | - delete 22 | - update 23 | - patch 24 | {{- end }} 25 | 26 | {{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.sync .Values.gatewayAPI.secretsNamespace.name }} 27 | --- 28 | apiVersion: rbac.authorization.k8s.io/v1 29 | kind: Role 30 | metadata: 31 | name: cilium-operator-gateway-secrets 32 | namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }} 33 | {{- with .Values.operator.annotations }} 34 | annotations: 35 | {{- toYaml . 
| nindent 4 }} 36 | {{- end }} 37 | labels: 38 | app.kubernetes.io/part-of: cilium 39 | rules: 40 | - apiGroups: 41 | - "" 42 | resources: 43 | - secrets 44 | verbs: 45 | - create 46 | - delete 47 | - update 48 | - patch 49 | {{- end }} 50 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-operator/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.operator.enabled }} 2 | {{- if .Values.azure.enabled }} 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: cilium-azure 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.operator.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | type: Opaque 13 | data: 14 | AZURE_CLIENT_ID: {{ default "" .Values.azure.clientID | b64enc | quote }} 15 | AZURE_CLIENT_SECRET: {{ default "" .Values.azure.clientSecret | b64enc | quote }} 16 | {{- end }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-operator/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.operator.prometheus.enabled .Values.operator.prometheus.serviceMonitor.enabled }} 2 | kind: Service 3 | apiVersion: v1 4 | metadata: 5 | name: cilium-operator 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.operator.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | labels: 12 | io.cilium/app: operator 13 | name: cilium-operator 14 | app.kubernetes.io/part-of: cilium 15 | app.kubernetes.io/name: cilium-operator 16 | spec: 17 | clusterIP: None 18 | type: ClusterIP 19 | ports: 20 | - name: metrics 21 | port: 9963 22 | protocol: TCP 23 | targetPort: prometheus 24 | selector: 25 | io.cilium/app: operator 26 | name: cilium-operator 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-operator/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create }} 2 | {{- if and .Values.eni.enabled .Values.eni.iamRole }} 3 | {{ $_ := set .Values.serviceAccounts.operator.annotations "eks.amazonaws.com/role-arn" .Values.eni.iamRole }} 4 | {{- end}} 5 | --- 6 | apiVersion: v1 7 | kind: ServiceAccount 8 | metadata: 9 | name: {{ .Values.serviceAccounts.operator.name | quote }} 10 | namespace: {{ .Release.Namespace }} 11 | {{- if or .Values.serviceAccounts.operator.annotations .Values.operator.annotations }} 12 | annotations: 13 | {{- with .Values.operator.annotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- with .Values.serviceAccounts.operator.annotations }} 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | {{- end }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.preflight.enabled .Values.serviceAccounts.preflight.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: cilium-pre-flight 6 | {{- with .Values.preflight.annotations }} 7 | annotations: 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: cilium-pre-flight 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.preflight.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.preflight.enabled .Values.preflight.validateCNPs .Values.preflight.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.preflight.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: cilium-pre-flight-check 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.preflight.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | k8s-app: cilium-pre-flight-check-deployment 14 | app.kubernetes.io/part-of: cilium 15 | app.kubernetes.io/name: cilium-pre-flight-check 16 | kubernetes.io/cluster-service: "true" 17 | spec: 18 | {{- with $component.maxUnavailable }} 19 | maxUnavailable: {{ . }} 20 | {{- end }} 21 | {{- with $component.minAvailable }} 22 | minAvailable: {{ . 
}} 23 | {{- end }} 24 | selector: 25 | matchLabels: 26 | k8s-app: cilium-pre-flight-check-deployment 27 | kubernetes.io/cluster-service: "true" 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-preflight/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.preflight.enabled .Values.serviceAccounts.preflight.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.preflight.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.preflight.annotations .Values.preflight.annotations }} 8 | annotations: 9 | {{- with .Values.preflight.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.preflight.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-resource-quota.yaml: -------------------------------------------------------------------------------- 1 | {{- if or .Values.resourceQuotas.enabled (and (ne .Release.Namespace "kube-system") .Values.gke.enabled) }} 2 | {{- if .Values.agent }} 3 | apiVersion: v1 4 | kind: ResourceQuota 5 | metadata: 6 | name: cilium-resource-quota 7 | namespace: {{ .Release.Namespace }} 8 | spec: 9 | hard: 10 | pods: {{ .Values.resourceQuotas.cilium.hard.pods | quote }} 11 | scopeSelector: 12 | matchExpressions: 13 | - operator: In 14 | scopeName: PriorityClass 15 | values: 16 | - system-node-critical 17 | {{- end }} 18 | {{- if .Values.operator.enabled }} 19 | --- 20 | apiVersion: v1 21 | kind: ResourceQuota 22 | metadata: 23 | name: cilium-operator-resource-quota 24 | namespace: {{ .Release.Namespace }} 25 | spec: 26 | hard: 27 | pods: {{ 
.Values.resourceQuotas.operator.hard.pods | quote }} 28 | scopeSelector: 29 | matchExpressions: 30 | - operator: In 31 | scopeName: PriorityClass 32 | values: 33 | - system-cluster-critical 34 | {{- end }} 35 | {{- end }} 36 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/cilium-secrets-namespace.yaml: -------------------------------------------------------------------------------- 1 | {{- $secretNamespaces := dict -}} 2 | {{- range $cfg := tuple .Values.ingressController .Values.gatewayAPI .Values.envoyConfig .Values.bgpControlPlane -}} 3 | {{- if and $cfg.enabled $cfg.secretsNamespace.create $cfg.secretsNamespace.name -}} 4 | {{- $_ := set $secretNamespaces $cfg.secretsNamespace.name 1 -}} 5 | {{- end -}} 6 | {{- end -}} 7 | 8 | {{- range $name, $_ := $secretNamespaces }} 9 | --- 10 | apiVersion: v1 11 | kind: Namespace 12 | metadata: 13 | name: {{ $name | quote }} 14 | {{- end}} 15 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "clustermesh-apiserver-generate-certs.admin-common-name" -}} 2 | admin-{{ .Values.cluster.name }} 3 | {{- end -}} 4 | 5 | {{- define "clustermesh-apiserver-generate-certs.remote-common-name" -}} 6 | {{- if eq .Values.clustermesh.apiserver.tls.authMode "cluster" -}} 7 | remote-{{ .Values.cluster.name }} 8 | {{- else -}} 9 | remote 10 | {{- end -}} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.serviceAccounts.clustermeshApiserver.create }} 2 | 
apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: clustermesh-apiserver 6 | labels: 7 | app.kubernetes.io/part-of: cilium 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | rules: 13 | - apiGroups: 14 | - cilium.io 15 | resources: 16 | - ciliumnodes 17 | - ciliumendpoints 18 | - ciliumidentities 19 | verbs: 20 | - create 21 | - apiGroups: 22 | - cilium.io 23 | resources: 24 | - ciliumexternalworkloads/status 25 | - ciliumnodes 26 | - ciliumidentities 27 | verbs: 28 | - update 29 | - apiGroups: 30 | - cilium.io 31 | resources: 32 | - ciliumendpoints 33 | - ciliumendpoints/status 34 | verbs: 35 | - patch 36 | - apiGroups: 37 | - cilium.io 38 | resources: 39 | - ciliumidentities 40 | - ciliumexternalworkloads 41 | - ciliumendpoints 42 | - ciliumnodes 43 | verbs: 44 | - get 45 | - list 46 | - watch 47 | - apiGroups: 48 | - apiextensions.k8s.io 49 | resources: 50 | - customresourcedefinitions 51 | verbs: 52 | - list 53 | - watch 54 | - apiGroups: 55 | - "" 56 | resources: 57 | - endpoints 58 | - namespaces 59 | - services 60 | verbs: 61 | - get 62 | - list 63 | - watch 64 | - apiGroups: 65 | - discovery.k8s.io 66 | resources: 67 | - endpointslices 68 | verbs: 69 | - get 70 | - list 71 | - watch 72 | {{- end }} 73 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.serviceAccounts.clustermeshApiserver.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: clustermesh-apiserver 6 | labels: 7 | app.kubernetes.io/part-of: cilium 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: clustermesh-apiserver 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml: -------------------------------------------------------------------------------- 1 | {{- $kvstoreMetricsEnabled := and .Values.clustermesh.apiserver.kvstoremesh.enabled .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled -}} 2 | {{- if and 3 | (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) 4 | (or .Values.clustermesh.apiserver.metrics.enabled $kvstoreMetricsEnabled .Values.clustermesh.apiserver.metrics.etcd.enabled) }} 5 | apiVersion: v1 6 | kind: Service 7 | metadata: 8 | name: clustermesh-apiserver-metrics 9 | namespace: {{ .Release.Namespace }} 10 | {{- with .Values.clustermesh.annotations }} 11 | annotations: 12 | {{- toYaml . 
| nindent 4 }} 13 | {{- end }} 14 | labels: 15 | k8s-app: clustermesh-apiserver 16 | app.kubernetes.io/part-of: cilium 17 | app.kubernetes.io/name: clustermesh-apiserver 18 | app.kubernetes.io/component: metrics 19 | spec: 20 | clusterIP: None 21 | type: ClusterIP 22 | ports: 23 | {{- if .Values.clustermesh.apiserver.metrics.enabled }} 24 | - name: apiserv-metrics 25 | port: {{ .Values.clustermesh.apiserver.metrics.port }} 26 | protocol: TCP 27 | targetPort: apiserv-metrics 28 | {{- end }} 29 | {{- if $kvstoreMetricsEnabled }} 30 | - name: kvmesh-metrics 31 | port: {{ .Values.clustermesh.apiserver.metrics.kvstoremesh.port }} 32 | protocol: TCP 33 | targetPort: kvmesh-metrics 34 | {{- end }} 35 | {{- if .Values.clustermesh.apiserver.metrics.etcd.enabled }} 36 | - name: etcd-metrics 37 | port: {{ .Values.clustermesh.apiserver.metrics.etcd.port }} 38 | protocol: TCP 39 | targetPort: etcd-metrics 40 | {{- end }} 41 | selector: 42 | k8s-app: clustermesh-apiserver 43 | {{- end }} 44 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.clustermesh.apiserver.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: clustermesh-apiserver 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | k8s-app: clustermesh-apiserver 14 | app.kubernetes.io/part-of: cilium 15 | app.kubernetes.io/name: clustermesh-apiserver 16 | spec: 17 | {{- with $component.maxUnavailable }} 18 | maxUnavailable: {{ . 
}} 19 | {{- end }} 20 | {{- with $component.minAvailable }} 21 | minAvailable: {{ . }} 22 | {{- end }} 23 | selector: 24 | matchLabels: 25 | k8s-app: clustermesh-apiserver 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.serviceAccounts.clustermeshApiserver.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.clustermeshApiserver.annotations .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- with .Values.clustermesh.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.clustermeshApiserver.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: clustermesh-apiserver-admin-cert 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | spec: 13 | issuerRef: 14 | {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} 15 | secretName: clustermesh-apiserver-admin-cert 16 | commonName: {{ include "clustermesh-apiserver-generate-certs.admin-common-name" . }} 17 | dnsNames: 18 | - localhost 19 | duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.externalWorkloads.enabled .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: clustermesh-apiserver-client-cert 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | spec: 13 | issuerRef: 14 | {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} 15 | secretName: clustermesh-apiserver-client-cert 16 | commonName: externalworkload 17 | duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: clustermesh-apiserver-remote-cert 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | spec: 13 | issuerRef: 14 | {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} 15 | secretName: clustermesh-apiserver-remote-cert 16 | commonName: {{ include "clustermesh-apiserver-generate-certs.remote-common-name" . 
}} 17 | duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: clustermesh-apiserver-server-cert 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | spec: 13 | issuerRef: 14 | {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} 15 | secretName: clustermesh-apiserver-server-cert 16 | commonName: clustermesh-apiserver.cilium.io 17 | dnsNames: 18 | - clustermesh-apiserver.cilium.io 19 | - "*.mesh.cilium.io" 20 | - "clustermesh-apiserver.{{ .Release.Namespace }}.svc" 21 | {{- range $dns := .Values.clustermesh.apiserver.tls.server.extraDnsNames }} 22 | - {{ $dns | quote }} 23 | {{- end }} 24 | ipAddresses: 25 | - "127.0.0.1" 26 | - "::1" 27 | {{- range $ip := .Values.clustermesh.apiserver.tls.server.extraIpAddresses }} 28 | - {{ $ip | quote }} 29 | {{- end }} 30 | duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) 
.Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.clustermesh.apiserver.tls.auto.schedule }} 2 | apiVersion: {{ include "cronjob.apiVersion" . }} 3 | kind: CronJob 4 | metadata: 5 | name: clustermesh-apiserver-generate-certs 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | k8s-app: clustermesh-apiserver-generate-certs 13 | app.kubernetes.io/part-of: cilium 14 | spec: 15 | schedule: {{ .Values.clustermesh.apiserver.tls.auto.schedule | quote }} 16 | concurrencyPolicy: Forbid 17 | jobTemplate: 18 | {{- include "clustermesh-apiserver-generate-certs.job.spec" . | nindent 4 }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") }} 2 | --- 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: clustermesh-apiserver-generate-certs 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | k8s-app: clustermesh-apiserver-generate-certs 10 | app.kubernetes.io/part-of: cilium 11 | annotations: 12 | "helm.sh/hook": post-install,post-upgrade 13 | {{- with .Values.certgen.annotations.job }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- with .Values.clustermesh.annotations }} 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | {{ include "clustermesh-apiserver-generate-certs.job.spec" . 
}} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.serviceAccounts.clustermeshcertgen.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: clustermesh-apiserver-generate-certs 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | app.kubernetes.io/part-of: cilium 13 | rules: 14 | - apiGroups: 15 | - "" 16 | resources: 17 | - secrets 18 | verbs: 19 | - create 20 | - apiGroups: 21 | - "" 22 | resources: 23 | - secrets 24 | resourceNames: 25 | - cilium-ca 26 | verbs: 27 | - get 28 | - update 29 | - apiGroups: 30 | - "" 31 | resources: 32 | - secrets 33 | resourceNames: 34 | - clustermesh-apiserver-server-cert 35 | - clustermesh-apiserver-admin-cert 36 | - clustermesh-apiserver-remote-cert 37 | - clustermesh-apiserver-client-cert 38 | verbs: 39 | - update 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.serviceAccounts.clustermeshcertgen.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: 
clustermesh-apiserver-generate-certs 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | app.kubernetes.io/part-of: cilium 13 | roleRef: 14 | apiGroup: rbac.authorization.k8s.io 15 | kind: Role 16 | name: clustermesh-apiserver-generate-certs 17 | subjects: 18 | - kind: ServiceAccount 19 | name: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }} 20 | namespace: {{ .Release.Namespace }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.serviceAccounts.clustermeshcertgen.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.clustermeshcertgen.annotations .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- with .Values.serviceAccounts.clustermeshcertgen.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.clustermesh.annotations }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} 2 | {{- $_ := include "cilium.ca.setup" . -}} 3 | {{- $cn := include "clustermesh-apiserver-generate-certs.admin-common-name" . -}} 4 | {{- $dns := list "localhost" }} 5 | {{- $cert := genSignedCert $cn nil $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} 6 | --- 7 | apiVersion: v1 8 | kind: Secret 9 | metadata: 10 | name: clustermesh-apiserver-admin-cert 11 | namespace: {{ .Release.Namespace }} 12 | {{- with .Values.clustermesh.annotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | type: kubernetes.io/tls 17 | data: 18 | ca.crt: {{ .commonCA.Cert | b64enc }} 19 | tls.crt: {{ $cert.Cert | b64enc }} 20 | tls.key: {{ $cert.Key | b64enc }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.externalWorkloads.enabled .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} 2 | {{- $_ := include "cilium.ca.setup" . 
-}} 3 | {{- $cn := "externalworkload" }} 4 | {{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} 5 | --- 6 | apiVersion: v1 7 | kind: Secret 8 | metadata: 9 | name: clustermesh-apiserver-client-cert 10 | namespace: {{ .Release.Namespace }} 11 | {{- with .Values.clustermesh.annotations }} 12 | annotations: 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | type: kubernetes.io/tls 16 | data: 17 | ca.crt: {{ .commonCA.Cert | b64enc }} 18 | tls.crt: {{ $cert.Cert | b64enc }} 19 | tls.key: {{ $cert.Key | b64enc }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} 2 | {{- $_ := include "cilium.ca.setup" . -}} 3 | {{- $cn := include "clustermesh-apiserver-generate-certs.remote-common-name" . -}} 4 | {{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} 5 | --- 6 | apiVersion: v1 7 | kind: Secret 8 | metadata: 9 | name: clustermesh-apiserver-remote-cert 10 | namespace: {{ .Release.Namespace }} 11 | {{- with .Values.clustermesh.annotations }} 12 | annotations: 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | type: kubernetes.io/tls 16 | data: 17 | ca.crt: {{ .commonCA.Cert | b64enc }} 18 | tls.crt: {{ $cert.Cert | b64enc }} 19 | tls.key: {{ $cert.Key | b64enc }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} 2 | {{- $_ := include "cilium.ca.setup" . -}} 3 | {{- $cn := "clustermesh-apiserver.cilium.io" }} 4 | {{- $ip := concat (list "127.0.0.1" "::1") .Values.clustermesh.apiserver.tls.server.extraIpAddresses }} 5 | {{- $dns := concat (list $cn "*.mesh.cilium.io" (printf "clustermesh-apiserver.%s.svc" .Release.Namespace)) .Values.clustermesh.apiserver.tls.server.extraDnsNames }} 6 | {{- $cert := genSignedCert $cn $ip $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} 7 | --- 8 | apiVersion: v1 9 | kind: Secret 10 | metadata: 11 | name: clustermesh-apiserver-server-cert 12 | namespace: {{ .Release.Namespace }} 13 | {{- with .Values.clustermesh.annotations }} 14 | annotations: 15 | {{- toYaml . 
| nindent 4 }} 16 | {{- end }} 17 | type: kubernetes.io/tls 18 | data: 19 | ca.crt: {{ .commonCA.Cert | b64enc }} 20 | tls.crt: {{ $cert.Cert | b64enc }} 21 | tls.key: {{ $cert.Key | b64enc }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) (not .Values.clustermesh.apiserver.tls.auto.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: clustermesh-apiserver-admin-cert 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.clustermesh.apiserver.tls.admin.cert | required "missing clustermesh.apiserver.tls.admin.cert" }} 15 | tls.key: {{ .Values.clustermesh.apiserver.tls.admin.key | required "missing clustermesh.apiserver.tls.admin.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.externalWorkloads.enabled (not .Values.clustermesh.apiserver.tls.auto.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: clustermesh-apiserver-client-cert 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.clustermesh.apiserver.tls.client.cert | required "missing clustermesh.apiserver.tls.client.cert" }} 15 | tls.key: {{ .Values.clustermesh.apiserver.tls.client.key | required "missing clustermesh.apiserver.tls.client.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.clustermesh.useAPIServer (not .Values.clustermesh.apiserver.tls.auto.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: clustermesh-apiserver-remote-cert 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.clustermesh.apiserver.tls.remote.cert | required "missing clustermesh.apiserver.tls.remote.cert" }} 15 | tls.key: {{ .Values.clustermesh.apiserver.tls.remote.key | required "missing clustermesh.apiserver.tls.remote.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) (not .Values.clustermesh.apiserver.tls.auto.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: clustermesh-apiserver-server-cert 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.clustermesh.apiserver.tls.server.cert | required "missing clustermesh.apiserver.tls.server.cert" }} 15 | tls.key: {{ .Values.clustermesh.apiserver.tls.server.key | required "missing clustermesh.apiserver.tls.server.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if ne .Values.clustermesh.apiserver.tls.authMode "legacy" }} 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: clustermesh-remote-users 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | app.kubernetes.io/part-of: cilium 14 | data: 15 | users.yaml: | 16 | users: 17 | {{- if .Values.clustermesh.apiserver.kvstoremesh.enabled }} 18 | - name: remote-{{ .Values.cluster.name }} 19 | role: remote 20 | {{- end }} 21 | {{- range .Values.clustermesh.config.clusters }} 22 | - name: remote-{{ .name }} 23 | role: remote 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-config/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "clustermesh-config-generate-etcd-cfg" }} 2 | {{- $cluster := index . 0 -}} 3 | {{- $domain := index . 1 -}} 4 | {{- $override := index . 2 -}} 5 | {{- /* The parenthesis around $cluster.tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}} 6 | {{- $prefix := ternary "common-" (printf "%s." 
$cluster.name) (or (ne $override "") (empty ($cluster.tls).cert) (empty ($cluster.tls).key)) -}} 7 | 8 | endpoints: 9 | {{- if ne $override "" }} 10 | - {{ $override }} 11 | {{- else if $cluster.ips }} 12 | - https://{{ $cluster.name }}.{{ $domain }}:{{ $cluster.port }} 13 | {{- else }} 14 | - https://{{ $cluster.address | required "missing clustermesh.apiserver.config.clusters.address" }}:{{ $cluster.port }} 15 | {{- end }} 16 | {{- if not (empty ($cluster.tls).caCert) }} 17 | {{- /* The custom CA configuration takes effect only if a custom certificate and key are also set */}} 18 | trusted-ca-file: /var/lib/cilium/clustermesh/{{ $prefix }}etcd-client-ca.crt 19 | {{- else }} 20 | trusted-ca-file: /var/lib/cilium/clustermesh/common-etcd-client-ca.crt 21 | {{- end }} 22 | key-file: /var/lib/cilium/clustermesh/{{ $prefix }}etcd-client.key 23 | cert-file: /var/lib/cilium/clustermesh/{{ $prefix }}etcd-client.crt 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.clustermesh.config.enabled }} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: cilium-clustermesh 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | data: 13 | {{- $kvstoremesh := and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.kvstoremesh.enabled }} 14 | {{- $override := ternary (printf "https://clustermesh-apiserver.%s.svc:2379" .Release.Namespace) "" $kvstoremesh }} 15 | {{- range .Values.clustermesh.config.clusters }} 16 | {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . 
$.Values.clustermesh.config.domain $override) | b64enc }} 17 | {{- /* The parenthesis around .tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}} 18 | {{- if and (eq $override "") (.tls).cert (.tls).key }} 19 | {{- if .tls.caCert }} 20 | {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert }} 21 | {{- end }} 22 | {{ .name }}.etcd-client.key: {{ .tls.key }} 23 | {{ .name }}.etcd-client.crt: {{ .tls.cert }} 24 | {{- end }} 25 | {{- end }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.config.enabled .Values.clustermesh.apiserver.kvstoremesh.enabled }} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: cilium-kvstoremesh 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | data: 13 | {{- range .Values.clustermesh.config.clusters }} 14 | {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . 
$.Values.clustermesh.config.domain "") | b64enc }} 15 | {{- /* The parentheses around .tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}} 16 | {{- if and (.tls).cert (.tls).key }} 17 | {{- if .tls.caCert }} 18 | {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert }} 19 | {{- end }} 20 | {{ .name }}.etcd-client.key: {{ .tls.key }} 21 | {{ .name }}.etcd-client.crt: {{ .tls.cert }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.etcd.managed }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: cilium-etcd-operator 6 | {{- with .Values.etcd.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | rules: 13 | - apiGroups: 14 | - etcd.database.coreos.com 15 | resources: 16 | - etcdclusters 17 | verbs: 18 | - get 19 | - delete 20 | - create 21 | - update 22 | - apiGroups: 23 | - apiextensions.k8s.io 24 | resources: 25 | - customresourcedefinitions 26 | verbs: 27 | - delete 28 | - get 29 | - create 30 | - apiGroups: 31 | - "" 32 | resources: 33 | - deployments 34 | verbs: 35 | - delete 36 | - create 37 | - get 38 | - update 39 | - apiGroups: 40 | - "" 41 | resources: 42 | - pods 43 | verbs: 44 | - list 45 | - get 46 | - delete 47 | - apiGroups: 48 | - apps 49 | resources: 50 | - deployments 51 | verbs: 52 | - delete 53 | - create 54 | - get 55 | - update 56 | - apiGroups: 57 | - "" 58 | resources: 59 | - componentstatuses 60 | verbs: 61 | - get 62 | - apiGroups: 63 | - extensions 64 | resources: 65 | - deployments 66 | verbs: 67 | - delete 68 | - create 69 | - get 70 | - update 71 | - apiGroups: 72 | - "" 73 | resources: 74 | - secrets 75 | verbs: 76 | 
- get 77 | - create 78 | - delete 79 | {{- end }} 80 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.etcd.managed .Values.serviceAccounts.etcd.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: cilium-etcd-operator 6 | {{- with .Values.etcd.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: cilium-etcd-operator 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.etcd.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.etcd.managed .Values.serviceAccounts.etcd.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.etcd.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.etcd.annotations .Values.etcd.annotations }} 8 | annotations: 9 | {{- with .Values.etcd.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.etcd.annotations }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.etcd.managed }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: etcd-operator 6 | {{- with .Values.etcd.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | rules: 13 | - apiGroups: 14 | - etcd.database.coreos.com 15 | resources: 16 | - etcdclusters 17 | - etcdbackups 18 | - etcdrestores 19 | verbs: 20 | - '*' 21 | - apiGroups: 22 | - apiextensions.k8s.io 23 | resources: 24 | - customresourcedefinitions 25 | verbs: 26 | - '*' 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - pods 31 | - services 32 | - endpoints 33 | - persistentvolumeclaims 34 | - events 35 | - deployments 36 | verbs: 37 | - '*' 38 | - apiGroups: 39 | - apps 40 | resources: 41 | - deployments 42 | verbs: 43 | - '*' 44 | - apiGroups: 45 | - extensions 46 | resources: 47 | - deployments 48 | verbs: 49 | - create 50 | - get 51 | - list 52 | - patch 53 | - update 54 | - apiGroups: 55 | - "" 56 | resources: 57 | - secrets 58 | verbs: 59 | - get 60 | {{- end }} 61 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.etcd.managed }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: etcd-operator 6 | {{- with .Values.etcd.annotations }} 7 | annotations: 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: etcd-operator 16 | subjects: 17 | - kind: ServiceAccount 18 | name: cilium-etcd-sa 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.etcd.managed }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: cilium-etcd-sa 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.etcd.annotations .Values.etcd.annotations }} 8 | annotations: 9 | {{- with .Values.etcd.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.etcd.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.etcd.managed .Values.etcd.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.etcd.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: cilium-etcd-operator 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.etcd.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | io.cilium/app: etcd-operator 14 | name: cilium-etcd-operator 15 | app.kubernetes.io/name: cilium-etcd-operator 16 | app.kubernetes.io/part-of: cilium 17 | spec: 18 | {{- with $component.maxUnavailable }} 19 | maxUnavailable: {{ . 
}} 20 | {{- end }} 21 | {{- with $component.minAvailable }} 22 | minAvailable: {{ . }} 23 | {{- end }} 24 | selector: 25 | matchLabels: 26 | io.cilium/app: etcd-operator 27 | name: cilium-etcd-operator 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-relay/metrics-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.hubble.relay.prometheus.enabled }} 2 | # We use a separate service from hubble-relay which can be exposed externally 3 | kind: Service 4 | apiVersion: v1 5 | metadata: 6 | name: hubble-relay-metrics 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.hubble.relay.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | k8s-app: hubble-relay 14 | spec: 15 | clusterIP: None 16 | type: ClusterIP 17 | selector: 18 | k8s-app: hubble-relay 19 | ports: 20 | - name: metrics 21 | port: {{ .Values.hubble.relay.prometheus.port }} 22 | protocol: TCP 23 | targetPort: prometheus 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.hubble.relay.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.hubble.relay.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: hubble-relay 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.hubble.relay.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | labels: 13 | k8s-app: hubble-relay 14 | app.kubernetes.io/name: hubble-relay 15 | app.kubernetes.io/part-of: cilium 16 | spec: 17 | {{- with $component.maxUnavailable }} 18 | maxUnavailable: {{ . }} 19 | {{- end }} 20 | {{- with $component.minAvailable }} 21 | minAvailable: {{ . }} 22 | {{- end }} 23 | selector: 24 | matchLabels: 25 | k8s-app: hubble-relay 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-relay/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled }} 2 | kind: Service 3 | apiVersion: v1 4 | metadata: 5 | name: hubble-relay 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.hubble.relay.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | k8s-app: hubble-relay 13 | app.kubernetes.io/name: hubble-relay 14 | app.kubernetes.io/part-of: cilium 15 | spec: 16 | type: {{ .Values.hubble.relay.service.type | quote }} 17 | selector: 18 | k8s-app: hubble-relay 19 | ports: 20 | - protocol: TCP 21 | {{- if .Values.hubble.relay.servicePort }} 22 | port: {{ .Values.hubble.relay.servicePort }} 23 | {{- else }} 24 | port: {{ .Values.hubble.relay.tls.server.enabled | ternary 443 80 }} 25 | {{- end }} 26 | targetPort: {{ .Values.hubble.relay.listenPort }} 27 | {{- if and (eq "NodePort" .Values.hubble.relay.service.type) .Values.hubble.relay.service.nodePort }} 28 | nodePort: {{ .Values.hubble.relay.service.nodePort }} 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-relay/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled 
.Values.serviceAccounts.relay.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.relay.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.relay.annotations .Values.hubble.relay.annotations }} 8 | annotations: 9 | {{- with .Values.hubble.relay.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.relay.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-relay/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.hubble.relay.prometheus.enabled .Values.hubble.relay.prometheus.serviceMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: hubble-relay 6 | namespace: {{ .Values.hubble.relay.prometheus.serviceMonitor.namespace | default .Release.Namespace }} 7 | labels: 8 | {{- with .Values.hubble.relay.prometheus.serviceMonitor.labels }} 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | {{- if or .Values.hubble.relay.prometheus.serviceMonitor.annotations .Values.hubble.relay.annotations }} 12 | annotations: 13 | {{- with .Values.hubble.relay.annotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- with .Values.hubble.relay.prometheus.serviceMonitor.annotations }} 17 | {{- toYaml . 
| nindent 4 }} 18 | {{- end }} 19 | {{- end }} 20 | spec: 21 | selector: 22 | matchLabels: 23 | k8s-app: hubble-relay 24 | namespaceSelector: 25 | matchNames: 26 | - {{ .Release.Namespace }} 27 | endpoints: 28 | - port: metrics 29 | interval: {{ .Values.hubble.relay.prometheus.serviceMonitor.interval | quote }} 30 | path: /metrics 31 | {{- with .Values.hubble.relay.prometheus.serviceMonitor.relabelings }} 32 | relabelings: 33 | {{- toYaml . | nindent 4 }} 34 | {{- end }} 35 | {{- with .Values.hubble.relay.prometheus.serviceMonitor.metricRelabelings }} 36 | metricRelabelings: 37 | {{- toYaml . | nindent 4 }} 38 | {{- end }} 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-ui/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: hubble-ui 6 | {{- with .Values.hubble.ui.annotations }} 7 | annotations: 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | rules: 13 | - apiGroups: 14 | - networking.k8s.io 15 | resources: 16 | - networkpolicies 17 | verbs: 18 | - get 19 | - list 20 | - watch 21 | - apiGroups: 22 | - "" 23 | resources: 24 | - componentstatuses 25 | - endpoints 26 | - namespaces 27 | - nodes 28 | - pods 29 | - services 30 | verbs: 31 | - get 32 | - list 33 | - watch 34 | - apiGroups: 35 | - apiextensions.k8s.io 36 | resources: 37 | - customresourcedefinitions 38 | verbs: 39 | - get 40 | - list 41 | - watch 42 | - apiGroups: 43 | - cilium.io 44 | resources: 45 | - "*" 46 | verbs: 47 | - get 48 | - list 49 | - watch 50 | {{- end }} 51 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: hubble-ui 6 | {{- with .Values.hubble.ui.annotations }} 7 | annotations: 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: hubble-ui 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.ui.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-ui/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }} 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: hubble-ui-nginx 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.hubble.ui.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | data: 13 | nginx.conf: {{ include "hubble-ui.nginx.conf" . | trim | quote }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-ui/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.hubble.ui.ingress.enabled }} 2 | {{- $baseUrl := .Values.hubble.ui.baseUrl -}} 3 | apiVersion: {{ template "ingress.apiVersion" . }} 4 | kind: Ingress 5 | metadata: 6 | name: hubble-ui 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | k8s-app: hubble-ui 10 | app.kubernetes.io/name: hubble-ui 11 | app.kubernetes.io/part-of: cilium 12 | {{- with .Values.hubble.ui.ingress.labels }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- if or .Values.hubble.ui.ingress.annotations .Values.hubble.ui.annotations }} 16 | annotations: 17 | {{- with .Values.hubble.ui.annotations }} 18 | {{- toYaml . 
| nindent 4 }} 19 | {{- end }} 20 | {{- with .Values.hubble.ui.ingress.annotations }} 21 | {{- toYaml . | nindent 4 }} 22 | {{- end }} 23 | {{- end }} 24 | spec: 25 | {{- if .Values.hubble.ui.ingress.className }} 26 | ingressClassName: {{ .Values.hubble.ui.ingress.className }} 27 | {{- end }} 28 | {{- if .Values.hubble.ui.ingress.tls }} 29 | tls: 30 | {{- toYaml .Values.hubble.ui.ingress.tls | nindent 4 }} 31 | {{- end }} 32 | rules: 33 | {{- range .Values.hubble.ui.ingress.hosts }} 34 | - host: {{ . }} 35 | http: 36 | paths: 37 | - path: {{ $baseUrl | quote }} 38 | {{- include "ingress.paths" $ | nindent 12 }} 39 | {{- end }} 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.hubble.ui.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.hubble.ui.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: hubble-ui 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.hubble.ui.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | k8s-app: hubble-ui 14 | app.kubernetes.io/name: hubble-ui 15 | app.kubernetes.io/part-of: cilium 16 | spec: 17 | {{- with $component.maxUnavailable }} 18 | maxUnavailable: {{ . }} 19 | {{- end }} 20 | {{- with $component.minAvailable }} 21 | minAvailable: {{ . 
}} 22 | {{- end }} 23 | selector: 24 | matchLabels: 25 | k8s-app: hubble-ui 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-ui/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }} 2 | kind: Service 3 | apiVersion: v1 4 | metadata: 5 | name: hubble-ui 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.hubble.ui.service.annotations .Values.hubble.ui.annotations }} 8 | annotations: 9 | {{- with .Values.hubble.ui.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.hubble.ui.service.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | labels: 17 | k8s-app: hubble-ui 18 | app.kubernetes.io/name: hubble-ui 19 | app.kubernetes.io/part-of: cilium 20 | spec: 21 | type: {{ .Values.hubble.ui.service.type | quote }} 22 | selector: 23 | k8s-app: hubble-ui 24 | ports: 25 | - name: http 26 | port: 80 27 | targetPort: 8081 28 | {{- if and (eq "NodePort" .Values.hubble.ui.service.type) .Values.hubble.ui.service.nodePort }} 29 | nodePort: {{ .Values.hubble.ui.service.nodePort }} 30 | {{- end }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble-ui/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.ui.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.ui.annotations .Values.hubble.ui.annotations }} 8 | annotations: 9 | {{- with 
.Values.hubble.ui.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.ui.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/dashboards-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.hubble.metrics.dashboards.enabled }} 2 | {{- $files := .Files.Glob "files/hubble/dashboards/*.json" }} 3 | {{- range $path, $fileContents := $files }} 4 | {{- $dashboardName := regexReplaceAll "(^.*/)(.*)\\.json$" $path "${2}" }} 5 | --- 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: {{ $dashboardName | trunc 63 | trimSuffix "-" }} 10 | namespace: {{ $.Values.hubble.metrics.dashboards.namespace | default $.Release.Namespace }} 11 | labels: 12 | k8s-app: hubble 13 | app.kubernetes.io/name: hubble 14 | app.kubernetes.io/part-of: cilium 15 | {{- if $.Values.hubble.metrics.dashboards.label }} 16 | {{ $.Values.hubble.metrics.dashboards.label }}: {{ ternary $.Values.hubble.metrics.dashboards.labelValue "1" (not (empty $.Values.hubble.metrics.dashboards.labelValue)) | quote }} 17 | {{- end }} 18 | {{- if or $.Values.hubble.metrics.dashboards.annotations $.Values.hubble.annotations }} 19 | annotations: 20 | {{- with $.Values.hubble.annotations }} 21 | {{- toYaml . | nindent 4 }} 22 | {{- end }} 23 | {{- with $.Values.hubble.metrics.dashboards.annotations }} 24 | {{- toYaml . 
| nindent 4 }} 25 | {{- end }} 26 | {{- end }} 27 | data: 28 | {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }} 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/metrics-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: hubble-metrics 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | k8s-app: hubble 9 | app.kubernetes.io/name: hubble 10 | app.kubernetes.io/part-of: cilium 11 | annotations: 12 | {{- with .Values.hubble.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- with .Values.hubble.metrics.serviceAnnotations }} 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | {{- if not .Values.hubble.metrics.serviceMonitor.enabled }} 19 | prometheus.io/scrape: "true" 20 | prometheus.io/port: {{ .Values.hubble.metrics.port | quote }} 21 | {{- end }} 22 | spec: 23 | clusterIP: None 24 | type: ClusterIP 25 | ports: 26 | - name: hubble-metrics 27 | port: {{ .Values.hubble.metrics.port }} 28 | protocol: TCP 29 | targetPort: hubble-metrics 30 | selector: 31 | k8s-app: cilium 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/peer-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.agent .Values.hubble.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: hubble-peer 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.hubble.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | labels: 12 | k8s-app: cilium 13 | app.kubernetes.io/part-of: cilium 14 | app.kubernetes.io/name: hubble-peer 15 | spec: 16 | selector: 17 | k8s-app: cilium 18 | ports: 19 | - name: peer-service 20 | {{- if .Values.hubble.peerService.servicePort }} 21 | port: {{ .Values.hubble.peerService.servicePort }} 22 | {{- else }} 23 | port: {{ .Values.hubble.tls.enabled | ternary 443 80 }} 24 | {{- end }} 25 | protocol: TCP 26 | targetPort: {{ .Values.hubble.peerService.targetPort }} 27 | {{- if semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion }} 28 | internalTrafficPolicy: Local 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled .Values.hubble.metrics.serviceMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: hubble 6 | namespace: {{ .Values.prometheus.serviceMonitor.namespace | default .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/part-of: cilium 9 | {{- with .Values.hubble.metrics.serviceMonitor.labels }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- if or .Values.hubble.metrics.serviceMonitor.annotations .Values.hubble.annotations }} 13 | annotations: 14 | {{- with .Values.hubble.annotations }} 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | {{- with .Values.hubble.metrics.serviceMonitor.annotations }} 18 | {{- toYaml . 
| nindent 4 }} 19 | {{- end }} 20 | {{- end }} 21 | spec: 22 | selector: 23 | matchLabels: 24 | k8s-app: hubble 25 | namespaceSelector: 26 | matchNames: 27 | - {{ .Release.Namespace }} 28 | endpoints: 29 | - port: hubble-metrics 30 | interval: {{ .Values.hubble.metrics.serviceMonitor.interval | quote }} 31 | honorLabels: true 32 | path: /metrics 33 | {{- with .Values.hubble.metrics.serviceMonitor.relabelings }} 34 | relabelings: 35 | {{- toYaml . | nindent 4 }} 36 | {{- end }} 37 | {{- with .Values.hubble.metrics.serviceMonitor.metricRelabelings }} 38 | metricRelabelings: 39 | {{- toYaml . | nindent 4 }} 40 | {{- end }} 41 | {{- if .Values.hubble.metrics.serviceMonitor.jobLabel }} 42 | jobLabel: {{ .Values.hubble.metrics.serviceMonitor.jobLabel | quote }} 43 | {{- end }} 44 | {{- end }} 45 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") .Values.hubble.relay.enabled }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: hubble-relay-client-certs 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.hubble.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | spec: 13 | issuerRef: 14 | {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }} 15 | secretName: hubble-relay-client-certs 16 | commonName: "*.hubble-relay.cilium.io" 17 | dnsNames: 18 | - "*.hubble-relay.cilium.io" 19 | duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} 20 | privateKey: 21 | rotationPolicy: Always 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: hubble-relay-server-certs 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.hubble.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | spec: 13 | issuerRef: 14 | {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }} 15 | secretName: hubble-relay-server-certs 16 | commonName: "*.hubble-relay.cilium.io" 17 | dnsNames: 18 | - "*.hubble-relay.cilium.io" 19 | {{- range $dns := .Values.hubble.relay.tls.server.extraDnsNames }} 20 | - {{ $dns | quote }} 21 | {{- end }} 22 | {{- if .Values.hubble.relay.tls.server.extraIpAddresses }} 23 | ipAddresses: 24 | {{- range $ip := .Values.hubble.relay.tls.server.extraIpAddresses }} 25 | - {{ $ip | quote }} 26 | {{- end }} 27 | {{- end }} 28 | duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} 29 | privateKey: 30 | rotationPolicy: Always 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") }} 2 | {{- $cn := list "*" (.Values.cluster.name | replace "." "-") "hubble-grpc.cilium.io" | join "." }} 3 | --- 4 | apiVersion: cert-manager.io/v1 5 | kind: Certificate 6 | metadata: 7 | name: hubble-server-certs 8 | namespace: {{ .Release.Namespace }} 9 | {{- with .Values.hubble.annotations }} 10 | annotations: 11 | {{- toYaml . 
| nindent 4 }} 12 | {{- end }} 13 | spec: 14 | issuerRef: 15 | {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }} 16 | secretName: hubble-server-certs 17 | commonName: {{ $cn | quote }} 18 | dnsNames: 19 | - {{ $cn | quote }} 20 | {{- range $dns := .Values.hubble.tls.server.extraDnsNames }} 21 | - {{ $dns | quote }} 22 | {{- end }} 23 | {{- if .Values.hubble.tls.server.extraIpAddresses }} 24 | ipAddresses: 25 | {{- range $ip := .Values.hubble.tls.server.extraIpAddresses }} 26 | - {{ $ip | quote }} 27 | {{- end }} 28 | {{- end }} 29 | duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} 30 | privateKey: 31 | rotationPolicy: Always 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: hubble-ui-client-certs 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.hubble.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | spec: 13 | issuerRef: 14 | {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }} 15 | secretName: hubble-ui-client-certs 16 | commonName: "*.hubble-ui.cilium.io" 17 | dnsNames: 18 | - "*.hubble-ui.cilium.io" 19 | duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} 20 | privateKey: 21 | rotationPolicy: Always 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.serviceAccounts.hubblecertgen.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: hubble-generate-certs 6 | {{- with .Values.hubble.annotations }} 7 | annotations: 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | rules: 13 | - apiGroups: 14 | - "" 15 | resources: 16 | - secrets 17 | verbs: 18 | - create 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - secrets 23 | resourceNames: 24 | - hubble-server-certs 25 | - hubble-relay-client-certs 26 | - hubble-relay-server-certs 27 | verbs: 28 | - update 29 | - apiGroups: 30 | - "" 31 | resources: 32 | - secrets 33 | resourceNames: 34 | - cilium-ca 35 | verbs: 36 | - get 37 | - update 38 | {{- end }} 39 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.serviceAccounts.hubblecertgen.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: hubble-generate-certs 6 | {{- with .Values.hubble.annotations }} 7 | annotations: 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: hubble-generate-certs 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.hubblecertgen.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.hubble.tls.auto.schedule }} 2 | apiVersion: {{ include "cronjob.apiVersion" . }} 3 | kind: CronJob 4 | metadata: 5 | name: hubble-generate-certs 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | k8s-app: hubble-generate-certs 9 | app.kubernetes.io/name: hubble-generate-certs 10 | app.kubernetes.io/part-of: cilium 11 | {{- if or .Values.certgen.annotations.cronJob .Values.hubble.annotations }} 12 | annotations: 13 | {{- with .Values.hubble.annotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- with .Values.certgen.annotations.cronJob }} 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | {{- end }} 20 | spec: 21 | schedule: {{ .Values.hubble.tls.auto.schedule | quote }} 22 | concurrencyPolicy: Forbid 23 | jobTemplate: 24 | {{- include "hubble-generate-certs.job.spec" . 
| nindent 4 }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-cronjob/job.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") }} 2 | --- 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: hubble-generate-certs 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | k8s-app: hubble-generate-certs 10 | app.kubernetes.io/name: hubble-generate-certs 11 | app.kubernetes.io/part-of: cilium 12 | annotations: 13 | "helm.sh/hook": post-install,post-upgrade 14 | {{- with .Values.certgen.annotations.job }} 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | {{- with .Values.hubble.annotations }} 18 | {{- toYaml . | nindent 4 }} 19 | {{- end }} 20 | {{ include "hubble-generate-certs.job.spec" . }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.serviceAccounts.hubblecertgen.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.hubblecertgen.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.hubblecertgen.annotations .Values.hubble.annotations }} 8 | annotations: 9 | {{- with .Values.hubble.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.hubblecertgen.annotations }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-helm/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Generate TLS certificates for Hubble Server and Hubble Relay. 3 | 4 | Note: Always use this template as follows: 5 | 6 | {{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}} 7 | 8 | The assignment to `$_` is required because we store the generated CA in a global `ca` variable. 9 | Please don't try to "simplify" this, as without this trick, every generated 10 | certificate would be signed by a different CA. 11 | */}} 12 | {{- define "hubble-generate-certs.helm.setup-ca" }} 13 | {{- if not .ca }} 14 | {{- $ca := "" -}} 15 | {{- $crt := .Values.tls.ca.cert -}} 16 | {{- $key := .Values.tls.ca.key -}} 17 | {{- if and $crt $key }} 18 | {{- $ca = buildCustomCert $crt $key -}} 19 | {{- else }} 20 | {{- $_ := include "cilium.ca.setup" . -}} 21 | {{- with lookup "v1" "Secret" .Release.Namespace .commonCASecretName }} 22 | {{- $crt := index .data "ca.crt" }} 23 | {{- $key := index .data "ca.key" }} 24 | {{- $ca = buildCustomCert $crt $key -}} 25 | {{- else }} 26 | {{- $ca = .commonCA -}} 27 | {{- end }} 28 | {{- end }} 29 | {{- $_ := set . "ca" $ca -}} 30 | {{- end }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") .Values.hubble.relay.enabled }} 2 | {{- $_ := include "hubble-generate-certs.helm.setup-ca" . 
-}} 3 | {{- $cn := "*.hubble-relay.cilium.io" }} 4 | {{- $dns := list $cn }} 5 | {{- $cert := genSignedCert $cn nil $dns (.Values.hubble.tls.auto.certValidityDuration | int) .ca -}} 6 | --- 7 | apiVersion: v1 8 | kind: Secret 9 | metadata: 10 | name: hubble-relay-client-certs 11 | namespace: {{ .Release.Namespace }} 12 | {{- with .Values.hubble.annotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | type: kubernetes.io/tls 17 | data: 18 | ca.crt: {{ .ca.Cert | b64enc }} 19 | tls.crt: {{ $cert.Cert | b64enc }} 20 | tls.key: {{ $cert.Key | b64enc }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} 2 | {{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}} 3 | {{- $cn := "*.hubble-relay.cilium.io" }} 4 | {{- $ip := .Values.hubble.relay.tls.server.extraIpAddresses }} 5 | {{- $dns := prepend .Values.hubble.relay.tls.server.extraDnsNames $cn }} 6 | {{- $cert := genSignedCert $cn $ip $dns (.Values.hubble.tls.auto.certValidityDuration | int) .ca -}} 7 | --- 8 | apiVersion: v1 9 | kind: Secret 10 | metadata: 11 | name: hubble-relay-server-certs 12 | namespace: {{ .Release.Namespace }} 13 | {{- with .Values.hubble.annotations }} 14 | annotations: 15 | {{- toYaml . 
| nindent 4 }} 16 | {{- end }} 17 | type: kubernetes.io/tls 18 | data: 19 | ca.crt: {{ .ca.Cert | b64enc }} 20 | tls.crt: {{ $cert.Cert | b64enc }} 21 | tls.key: {{ $cert.Key | b64enc }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-helm/server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") }} 2 | {{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}} 3 | {{- $cn := list "*" (.Values.cluster.name | replace "." "-") "hubble-grpc.cilium.io" | join "." }} 4 | {{- $ip := .Values.hubble.tls.server.extraIpAddresses }} 5 | {{- $dns := prepend .Values.hubble.tls.server.extraDnsNames $cn }} 6 | {{- $cert := genSignedCert $cn $ip $dns (.Values.hubble.tls.auto.certValidityDuration | int) .ca -}} 7 | --- 8 | apiVersion: v1 9 | kind: Secret 10 | metadata: 11 | name: hubble-server-certs 12 | namespace: {{ .Release.Namespace }} 13 | {{- with .Values.hubble.annotations }} 14 | annotations: 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | type: kubernetes.io/tls 18 | data: 19 | ca.crt: {{ .ca.Cert | b64enc }} 20 | tls.crt: {{ $cert.Cert | b64enc }} 21 | tls.key: {{ $cert.Key | b64enc }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} 2 | {{- $_ := include "hubble-generate-certs.helm.setup-ca" . 
-}} 3 | {{- $cn := "*.hubble-ui.cilium.io" }} 4 | {{- $dns := list $cn }} 5 | {{- $cert := genSignedCert $cn nil $dns (.Values.hubble.tls.auto.certValidityDuration | int) .ca -}} 6 | --- 7 | apiVersion: v1 8 | kind: Secret 9 | metadata: 10 | name: hubble-ui-client-certs 11 | namespace: {{ .Release.Namespace }} 12 | {{- with .Values.hubble.annotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | type: kubernetes.io/tls 17 | data: 18 | ca.crt: {{ .ca.Cert | b64enc }} 19 | tls.crt: {{ $cert.Cert | b64enc }} 20 | tls.key: {{ $cert.Key | b64enc }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: hubble-relay-client-certs 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.hubble.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.hubble.relay.tls.client.cert | required "missing hubble.relay.tls.client.cert" }} 15 | tls.key: {{ .Values.hubble.relay.tls.client.key | required "missing hubble.relay.tls.client.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: hubble-relay-server-certs 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.hubble.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.hubble.relay.tls.server.cert | required "missing hubble.relay.tls.server.cert" }} 15 | tls.key: {{ .Values.hubble.relay.tls.server.key | required "missing hubble.relay.tls.server.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-provided/server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: hubble-server-certs 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.hubble.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.hubble.tls.server.cert | required "missing hubble.tls.server.cert" }} 15 | tls.key: {{ .Values.hubble.tls.server.key | required "missing hubble.tls.server.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: hubble-ui-client-certs 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.hubble.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.hubble.ui.tls.client.cert | required "missing hubble.ui.tls.client.cert" }} 15 | tls.key: {{ .Values.hubble.ui.tls.client.key | required "missing hubble.ui.tls.client.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/spire/agent/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.agent.serviceAccount.create -}} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }} 6 | {{- with .Values.authentication.mutual.spire.annotations }} 7 | annotations: 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | rules: 11 | # Required cluster role to allow spire-agent to query k8s API server 12 | - apiGroups: [ "" ] 13 | resources: [ "pods","nodes","nodes/proxy" ] 14 | verbs: [ "get" ] 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/spire/agent/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.agent.serviceAccount.create -}} 2 | --- 3 | kind: ClusterRoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }} 7 | {{- with .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | roleRef: 12 | kind: ClusterRole 13 | name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }} 14 | apiGroup: rbac.authorization.k8s.io 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }} 18 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/spire/agent/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.agent.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }} 6 | namespace: {{ 
.Values.authentication.mutual.spire.install.namespace }} 7 | {{- with .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/spire/bundle-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: spire-bundle 6 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 7 | {{- with .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/spire/namespace.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled (not .Values.authentication.mutual.spire.install.existingNamespace) -}} 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: {{ .Values.authentication.mutual.spire.install.namespace }} 6 | {{- with .Values.authentication.mutual.spire.annotations }} 7 | annotations: 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/spire/server/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.server.serviceAccount.create -}} 2 | 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 7 | {{- with .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | rules: 12 | # ClusterRole to allow spire-server node attestor to query Token Review API 13 | - apiGroups: [ "authentication.k8s.io" ] 14 | resources: [ "tokenreviews" ] 15 | verbs: [ "create" ] 16 | # Required cluster role to allow spire-server to query k8s API server 17 | # for pods for psat attestation 18 | - apiGroups: [ "" ] 19 | resources: [ "pods" ] 20 | verbs: [ "get" ] 21 | # Required cluster role to allow spire-server to query k8s API server 22 | # for nodes for psat attestation 23 | - apiGroups: [ "" ] 24 | resources: [ "nodes","nodes/proxy" ] 25 | verbs: [ "get" ] 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/spire/server/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.server.serviceAccount.create -}} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 6 | {{- 
with .Values.authentication.mutual.spire.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | roleRef: 11 | kind: ClusterRole 12 | name: spire-server 13 | apiGroup: rbac.authorization.k8s.io 14 | subjects: 15 | - kind: ServiceAccount 16 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 17 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/spire/server/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.server.serviceAccount.create -}} 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 6 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 7 | {{- with .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | rules: 12 | # Role (namespace scoped) to be able to push certificate bundles to a configmap 13 | - apiGroups: [ "" ] 14 | resources: [ "configmaps" ] 15 | verbs: [ "patch", "get", "list" ] 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/spire/server/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}} 2 | kind: RoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 6 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 7 | {{- with .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: Role 14 | name: spire-server 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 18 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 19 | --- 20 | kind: RoleBinding 21 | apiVersion: rbac.authorization.k8s.io/v1 22 | metadata: 23 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}-pod 24 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 25 | {{- with .Values.authentication.mutual.spire.annotations }} 26 | annotations: 27 | {{- toYaml . 
| nindent 4 }} 28 | {{- end }} 29 | roleRef: 30 | apiGroup: rbac.authorization.k8s.io 31 | kind: ClusterRole 32 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}-pod 33 | subjects: 34 | - kind: ServiceAccount 35 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 36 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 37 | {{- end }} 38 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/spire/server/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: spire-server 6 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 7 | {{- if or .Values.authentication.mutual.spire.install.server.service.annotations .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- with .Values.authentication.mutual.spire.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.authentication.mutual.spire.install.server.service.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- with .Values.authentication.mutual.spire.install.server.service.labels }} 17 | labels: 18 | {{- toYaml . 
| nindent 8 }} 19 | {{- end }} 20 | spec: 21 | type: {{ .Values.authentication.mutual.spire.install.server.service.type }} 22 | ports: 23 | - name: grpc 24 | port: 8081 25 | targetPort: grpc 26 | protocol: TCP 27 | selector: 28 | app: spire-server 29 | {{- end }} 30 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cilium/templates/spire/server/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.server.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 6 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 7 | {{- with .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 1.27.2 3 | description: Scales Kubernetes worker nodes within autoscaling groups. 4 | home: https://github.com/kubernetes/autoscaler 5 | icon: https://github.com/kubernetes/kubernetes/raw/master/logo/logo.png 6 | maintainers: 7 | - email: guyjtempleton@googlemail.com 8 | name: gjtempleton 9 | name: cluster-autoscaler 10 | sources: 11 | - https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler 12 | type: application 13 | version: 9.29.1 14 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/requirements.lock: -------------------------------------------------------------------------------- 1 | dependencies: [] 2 | digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726 3 | generated: "0001-01-01T00:00:00Z" 4 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if or .Values.autoDiscovery.clusterName .Values.autoscalingGroups -}} 2 | 3 | To verify that cluster-autoscaler has started, run: 4 | 5 | kubectl --namespace={{ .Release.Namespace }} get pods -l "app.kubernetes.io/name={{ template "cluster-autoscaler.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" 6 | 7 | {{- else -}} 8 | 9 | ############################################################################## 10 | #### ERROR: You must specify values for either #### 11 | #### autoDiscovery.clusterName or autoscalingGroups[] #### 12 | ############################################################################## 13 | 14 | The deployment and pod will not be created and the installation is not functional 15 | See README: 16 | open https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler 17 | 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create .Values.rbac.clusterScoped -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | labels: 6 | {{ include "cluster-autoscaler.labels" . | indent 4 }} 7 | name: {{ template "cluster-autoscaler.fullname" . }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: ClusterRole 11 | name: {{ template "cluster-autoscaler.fullname" . }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: {{ template "cluster-autoscaler.serviceAccountName" . }} 15 | namespace: {{ .Release.Namespace }} 16 | {{- end -}} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/pdb.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podDisruptionBudget -}} 2 | apiVersion: {{ template "podDisruptionBudget.apiVersion" . }} 3 | kind: PodDisruptionBudget 4 | metadata: 5 | labels: 6 | {{ include "cluster-autoscaler.labels" . | indent 4 }} 7 | name: {{ template "cluster-autoscaler.fullname" . 
}} 8 | namespace: {{ .Release.Namespace }} 9 | spec: 10 | selector: 11 | matchLabels: 12 | {{ include "cluster-autoscaler.instance-name" . | indent 6 }} 13 | {{- if .Values.podDisruptionBudget }} 14 | {{ toYaml .Values.podDisruptionBudget | nindent 2 }} 15 | {{- end }} 16 | {{- end -}} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.pspEnabled }} 2 | apiVersion: {{ template "podsecuritypolicy.apiVersion" . }} 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "cluster-autoscaler.fullname" . }} 6 | labels: 7 | {{ include "cluster-autoscaler.labels" . | indent 4 }} 8 | spec: 9 | # Prevents running in privileged mode 10 | privileged: false 11 | # Required to prevent escalations to root. 12 | allowPrivilegeEscalation: false 13 | requiredDropCapabilities: 14 | - ALL 15 | volumes: 16 | - 'configMap' 17 | - 'secret' 18 | - 'hostPath' 19 | - 'emptyDir' 20 | - 'projected' 21 | - 'downwardAPI' 22 | hostNetwork: {{ .Values.hostNetwork }} 23 | hostIPC: false 24 | hostPID: false 25 | runAsUser: 26 | rule: RunAsAny 27 | seLinux: 28 | rule: RunAsAny 29 | supplementalGroups: 30 | rule: 'MustRunAs' 31 | ranges: 32 | # Forbid adding the root group. 33 | - min: 1 34 | max: 65535 35 | fsGroup: 36 | rule: 'MustRunAs' 37 | ranges: 38 | # Forbid adding the root group. 39 | - min: 1 40 | max: 65535 41 | readOnlyRootFilesystem: false 42 | {{- end }} 43 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/priority-expander-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if hasKey .Values.extraArgs "expander" }} 2 | {{- if and (.Values.expanderPriorities) (include "cluster-autoscaler.priorityExpanderEnabled" .) 
-}} 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: cluster-autoscaler-priority-expander 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{ include "cluster-autoscaler.labels" . | indent 4 }} 10 | {{- if .Values.priorityConfigMapAnnotations }} 11 | annotations: 12 | {{ toYaml .Values.priorityConfigMapAnnotations | indent 4 }} 13 | {{- end }} 14 | data: 15 | priorities: |- 16 | {{- if kindIs "string" .Values.expanderPriorities }} 17 | {{ .Values.expanderPriorities | indent 4 }} 18 | {{- else }} 19 | {{- range $k,$v := .Values.expanderPriorities }} 20 | {{ $k | int }}: 21 | {{- toYaml $v | nindent 6 }} 22 | {{- end -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.prometheusRule.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: {{ include "cluster-autoscaler.fullname" . }} 6 | {{- if .Values.prometheusRule.namespace }} 7 | namespace: {{ .Values.prometheusRule.namespace }} 8 | {{- end }} 9 | labels: {{- toYaml .Values.prometheusRule.additionalLabels | nindent 4 }} 10 | spec: 11 | groups: 12 | - name: {{ include "cluster-autoscaler.fullname" . }} 13 | interval: {{ .Values.prometheusRule.interval }} 14 | rules: {{- tpl (toYaml .Values.prometheusRule.rules) . | nindent 8 }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | labels: 6 | {{ include "cluster-autoscaler.labels" . 
| indent 4 }} 7 | name: {{ template "cluster-autoscaler.fullname" . }} 8 | namespace: {{ .Release.Namespace }} 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: Role 12 | name: {{ template "cluster-autoscaler.fullname" . }} 13 | subjects: 14 | - kind: ServiceAccount 15 | name: {{ template "cluster-autoscaler.serviceAccountName" . }} 16 | namespace: {{ .Release.Namespace }} 17 | {{- end -}} 18 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if or (eq .Values.cloudProvider "azure") (and (eq .Values.cloudProvider "aws") (not (has "" (list .Values.awsAccessKeyID .Values.awsSecretAccessKey)))) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ template "cluster-autoscaler.fullname" . }} 6 | namespace: {{ .Release.Namespace }} 7 | data: 8 | {{- if eq .Values.cloudProvider "azure" }} 9 | ClientID: "{{ .Values.azureClientID | b64enc }}" 10 | ClientSecret: "{{ .Values.azureClientSecret | b64enc }}" 11 | ResourceGroup: "{{ .Values.azureResourceGroup | b64enc }}" 12 | SubscriptionID: "{{ .Values.azureSubscriptionID | b64enc }}" 13 | TenantID: "{{ .Values.azureTenantID | b64enc }}" 14 | VMType: "{{ .Values.azureVMType | b64enc }}" 15 | ClusterName: "{{ .Values.azureClusterName | b64enc }}" 16 | NodeResourceGroup: "{{ .Values.azureNodeResourceGroup | b64enc }}" 17 | {{- else if eq .Values.cloudProvider "aws" }} 18 | AwsAccessKeyId: "{{ .Values.awsAccessKeyID | b64enc }}" 19 | AwsSecretAccessKey: "{{ .Values.awsSecretAccessKey | b64enc }}" 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.service.create }} 2 | apiVersion: v1 3 
| kind: Service 4 | metadata: 5 | {{- if .Values.service.annotations }} 6 | annotations: 7 | {{ toYaml .Values.service.annotations | indent 4 }} 8 | {{- end }} 9 | labels: 10 | {{ include "cluster-autoscaler.labels" . | indent 4 }} 11 | {{- if .Values.service.labels }} 12 | {{ toYaml .Values.service.labels | indent 4 }} 13 | {{- end }} 14 | name: {{ template "cluster-autoscaler.fullname" . }} 15 | namespace: {{ .Release.Namespace }} 16 | spec: 17 | {{- if .Values.service.clusterIP }} 18 | clusterIP: "{{ .Values.service.clusterIP }}" 19 | {{- end }} 20 | {{- if .Values.service.externalIPs }} 21 | externalIPs: 22 | {{ toYaml .Values.service.externalIPs | indent 4 }} 23 | {{- end }} 24 | {{- if .Values.service.loadBalancerIP }} 25 | loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" 26 | {{- end }} 27 | {{- if .Values.service.loadBalancerSourceRanges }} 28 | loadBalancerSourceRanges: 29 | {{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }} 30 | {{- end }} 31 | ports: 32 | - port: {{ .Values.service.servicePort }} 33 | protocol: TCP 34 | targetPort: 8085 35 | name: {{ .Values.service.portName }} 36 | selector: 37 | {{ include "cluster-autoscaler.instance-name" . | indent 4 }} 38 | type: "{{ .Values.service.type }}" 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create .Values.rbac.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{ include "cluster-autoscaler.labels" . | indent 4 }} 7 | name: {{ template "cluster-autoscaler.serviceAccountName" . 
}} 8 | namespace: {{ .Release.Namespace }} 9 | {{- if .Values.rbac.serviceAccount.annotations }} 10 | annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }} 11 | {{- end }} 12 | automountServiceAccountToken: {{ .Values.rbac.serviceAccount.automountServiceAccountToken }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.serviceMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: {{ include "cluster-autoscaler.fullname" . }} 6 | {{- if .Values.serviceMonitor.namespace }} 7 | namespace: {{ .Values.serviceMonitor.namespace }} 8 | {{- end }} 9 | annotations: 10 | {{ toYaml .Values.serviceMonitor.annotations | indent 4 }} 11 | labels: 12 | {{- range $key, $value := .Values.serviceMonitor.selector }} 13 | {{ $key }}: {{ $value | quote }} 14 | {{- end }} 15 | spec: 16 | selector: 17 | matchLabels: 18 | {{ include "cluster-autoscaler.instance-name" . | indent 6 }} 19 | endpoints: 20 | - port: {{ .Values.service.portName }} 21 | interval: {{ .Values.serviceMonitor.interval }} 22 | path: {{ .Values.serviceMonitor.path }} 23 | {{- if .Values.serviceMonitor.metricRelabelings }} 24 | metricRelabelings: 25 | {{ tpl (toYaml .Values.serviceMonitor.metricRelabelings | indent 6) . 
}} 26 | {{- end }} 27 | namespaceSelector: 28 | matchNames: 29 | - {{.Release.Namespace}} 30 | {{ end }} 31 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/cluster-autoscaler/templates/vpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.vpa.enabled -}} 2 | apiVersion: autoscaling.k8s.io/v1 3 | kind: VerticalPodAutoscaler 4 | metadata: 5 | labels: 6 | {{ include "cluster-autoscaler.labels" . | indent 4 }} 7 | name: {{ template "cluster-autoscaler.fullname" . }} 8 | namespace: {{ .Release.Namespace }} 9 | spec: 10 | targetRef: 11 | apiVersion: {{ template "deployment.apiVersion" . }} 12 | kind: Deployment 13 | name: {{ template "cluster-autoscaler.fullname" . }} 14 | updatePolicy: 15 | updateMode: {{ .Values.vpa.updateMode | quote }} 16 | resourcePolicy: 17 | containerPolicies: 18 | - containerName: {{ template "cluster-autoscaler.name" . }} 19 | {{- .Values.vpa.containerPolicy | toYaml | nindent 6 }} 20 | {{- end -}} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/k8s-keystone-auth/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/k8s-keystone-auth/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: k8s-keystone-auth 3 | description: A Helm chart for k8s-keystone-auth 4 | type: application 5 | version: 0.1.0 6 | appVersion: v1.29.0 7 | sources: 8 | - https://github.com/kubernetes/cloud-provider-openstack/ 9 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/k8s-keystone-auth/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Here is a reference https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/keystone-auth/using-keystone-webhook-authenticator-and-authorizer.md 2 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/k8s-keystone-auth/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: system:{{ include "k8s-keystone-auth.fullname" . }} 5 | labels: 6 | {{- include "k8s-keystone-auth.labels" . | nindent 4 }} 7 | {{- with .Values.serviceAccount.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | rules: 12 | - apiGroups: 13 | - "" 14 | resources: 15 | - configmaps 16 | - services 17 | - pods 18 | verbs: 19 | - get 20 | - list 21 | - watch 22 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/k8s-keystone-auth/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: system:{{ include "k8s-keystone-auth.fullname" . }} 5 | labels: 6 | {{- include "k8s-keystone-auth.labels" . | nindent 4 }} 7 | {{- with .Values.serviceAccount.annotations }} 8 | annotations: 9 | rbac.authorization.kubernetes.io/autoupdate: "true" 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: system:{{ include "k8s-keystone-auth.fullname" . }} 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ include "k8s-keystone-auth.serviceAccountName" . }} 19 | namespace: {{ .Release.Namespace }} 20 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/k8s-keystone-auth/templates/configmap-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "k8s-keystone-auth.fullname" . }}-policy 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | {{- include "k8s-keystone-auth.labels" . | nindent 4 }} 8 | data: 9 | policies: {{ toJson .Values.conf.policy | quote }} 10 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/k8s-keystone-auth/templates/configmap-sync.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "k8s-keystone-auth.fullname" . 
}}-sync 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | {{- include "k8s-keystone-auth.labels" . | nindent 4 }} 8 | data: 9 | syncConfig: | 10 | {{ .Values.conf.sync_config | indent 4 }} 11 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/k8s-keystone-auth/templates/secret-ca.yaml: -------------------------------------------------------------------------------- 1 | {{- if not (empty .Values.conf.ca_cert) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "k8s-keystone-auth.fullname" . }}-ca 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "k8s-keystone-auth.labels" . | nindent 4 }} 9 | stringData: 10 | cloud_ca.crt: | 11 | {{ .Values.conf.ca_cert | indent 4 }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/k8s-keystone-auth/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "k8s-keystone-auth.fullname" . }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | {{- include "k8s-keystone-auth.labels" . | nindent 4 }} 8 | spec: 9 | type: {{ .Values.service.type }} 10 | ports: 11 | - port: {{ .Values.service.port }} 12 | targetPort: {{ .Values.service.port }} 13 | protocol: TCP 14 | name: https 15 | selector: 16 | {{- include "k8s-keystone-auth.selectorLabels" . | nindent 4 }} 17 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/k8s-keystone-auth/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: {{ include "k8s-keystone-auth.serviceAccountName" . }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | {{- include "k8s-keystone-auth.labels" . 
| nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | automountServiceAccountToken: {{ .Values.serviceAccount.automount }} 13 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cinder-csi/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cinder-csi/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: v1.32.0 3 | description: Cinder CSI Chart for OpenStack 4 | home: https://github.com/kubernetes/cloud-provider-openstack 5 | icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png 6 | maintainers: 7 | - email: mnasiadka@gmail.com 8 | name: mnasiadka 9 | - email: matt@stackhpc.com 10 | name: mkjpryor 11 | name: openstack-cinder-csi 12 | version: 2.32.0 13 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cinder-csi/README.md: -------------------------------------------------------------------------------- 1 | # Cinder CSI volume provisioner 2 | 3 | Deploys a Cinder csi provisioner to your cluster, with the appropriate storageClass. 
4 | 5 | ## How To install 6 | - Enable deployment of storageclasses using `storageClass.enabled` 7 | - Tag the retain or delete class as default class using `storageClass.delete.isDefault` in your value yaml 8 | - Set `storageClass..allowVolumeExpansion` to `true` or `false` 9 | 10 | First add the repo: 11 | 12 | helm repo add cpo https://kubernetes.github.io/cloud-provider-openstack 13 | helm repo update 14 | 15 | If you are using Helm v3: 16 | 17 | helm install cinder-csi cpo/openstack-cinder-csi 18 | 19 | If you are using Helm v2: 20 | 21 | helm install --name cinder-csi cpo/openstack-cinder-csi 22 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cinder-csi/requirements.lock: -------------------------------------------------------------------------------- 1 | dependencies: [] 2 | digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726 3 | generated: "0001-01-01T00:00:00Z" 4 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cinder-csi/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Use the following storageClass csi-cinder-sc-retain and csi-cinder-sc-delete only for RWO volumes. 
-------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cinder-csi/templates/cinder-csi-driver.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: CSIDriver 3 | metadata: 4 | name: cinder.csi.openstack.org 5 | spec: 6 | attachRequired: true 7 | podInfoOnMount: true 8 | volumeLifecycleModes: 9 | - Persistent 10 | - Ephemeral 11 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cinder-csi/templates/controllerplugin-podmonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.csi.plugin.podMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PodMonitor 4 | metadata: 5 | labels: 6 | {{- include "cinder-csi.controllerplugin.labels" . | nindent 4 }} 7 | {{- if .Values.csi.plugin.podMonitor.additionalLabels }} 8 | {{- toYaml .Values.csi.plugin.podMonitor.additionalLabels | nindent 4 }} 9 | {{- end }} 10 | name: {{ include "cinder-csi.name" . }}-controllerplugin 11 | namespace: {{ .Release.Namespace }} 12 | annotations: 13 | {{- with .Values.commonAnnotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | spec: 17 | podMetricsEndpoints: 18 | - interval: 30s 19 | port: http 20 | scheme: http 21 | jobLabel: component 22 | selector: 23 | matchLabels: 24 | {{- include "cinder-csi.controllerplugin.matchLabels" . 
| nindent 6 }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cinder-csi/templates/custom_storageclass.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.storageClass.custom -}} 2 | {{ .Values.storageClass.custom }} 3 | {{- end }} 4 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cinder-csi/templates/nodeplugin-rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: csi-cinder-node-sa 5 | namespace: {{ .Release.Namespace }} 6 | --- 7 | kind: ClusterRole 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | metadata: 10 | name: csi-nodeplugin-role 11 | rules: 12 | - apiGroups: [""] 13 | resources: ["events"] 14 | verbs: ["get", "list", "watch", "create", "update", "patch"] 15 | 16 | --- 17 | kind: ClusterRoleBinding 18 | apiVersion: rbac.authorization.k8s.io/v1 19 | metadata: 20 | name: csi-nodeplugin-binding 21 | subjects: 22 | - kind: ServiceAccount 23 | name: csi-cinder-node-sa 24 | namespace: {{ .Release.Namespace }} 25 | roleRef: 26 | kind: ClusterRole 27 | name: csi-nodeplugin-role 28 | apiGroup: rbac.authorization.k8s.io 29 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cinder-csi/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (.Values.secret.create) (.Values.secret.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ .Values.secret.name }} 6 | namespace: {{ .Release.Namespace }} 7 | type: Opaque 8 | stringData: 9 | {{ .Values.secret.data | toYaml | trimSuffix "\n" | nindent 2 }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- 
/magnum_cluster_api/charts/openstack-cinder-csi/templates/storageclass.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.storageClass.enabled }} 2 | apiVersion: storage.k8s.io/v1 3 | kind: StorageClass 4 | metadata: 5 | name: csi-cinder-sc-delete 6 | {{- if .Values.storageClass.delete.isDefault }} 7 | annotations: 8 | storageclass.kubernetes.io/is-default-class: "true" 9 | {{- end }} 10 | provisioner: cinder.csi.openstack.org 11 | reclaimPolicy: Delete 12 | allowVolumeExpansion: {{ .Values.storageClass.delete.allowVolumeExpansion }} 13 | --- 14 | apiVersion: storage.k8s.io/v1 15 | kind: StorageClass 16 | metadata: 17 | name: csi-cinder-sc-retain 18 | {{- if .Values.storageClass.retain.isDefault }} 19 | annotations: 20 | storageclass.kubernetes.io/is-default-class: "true" 21 | {{- end }} 22 | provisioner: cinder.csi.openstack.org 23 | reclaimPolicy: Retain 24 | allowVolumeExpansion: {{ .Values.storageClass.retain.allowVolumeExpansion }} 25 | {{- end }} -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: common 3 | repository: https://charts.bitnami.com/bitnami 4 | version: 2.14.1 5 | digest: sha256:ac04d66e6abb3cfc89f4c10e49d79770c352c510744bc51e3595937721b7f41a 6 | generated: "2025-02-26T08:14:46.884339222Z" 7 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: v1.32.0 3 | dependencies: 4 | - name: common 5 | repository: https://charts.bitnami.com/bitnami 6 | version: 2.14.1 7 | description: Openstack Cloud Controller Manager Helm Chart 8 | home: 
https://github.com/kubernetes/cloud-provider-openstack 9 | icon: https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/OpenStack-Logo-Vertical.png 10 | maintainers: 11 | - email: f.kloeker@telekom.de 12 | name: eumel8 13 | url: https://www.telekom.com 14 | name: openstack-cloud-controller-manager 15 | version: 2.32.0 16 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/charts/common/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/charts/common/Chart.yaml: -------------------------------------------------------------------------------- 1 | annotations: 2 | category: Infrastructure 3 | licenses: Apache-2.0 4 | apiVersion: v2 5 | appVersion: 2.14.1 6 | description: A Library Helm Chart for grouping common logic between bitnami charts. 7 | This chart is not deployable by itself. 8 | home: https://bitnami.com 9 | icon: https://bitnami.com/downloads/logos/bitnami-mark.png 10 | keywords: 11 | - common 12 | - helper 13 | - template 14 | - function 15 | - bitnami 16 | maintainers: 17 | - name: VMware, Inc. 
18 | url: https://github.com/bitnami/charts 19 | name: common 20 | sources: 21 | - https://github.com/bitnami/charts 22 | type: library 23 | version: 2.14.1 24 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/charts/common/templates/_storage.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright VMware, Inc. 3 | SPDX-License-Identifier: APACHE-2.0 4 | */}} 5 | 6 | {{/* vim: set filetype=mustache: */}} 7 | {{/* 8 | Return the proper Storage Class 9 | {{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} 10 | */}} 11 | {{- define "common.storage.class" -}} 12 | 13 | {{- $storageClass := .persistence.storageClass -}} 14 | {{- if .global -}} 15 | {{- if .global.storageClass -}} 16 | {{- $storageClass = .global.storageClass -}} 17 | {{- end -}} 18 | {{- end -}} 19 | 20 | {{- if $storageClass -}} 21 | {{- if (eq "-" $storageClass) -}} 22 | {{- printf "storageClassName: \"\"" -}} 23 | {{- else }} 24 | {{- printf "storageClassName: %s" $storageClass -}} 25 | {{- end -}} 26 | {{- end -}} 27 | 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/charts/common/templates/_tplvalues.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright VMware, Inc. 3 | SPDX-License-Identifier: APACHE-2.0 4 | */}} 5 | 6 | {{/* vim: set filetype=mustache: */}} 7 | {{/* 8 | Renders a value that contains template perhaps with scope if the scope is present. 
9 | Usage: 10 | {{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} 11 | {{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} 12 | */}} 13 | {{- define "common.tplvalues.render" -}} 14 | {{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} 15 | {{- if contains "{{" (toJson .value) }} 16 | {{- if .scope }} 17 | {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} 18 | {{- else }} 19 | {{- tpl $value .context }} 20 | {{- end }} 21 | {{- else }} 22 | {{- $value }} 23 | {{- end }} 24 | {{- end -}} 25 | 26 | {{/* 27 | Merge a list of values that contains template after rendering them. 28 | Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge 29 | Usage: 30 | {{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} 31 | */}} 32 | {{- define "common.tplvalues.merge" -}} 33 | {{- $dst := dict -}} 34 | {{- range .values -}} 35 | {{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} 36 | {{- end -}} 37 | {{ $dst | toYaml }} 38 | {{- end -}} 39 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/charts/common/templates/_warnings.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright VMware, Inc. 3 | SPDX-License-Identifier: APACHE-2.0 4 | */}} 5 | 6 | {{/* vim: set filetype=mustache: */}} 7 | {{/* 8 | Warning about using rolling tag. 
9 | Usage: 10 | {{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} 11 | */}} 12 | {{- define "common.warnings.rollingTag" -}} 13 | 14 | {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} 15 | WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. 16 | +info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ 17 | {{- end }} 18 | 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/charts/common/values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright VMware, Inc. 2 | # SPDX-License-Identifier: APACHE-2.0 3 | 4 | ## bitnami/common 5 | ## It is required by CI/CD tools and processes. 6 | ## @skip exampleValue 7 | ## 8 | exampleValue: common-chart 9 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/requirements.lock: -------------------------------------------------------------------------------- 1 | dependencies: [] 2 | digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726 3 | generated: "0001-01-01T00:00:00Z" 4 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ .Values.clusterRoleName }} 5 | labels: {{- include "common.labels.standard" . | nindent 4 }} 6 | annotations: 7 | {{- with .Values.commonAnnotations }} 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | rules: 11 | - apiGroups: 12 | - coordination.k8s.io 13 | resources: 14 | - leases 15 | verbs: 16 | - get 17 | - create 18 | - update 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - events 23 | verbs: 24 | - create 25 | - patch 26 | - update 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - nodes 31 | verbs: 32 | - '*' 33 | - apiGroups: 34 | - "" 35 | resources: 36 | - nodes/status 37 | verbs: 38 | - patch 39 | - apiGroups: 40 | - "" 41 | resources: 42 | - services 43 | verbs: 44 | - list 45 | - patch 46 | - update 47 | - watch 48 | - apiGroups: 49 | - "" 50 | resources: 51 | - services/status 52 | verbs: 53 | - patch 54 | - apiGroups: 55 | - "" 56 | resources: 57 | - serviceaccounts/token 58 | verbs: 59 | - create 60 | - apiGroups: 61 | - "" 62 | resources: 63 | - serviceaccounts 64 | verbs: 65 | - create 66 | - get 67 | - apiGroups: 68 | - "" 69 | resources: 70 | - persistentvolumes 71 | verbs: 72 | - '*' 73 | - apiGroups: 74 | - "" 75 | resources: 76 | - endpoints 77 | verbs: 78 | - create 79 | - get 80 | - list 81 | - watch 82 | - update 83 | - apiGroups: 84 | - "" 85 | resources: 86 | - configmaps 87 | verbs: 88 | - get 89 | - list 90 | - watch 91 | - apiGroups: 92 | - "" 93 | resources: 94 | - secrets 95 | verbs: 96 | - list 97 | - get 98 | - watch 99 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/templates/clusterrolebinding-sm.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceMonitor.enabled }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: system:{{ include "occm.name" . }}:auth-delegate 6 | labels: {{- include "common.labels.standard" . | nindent 4 }} 7 | annotations: 8 | {{- with .Values.commonAnnotations }} 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | subjects: 12 | - kind: User 13 | name: system:serviceaccount:{{ .Release.Namespace }}:{{ include "occm.name" . }} 14 | apiGroup: rbac.authorization.k8s.io 15 | roleRef: 16 | kind: ClusterRole 17 | name: system:auth-delegator 18 | apiGroup: rbac.authorization.k8s.io 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ .Values.clusterRoleName }} 6 | labels: {{- include "common.labels.standard" . | nindent 4 }} 7 | annotations: 8 | {{- with .Values.commonAnnotations }} 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ .Values.clusterRoleName }} 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ .Values.serviceAccountName }} 18 | namespace: {{ .Release.Namespace | quote }} 19 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (.Values.secret.create) (.Values.secret.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ .Values.secret.name | default "cloud-config" }} 6 | labels: {{- include "common.labels.standard" . | nindent 4 }} 7 | namespace: {{ .Release.Namespace }} 8 | annotations: 9 | {{- with .Values.commonAnnotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | type: Opaque 13 | data: 14 | {{ if .Values.cloudConfigContents -}} 15 | cloud.conf: | 16 | {{ .Values.cloudConfigContents | b64enc }} 17 | {{ else -}} 18 | cloud.conf: {{ include "cloudConfig" . 
| b64enc }} 19 | {{ end -}} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/templates/service-sm.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceMonitor.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "occm.name" . }} 6 | labels: {{- include "common.labels.standard" . | nindent 4 }} 7 | namespace: {{ .Release.Namespace }} 8 | annotations: 9 | {{- with .Values.commonAnnotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | spec: 13 | ports: 14 | - name: http 15 | port: 10258 16 | protocol: TCP 17 | selector: 18 | {{- include "occm.controllermanager.matchLabels" . | nindent 4 }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: {{ .Values.serviceAccountName }} 5 | labels: {{- include "common.labels.standard" . | nindent 4 }} 6 | namespace: {{ .Release.Namespace }} 7 | annotations: 8 | {{- with .Values.commonAnnotations }} 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-cloud-controller-manager/templates/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: {{ include "occm.name" . }} 6 | labels: 7 | {{- include "common.labels.standard" . 
| nindent 4 }} 8 | {{- if .Values.serviceMonitor.additionalLabels }} 9 | {{- toYaml .Values.serviceMonitor.additionalLabels | nindent 4 }} 10 | {{- end }} 11 | namespace: {{ .Release.Namespace }} 12 | annotations: 13 | {{- with .Values.commonAnnotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | spec: 17 | endpoints: 18 | - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token 19 | interval: 30s 20 | port: http 21 | scheme: https 22 | tlsConfig: 23 | insecureSkipVerify: true 24 | jobLabel: component 25 | selector: 26 | matchLabels: 27 | {{- include "occm.controllermanager.matchLabels" . | nindent 6 }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: v1.32.0 3 | description: Manila CSI Chart for OpenStack 4 | home: http://github.com/kubernetes/cloud-provider-openstack 5 | icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png 6 | maintainers: 7 | - email: mnasiadka@gmail.com 8 | name: mnasiadka 9 | - email: matt@stackhpc.com 10 | name: mkjpryor 11 | name: openstack-manila-csi 12 | version: 2.32.0 13 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/README.md: -------------------------------------------------------------------------------- 1 | # Manila CSI provisioner 2 | 3 | First add the repo: 4 | 5 | helm repo add cpo https://kubernetes.github.io/cloud-provider-openstack 6 | helm repo update 7 | 8 | If you are using Helm v3: 9 | 10 | helm install manila-csi cpo/openstack-manila-csi 11 | 12 | If you are using Helm v2: 13 | 14 | helm install --name manila-csi cpo/openstack-manila-csi 15 | -------------------------------------------------------------------------------- 
/magnum_cluster_api/charts/openstack-manila-csi/requirements.lock: -------------------------------------------------------------------------------- 1 | dependencies: [] 2 | digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726 3 | generated: "0001-01-01T00:00:00Z" 4 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/controllerplugin-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: {{ include "openstack-manila-csi.controllerplugin.fullname" . }} 5 | labels: 6 | {{- include "openstack-manila-csi.controllerplugin.labels" . | nindent 4 }} 7 | aggregationRule: 8 | clusterRoleSelectors: 9 | - matchLabels: 10 | rbac.manila.csi.openstack.org/aggregate-to-controller-{{ include "openstack-manila-csi.name" . }}: "true" 11 | rules: [] 12 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/controllerplugin-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: {{ include "openstack-manila-csi.controllerplugin.fullname" . }} 5 | labels: 6 | {{- include "openstack-manila-csi.controllerplugin.labels" . | nindent 4 }} 7 | subjects: 8 | - kind: ServiceAccount 9 | name: {{ include "openstack-manila-csi.serviceAccountName.controllerplugin" . }} 10 | namespace: {{ .Release.Namespace }} 11 | roleRef: 12 | kind: ClusterRole 13 | name: {{ include "openstack-manila-csi.controllerplugin.fullname" . 
}} 14 | apiGroup: rbac.authorization.k8s.io 15 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/controllerplugin-role.yaml: -------------------------------------------------------------------------------- 1 | kind: Role 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: {{ include "openstack-manila-csi.controllerplugin.fullname" . }} 5 | labels: 6 | {{- include "openstack-manila-csi.controllerplugin.labels" . | nindent 4 }} 7 | namespace: {{ .Release.Namespace }} 8 | rules: 9 | - apiGroups: [""] 10 | resources: ["endpoints"] 11 | verbs: ["get", "watch", "list", "delete", "update", "create"] 12 | - apiGroups: [""] 13 | resources: ["configmaps"] 14 | verbs: ["get", "list", "watch", "create", "delete"] 15 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/controllerplugin-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: {{ include "openstack-manila-csi.controllerplugin.fullname" . }} 5 | labels: 6 | {{- include "openstack-manila-csi.controllerplugin.labels" . | nindent 4 }} 7 | namespace: {{ .Release.Namespace }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ include "openstack-manila-csi.serviceAccountName.controllerplugin" . }} 11 | namespace: {{ .Release.Namespace }} 12 | roleRef: 13 | kind: Role 14 | name: {{ include "openstack-manila-csi.controllerplugin.fullname" . 
}} 15 | apiGroup: rbac.authorization.k8s.io 16 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/controllerplugin-service.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: {{ include "openstack-manila-csi.controllerplugin.fullname" . }} 5 | labels: 6 | {{- include "openstack-manila-csi.controllerplugin.labels" . | nindent 4 }} 7 | namespace: {{ .Release.Namespace }} 8 | spec: 9 | selector: 10 | app: {{ include "openstack-manila-csi.name" . }} 11 | component: {{ .Values.controllerplugin.name }} 12 | release: {{ .Release.Name }} 13 | ports: 14 | - name: dummy 15 | port: 12345 16 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/controllerplugin-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: {{ include "openstack-manila-csi.serviceAccountName.controllerplugin" . }} 5 | labels: 6 | {{- include "openstack-manila-csi.controllerplugin.labels" . 
| nindent 4 }} 7 | namespace: {{ .Release.Namespace }} 8 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/csidriver.yaml: -------------------------------------------------------------------------------- 1 | {{- range .Values.shareProtocols }} 2 | apiVersion: storage.k8s.io/v1 3 | kind: CSIDriver 4 | metadata: 5 | name: {{ printf "%s.%s" .protocolSelector $.Values.driverName | lower }} 6 | spec: 7 | attachRequired: false 8 | podInfoOnMount: false 9 | fsGroupPolicy: {{ printf "%s" .fsGroupPolicy }} 10 | --- 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/nodeplugin-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: {{ include "openstack-manila-csi.nodeplugin.fullname" . }} 5 | labels: 6 | {{- include "openstack-manila-csi.nodeplugin.labels" . | nindent 4 }} 7 | aggregationRule: 8 | clusterRoleSelectors: 9 | - matchLabels: 10 | rbac.manila.csi.openstack.org/aggregate-to-nodeplugin-{{ include "openstack-manila-csi.name" . }}: "true" 11 | rules: [] 12 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/nodeplugin-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: {{ include "openstack-manila-csi.nodeplugin.fullname" . }} 5 | labels: 6 | {{- include "openstack-manila-csi.nodeplugin.labels" . | nindent 4 }} 7 | subjects: 8 | - kind: ServiceAccount 9 | name: {{ include "openstack-manila-csi.serviceAccountName.nodeplugin" . 
}} 10 | namespace: {{ .Release.Namespace }} 11 | roleRef: 12 | kind: ClusterRole 13 | name: {{ include "openstack-manila-csi.nodeplugin.fullname" . }} 14 | apiGroup: rbac.authorization.k8s.io 15 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/nodeplugin-rules-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: {{ include "openstack-manila-csi.nodeplugin.fullname" . }}-rules 5 | labels: 6 | {{- include "openstack-manila-csi.nodeplugin.labels" . | nindent 4 }} 7 | rbac.manila.csi.openstack.org/aggregate-to-nodeplugin-{{ include "openstack-manila-csi.name" . }}: "true" 8 | rules: 9 | - apiGroups: [""] 10 | resources: ["configmaps"] 11 | verbs: ["get", "list"] 12 | - apiGroups: [""] 13 | resources: ["nodes"] 14 | verbs: ["get", "list", "update"] 15 | - apiGroups: [""] 16 | resources: ["namespaces"] 17 | verbs: ["get", "list"] 18 | - apiGroups: [""] 19 | resources: ["persistentvolumes"] 20 | verbs: ["get", "list", "watch", "update"] 21 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/nodeplugin-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: {{ include "openstack-manila-csi.serviceAccountName.nodeplugin" . }} 5 | labels: 6 | {{- include "openstack-manila-csi.nodeplugin.labels" . 
| nindent 4 }} 7 | namespace: {{ .Release.Namespace }} 8 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/openstack-manila-csi/templates/runtimeconfig-cm.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.csimanila.runtimeConfig.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: manila-csi-runtimeconf-cm 6 | namespace: {{ .Release.Namespace }} 7 | data: 8 | runtimeconfig.json: |- 9 | {{ .Values.csimanila.runtimeConfig.jsonData | indent 4 }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /magnum_cluster_api/charts/patches/cluster-autoscaler/001-add-omt-to-clusterrole.patch: -------------------------------------------------------------------------------- 1 | diff --git a/cluster-autoscaler/templates/clusterrole.yaml b/cluster-autoscaler/templates/clusterrole.yaml 2 | index 4ef2782..fb1dc2a 100644 3 | --- a/cluster-autoscaler/templates/clusterrole.yaml 4 | +++ b/cluster-autoscaler/templates/clusterrole.yaml 5 | 
@@ -170,5 +170,14 @@ rules: 6 | - list 7 | - update 8 | - watch 9 | + - apiGroups: 10 | + - infrastructure.cluster.x-k8s.io 11 | + resources: 12 | + - openstackmachinetemplates 13 | + verbs: 14 | + - get 15 | + - list 16 | + - update 17 | + - watch 18 | {{- end }} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /magnum_cluster_api/cmd/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/magnum_cluster_api/cmd/__init__.py -------------------------------------------------------------------------------- /magnum_cluster_api/cmd/proxy.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 VEXXHOST, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 
14 | 15 | from oslo_config import cfg 16 | from oslo_log import log as logging 17 | 18 | from magnum_cluster_api import service 19 | from magnum_cluster_api.proxy import manager 20 | 21 | CONF = cfg.CONF 22 | 23 | 24 | def main(): 25 | logging.register_options(CONF) 26 | logging.setup(CONF, "magnum-cluster-api-proxy") 27 | 28 | server = service.Service(manager=manager.ProxyManager) 29 | service.serve(server) 30 | service.wait() 31 | -------------------------------------------------------------------------------- /magnum_cluster_api/images.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 VEXXHOST, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | 15 | import semver 16 | 17 | from magnum_cluster_api import conf 18 | 19 | CONF = conf.CONF 20 | 21 | PAUSE = "registry.k8s.io/pause:3.9" 22 | 23 | 24 | def get_cluster_autoscaler_image(version: str): 25 | parsed_version = semver.VersionInfo.parse(version[1:]) 26 | config_option = f"v{parsed_version.major}_{parsed_version.minor}_image" 27 | 28 | if hasattr(CONF.auto_scaling, config_option): 29 | return getattr(CONF.auto_scaling, config_option) 30 | 31 | raise ValueError( 32 | f"Unsupported Kubernetes version: {version}. " 33 | "Please specify a supported version in the cluster template." 
34 | ) 35 | -------------------------------------------------------------------------------- /magnum_cluster_api/integrations/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/magnum_cluster_api/integrations/__init__.py -------------------------------------------------------------------------------- /magnum_cluster_api/integrations/manila.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 VEXXHOST, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 
14 | 15 | from magnum import objects 16 | 17 | from magnum_cluster_api.integrations import common 18 | 19 | 20 | def is_enabled(cluster: objects.Cluster) -> bool: 21 | return common.is_enabled( 22 | cluster, "manila_csi_enabled", "sharev2" 23 | ) or common.is_enabled(cluster, "manila_csi_enabled", "share") 24 | 25 | 26 | def get_image(cluster: objects.Cluster) -> str: 27 | return common.get_cloud_provider_image( 28 | cluster, "manila_csi_plugin_tag", "manila-csi-plugin" 29 | ) 30 | -------------------------------------------------------------------------------- /magnum_cluster_api/manifests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/magnum_cluster_api/manifests/__init__.py -------------------------------------------------------------------------------- /magnum_cluster_api/manifests/nfs-csi/csi-nfs-driverinfo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: CSIDriver 3 | metadata: 4 | name: nfs.csi.k8s.io 5 | spec: 6 | attachRequired: false 7 | fsGroupPolicy: File 8 | volumeLifecycleModes: 9 | - Persistent 10 | -------------------------------------------------------------------------------- /magnum_cluster_api/privsep/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 VEXXHOST, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | 15 | from oslo_privsep import capabilities, priv_context 16 | 17 | haproxy_pctxt = priv_context.PrivContext( 18 | __name__, 19 | cfg_section="magnum_cluster_api_haproxy", 20 | pypath=__name__ + ".haproxy_pctxt", 21 | capabilities=[capabilities.CAP_NET_ADMIN], 22 | ) 23 | -------------------------------------------------------------------------------- /magnum_cluster_api/privsep/haproxy.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 VEXXHOST, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 
14 | 15 | import os 16 | import signal 17 | import subprocess 18 | 19 | from oslo_log import log as logging 20 | 21 | import magnum_cluster_api.privsep 22 | from magnum_cluster_api import conf 23 | 24 | CONF = conf.CONF 25 | LOG = logging.getLogger(__name__) 26 | 27 | 28 | @magnum_cluster_api.privsep.haproxy_pctxt.entrypoint 29 | def start(config_file): 30 | proc = subprocess.Popen(["haproxy", "-f", config_file]) 31 | 32 | try: 33 | retcode = proc.wait(timeout=5) 34 | if retcode != 0: 35 | LOG.error("HAproxy failed to start") 36 | except subprocess.TimeoutExpired: 37 | LOG.info("HAproxy started successfully") 38 | 39 | return proc.pid 40 | 41 | 42 | @magnum_cluster_api.privsep.haproxy_pctxt.entrypoint 43 | def reload(): 44 | """Reload HAproxy configuration""" 45 | 46 | with open(CONF.proxy.haproxy_pid_path, "r") as fd: 47 | pid = int(fd.read().strip()) 48 | 49 | os.kill(pid, signal.SIGUSR2) 50 | -------------------------------------------------------------------------------- /magnum_cluster_api/proxy/templates/haproxy.cfg.j2: -------------------------------------------------------------------------------- 1 | global 2 | master-worker 3 | log stdout format raw local0 4 | stats socket /var/run/haproxy.sock mode 666 expose-fd listeners level user 5 | pidfile {{ pid_file }} 6 | 7 | defaults 8 | log global 9 | timeout connect 5s 10 | timeout client 10s 11 | timeout server 10s 12 | 13 | frontend magnum 14 | bind {{ bind }}:{{ port }} 15 | tcp-request inspect-delay 5s 16 | tcp-request content accept if { req.ssl_hello_type 1 } 17 | use_backend %[req.ssl_sni,lower] 18 | 19 | {% for cluster in clusters -%} 20 | backend {{ cluster.name }}.magnum-system 21 | server apiserver {{ cluster.internal_ip }}:6443 namespace {{ cluster.namespace }} check 22 | {% endfor %} 23 | -------------------------------------------------------------------------------- /magnum_cluster_api/service.py: -------------------------------------------------------------------------------- 1 | # Copyright 
(c) 2023 VEXXHOST, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | 15 | from oslo_config import cfg # type: ignore 16 | from oslo_context import context # type: ignore 17 | from oslo_service import service # type: ignore 18 | 19 | CONF = cfg.CONF 20 | 21 | 22 | class Service(service.Service): 23 | def __init__(self, manager): 24 | super(Service, self).__init__() 25 | self.manager = manager() 26 | 27 | def start(self): 28 | self.tg.add_dynamic_timer(self.periodic_tasks) 29 | 30 | def periodic_tasks(self, raise_on_error=False): 31 | ctxt = context.get_admin_context() 32 | return self.manager.periodic_tasks(ctxt, raise_on_error=raise_on_error) 33 | 34 | 35 | # NOTE: the global launcher is to maintain the existing 36 | # functionality of calling service.serve + 37 | # service.wait 38 | _launcher = None 39 | 40 | 41 | def serve(server, workers=None): 42 | global _launcher 43 | if _launcher: 44 | raise RuntimeError("serve() can only be called once") 45 | 46 | _launcher = service.launch(CONF, server, workers=workers, restart_method="mutate") 47 | 48 | 49 | def wait(): 50 | _launcher.wait() 51 | -------------------------------------------------------------------------------- /magnum_cluster_api/sync.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2024 VEXXHOST, Inc. 
2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | 15 | import sherlock # type: ignore 16 | 17 | 18 | class ClusterLock(sherlock.KubernetesLock): 19 | """ 20 | A cluster lock that is used to lock the cluster for any operations 21 | across all of the conductor nodes. 22 | """ 23 | 24 | DEFAULT_EXPIRE: int = 60 25 | 26 | def __init__(self, cluster_id: str, expire: int = DEFAULT_EXPIRE): 27 | sherlock.configure( 28 | backend=sherlock.backends.KUBERNETES, 29 | retry_interval=1, 30 | ) 31 | 32 | super().__init__( 33 | lock_name="cluster-%s" % cluster_id, 34 | k8s_namespace="magnum-system", 35 | expire=expire, 36 | ) 37 | -------------------------------------------------------------------------------- /magnum_cluster_api/tests/functional/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/magnum_cluster_api/tests/functional/__init__.py -------------------------------------------------------------------------------- /magnum_cluster_api/tests/functional/conftest.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 VEXXHOST, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. 
You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | 15 | import pytest 16 | 17 | from magnum_cluster_api import objects 18 | 19 | 20 | @pytest.fixture 21 | def cluster( 22 | context, 23 | cluster_obj, 24 | ubuntu_driver, 25 | mock_validate_cluster, 26 | mock_osc, 27 | mock_certificates, 28 | ): 29 | try: 30 | ubuntu_driver.create_cluster(context, cluster_obj, 60) 31 | 32 | cluster_resource = objects.Cluster.for_magnum_cluster( 33 | ubuntu_driver.k8s_api, cluster_obj 34 | ) 35 | cluster_resource.wait_for_observed_generation_changed( 36 | existing_observed_generation=1 37 | ) 38 | 39 | cluster_obj.save.assert_called_once() 40 | cluster_obj.save.reset_mock() 41 | 42 | yield cluster_obj 43 | finally: 44 | ubuntu_driver.delete_cluster(context, cluster_obj) 45 | -------------------------------------------------------------------------------- /magnum_cluster_api/tests/unit/test_sync.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2024 VEXXHOST, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | 15 | from unittest import TestCase, mock 16 | 17 | from oslo_utils import uuidutils 18 | 19 | from magnum_cluster_api.sync import ClusterLock 20 | 21 | 22 | @mock.patch("kubernetes.config.load_config") 23 | class ClusterLockTestCase(TestCase): 24 | def test_cluster_lock_init_with_no_expire(self, mock_load_config): 25 | cluster_id = uuidutils.generate_uuid() 26 | 27 | lock = ClusterLock(cluster_id) 28 | 29 | self.assertEqual(lock.lock_name, "cluster-%s" % cluster_id) 30 | self.assertEqual(lock.k8s_namespace, "magnum-system") 31 | self.assertEqual(lock.expire, ClusterLock.DEFAULT_EXPIRE) 32 | 33 | def test_cluster_lock_init_with_expire(self, mock_load_config): 34 | cluster_id = uuidutils.generate_uuid() 35 | expire = 60 36 | 37 | lock = ClusterLock(cluster_id, expire) 38 | 39 | self.assertEqual(lock.lock_name, "cluster-%s" % cluster_id) 40 | self.assertEqual(lock.k8s_namespace, "magnum-system") 41 | self.assertEqual(lock.expire, expire) 42 | -------------------------------------------------------------------------------- /mkdocs.yml: -------------------------------------------------------------------------------- 1 | site_name: Cluster API driver for Magnum 2 | theme: 3 | name: material 4 | features: 5 | - content.tabs.link 6 | - navigation.tracking 7 | markdown_extensions: 8 | - admonition 9 | - def_list 10 | - pymdownx.details 11 | - pymdownx.superfences 12 | - pymdownx.tabbed: 13 | alternate_style: true 14 | plugins: 15 | - literate-nav: 16 | nav_file: SUMMARY.md 17 | copyright: Cluster API driver for Magnum is a community effort led by VEXXHOST, Inc. 
18 | -------------------------------------------------------------------------------- /registry/config.yml: -------------------------------------------------------------------------------- 1 | version: 0.1 2 | log: 3 | fields: 4 | service: registry 5 | storage: 6 | cache: 7 | blobdescriptor: inmemory 8 | filesystem: 9 | rootdirectory: /var/lib/registry 10 | http: 11 | addr: :5000 12 | headers: 13 | X-Content-Type-Options: [nosniff] 14 | health: 15 | storagedriver: 16 | enabled: true 17 | interval: 10s 18 | threshold: 3 19 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "local>vexxhost/.github" 5 | ], 6 | "baseBranches": [ 7 | "main" 8 | ], 9 | "packageRules": [ 10 | { 11 | "enabled": false, 12 | "matchFileNames": [ 13 | "magnum_cluster_api/charts/**" 14 | ] 15 | }, 16 | { 17 | "groupName": "pyo3", 18 | "matchPackageNames": [ 19 | "pyo3", 20 | "pyo3-async-runtimes", 21 | "pyo3-log", 22 | "pythonize" 23 | ] 24 | }, 25 | { 26 | "groupName": "kube-rs", 27 | "matchPackageNames": [ 28 | "kube", 29 | "k8s-openapi" 30 | ] 31 | } 32 | ], 33 | "customManagers": [ 34 | { 35 | "customType": "regex", 36 | "fileMatch": [ 37 | "magnum_cluster_api/resources.py" 38 | ], 39 | "matchStrings": [ 40 | "CALICO_TAG = \"v(?.*?)\"" 41 | ], 42 | "datasourceTemplate": "github-releases", 43 | "depNameTemplate": "projectcalico/calico", 44 | "depTypeTemplate": "requires", 45 | "versioningTemplate": "semver", 46 | "autoReplaceStringTemplate": "CALICO_TAG = \"v{{{newValue}}}\"" 47 | } 48 | ] 49 | } 50 | -------------------------------------------------------------------------------- /setup.cfg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/vexxhost/magnum-cluster-api/01cabe9663679f4da61e5a6762e3f80923196e7f/setup.cfg -------------------------------------------------------------------------------- /src/addons/csi.rs: -------------------------------------------------------------------------------- 1 | use crate::addons::ImageDetails; 2 | use serde::{Deserialize, Serialize}; 3 | 4 | #[derive(Debug, Deserialize, PartialEq, Serialize)] 5 | pub struct CSIComponent { 6 | pub image: ImageDetails, 7 | } 8 | -------------------------------------------------------------------------------- /src/clients/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod kubernetes; 2 | -------------------------------------------------------------------------------- /src/cluster_api/mod.rs: -------------------------------------------------------------------------------- 1 | #![allow(clippy::all)] 2 | pub mod clusterclasses; 3 | pub mod clusterresourcesets; 4 | pub mod clusters; 5 | pub mod kubeadmconfigtemplates; 6 | pub mod kubeadmcontrolplane; 7 | pub mod kubeadmcontrolplanetemplates; 8 | pub mod machines; 9 | pub mod openstackclustertemplates; 10 | pub mod openstackmachinetemplates; 11 | -------------------------------------------------------------------------------- /src/lib.rs: -------------------------------------------------------------------------------- 1 | mod addons; 2 | mod client; 3 | mod clients; 4 | mod cluster_api; 5 | mod driver; 6 | mod features; 7 | mod magnum; 8 | mod monitor; 9 | mod resources; 10 | 11 | use pyo3::{prelude::*, Bound}; 12 | 13 | #[pymodule] 14 | fn magnum_cluster_api(m: &Bound<'_, PyModule>) -> PyResult<()> { 15 | pyo3_log::init(); 16 | 17 | m.add_class::()?; 18 | m.add_class::()?; 19 | m.add_class::()?; 20 | 21 | Ok(()) 22 | } 23 | -------------------------------------------------------------------------------- /tools/sync-audit-policy: 
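#!/bin/bash -xe

# Copyright (c) 2023 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# Regenerates magnum_cluster_api/manifests/audit/policy.yaml by running the
# create-master-audit-policy function from upstream Kubernetes'
# cluster/gce/gci/configure-helper.sh.
#
# The upstream helper is *sourced* into this shell, so whatever file ends up
# on disk runs with this user's privileges. Two knobs keep that controllable:
#   CONFIGURE_HELPER_REF     git ref to fetch (default: master). Pin this to a
#                            commit SHA for a reproducible, reviewable run.
#   CONFIGURE_HELPER_SHA256  optional sha256 of the expected file; when set,
#                            a download that does not match is refused.

# A failing curl must not be masked by a later pipeline stage.
set -o pipefail

CONFIGURE_HELPER_REF="${CONFIGURE_HELPER_REF:-master}"
CONFIGURE_HELPER_URL="https://raw.githubusercontent.com/kubernetes/kubernetes/${CONFIGURE_HELPER_REF}/cluster/gce/gci/configure-helper.sh"

# Private temp file instead of a fixed, world-writable /tmp path: nothing else
# can pre-create, symlink or swap the file that is about to be sourced.
HELPER_FILE="$(mktemp)"
trap 'rm -f "${HELPER_FILE}"' EXIT

# --fail: an HTTP error page must never be saved and then sourced.
# --proto/--proto-redir '=https': refuse any downgrade to plain HTTP,
# including via redirects followed by --location.
curl --fail --silent --show-error --location \
    --proto '=https' --proto-redir '=https' \
    -o "${HELPER_FILE}" "${CONFIGURE_HELPER_URL}"

if [[ -n "${CONFIGURE_HELPER_SHA256:-}" ]]; then
    echo "${CONFIGURE_HELPER_SHA256}  ${HELPER_FILE}" | sha256sum --check --quiet
fi

# shellcheck disable=SC1090
source "${HELPER_FILE}"
create-master-audit-policy magnum_cluster_api/manifests/audit/policy.yaml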
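RELEASES=(
  "v1.23"
  "v1.24"
  "v1.25"
)

# Fail a pipeline when any stage fails; otherwise a failing `gh release list`
# is masked by `head`/`awk` succeeding and an empty tag is passed on below.
set -o pipefail

# Loop over all of the releases and get the latest patch release
for RELEASE in "${RELEASES[@]}"; do
  # `grep -F` matches the release string literally; as a regex the "." in
  # "v1.23" would match any character.
  # Assumes `gh release list` prints newest first and the tag is the second
  # column — TODO confirm against the installed gh version.
  LATEST_TAG=$(gh release list --repo kubernetes/kubernetes | grep -F -- "${RELEASE}" | head -n 1 | awk '{ print $2 }')
  if [[ -z "${LATEST_TAG}" ]]; then
    echo "No release tag found for ${RELEASE}" >&2
    exit 1
  fi

  magnum-cluster-api-image-builder --version "${LATEST_TAG}"
  # The /tmp/image-builder-* glob is deliberately unquoted: it is expected to
  # expand to the single working directory created by the command above.
  openstack object create --name "ubuntu-2004-${LATEST_TAG}.qcow2" magnum-capi /tmp/image-builder-*/images/capi/output/ubuntu-2004-kube-${LATEST_TAG}/ubuntu-2004-kube-${LATEST_TAG}

  # Replace the README bullet for this minor release with the new image link.
  LINE="* [${LATEST_TAG}](https://object-storage.public.mtl1.vexxhost.net/swift/v1/a91f106f55e64246babde7402c21b87a/magnum-capi/ubuntu-2004-${LATEST_TAG}.qcow2)"
  sed -i "s%* \[${RELEASE}.*%${LINE}%g" README.md
done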
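"""Sync the NFS CSI driver manifests into magnum_cluster_api/manifests/nfs-csi.

Each manifest in MANIFESTS is fetched from the kubernetes-csi/csi-driver-nfs
repository under the deploy directory for the pinned NFS_CSI_TAG, any
``kind: List`` wrapper is unwrapped into its items, and the result is written
out as a multi-document YAML file of the same name.
"""

import requests
import yaml

MANIFESTS = {
    "csi-nfs-node.yaml",
    "csi-nfs-controller.yaml",
    "csi-nfs-driverinfo.yaml",
    "rbac-csi-nfs.yaml",
}
NFS_CSI_TAG = "v4.2.0"
# Upper bound (seconds) on a stalled connection; without it requests.get()
# can block indefinitely.
HTTP_TIMEOUT = 30


def _unwrap_lists(documents):
    """Yield each document, expanding ``kind: List`` wrappers into their items.

    Empty documents (``None`` from a trailing ``---``) are skipped rather than
    failing on ``doc["kind"]``.
    """
    for doc in documents:
        if doc is None:
            continue
        if doc["kind"] == "List":
            yield from doc["items"]
        else:
            yield doc


for manifest in MANIFESTS:
    url = f"https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/deploy/{NFS_CSI_TAG}/{manifest}"  # noqa E501

    r = requests.get(url, timeout=HTTP_TIMEOUT)
    # A 404/5xx body is not a manifest; fail here instead of writing it to disk.
    r.raise_for_status()
    docs = list(_unwrap_lists(yaml.safe_load_all(r.text)))

    with open(f"magnum_cluster_api/manifests/nfs-csi/{manifest}", "w") as fd:
        yaml.dump_all(docs, fd, default_flow_style=False)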
| vars: 19 | tox_envlist: functional 20 | tox_environment: 21 | KUBECONFIG: "{{ ansible_env.HOME }}/.kube/config" 22 | -------------------------------------------------------------------------------- /zuul.d/playbooks/functional/pre.yml: -------------------------------------------------------------------------------- 1 | - hosts: all 2 | tasks: 3 | - shell: "{{ zuul.project.src_dir }}/hack/setup-kubectl.sh" 4 | - shell: "{{ zuul.project.src_dir }}/hack/setup-helm.sh" 5 | - shell: "{{ zuul.project.src_dir }}/hack/setup-docker.sh" 6 | - shell: "{{ zuul.project.src_dir }}/hack/setup-kind.sh" 7 | - shell: "{{ zuul.project.src_dir }}/hack/setup-capo.sh" 8 | -------------------------------------------------------------------------------- /zuul.d/playbooks/tox/pre.yml: -------------------------------------------------------------------------------- 1 | - hosts: all 2 | roles: 3 | - ensure-rust 4 | - ensure-uv 5 | 6 | tasks: 7 | - name: Run no-op command to build module 8 | ansible.builtin.command: uv run python3 --version 9 | args: 10 | chdir: "{{ zuul.project.src_dir }}" 11 | 12 | vars: 13 | ensure_uv_global_symlink: true 14 | -------------------------------------------------------------------------------- /zuul.d/playbooks/unit/pre.yml: -------------------------------------------------------------------------------- 1 | - hosts: all 2 | tasks: 3 | - shell: "{{ zuul.project.src_dir }}/hack/setup-helm.sh" 4 | -------------------------------------------------------------------------------- /zuul.d/project.yaml: -------------------------------------------------------------------------------- 1 | - project: 2 | check: 3 | jobs: 4 | - magnum-cluster-api-tox-functional 5 | - magnum-cluster-api-tox-unit 6 | gate: 7 | jobs: 8 | - magnum-cluster-api-tox-functional 9 | - magnum-cluster-api-tox-unit 10 | --------------------------------------------------------------------------------