diff --git a/signadot/operator/Chart.yaml b/signadot/operator/Chart.yaml
index 8b7346d..81b4183 100644
--- a/signadot/operator/Chart.yaml
+++ b/signadot/operator/Chart.yaml
@@ -6,10 +6,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.12.0"
+version: "0.13.0"
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.12.0"
+appVersion: "0.13.0"
diff --git a/signadot/operator/templates/agent-deployment.yaml b/signadot/operator/templates/agent-deployment.yaml
index b0660e3..9503891 100644
--- a/signadot/operator/templates/agent-deployment.yaml
+++ b/signadot/operator/templates/agent-deployment.yaml
@@ -48,8 +48,8 @@ spec:
 secretKeyRef:
 key: token
 name: cluster-agent
- image: {{ with .Values.agent }}{{ .image | default "signadot/agent:v0.12.0" | quote }}{{ else }}signadot/agent:v0.12.0{{ end }}
- imagePullPolicy: {{ with .Values.agent }}{{ .imagePullPolicy | default "IfNotPresent" | quote }}{{ else }}IfNotPresent{{ end }}
+ image: {{ with .Values }}{{ with .agent }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/agent:v0.13.0{{- end }}{{- else -}}signadot/agent:v0.13.0{{- end }}{{- else -}}signadot/agent:v0.13.0{{- end }}
+ imagePullPolicy: {{ with .Values }}{{ with .agent }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
 livenessProbe:
 httpGet:
 path: /nullz
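Review bot: The rewritten `image:` and `imagePullPolicy:` lines repeat each fallback literal three times, once per `else` branch, so a version bump now has to touch every copy here and in the io-context-server, routeserver and controller-manager hunks of this diff, which is how an image default and the chart's `appVersion` drift apart. If the outer `with .Values` guard is wanted, keeping the literal in one place avoids that (assuming Helm 3 templating): declare it once and override it only when the value is set, e.g. `{{- $agentImage := "signadot/agent:v0.13.0" }}`, `{{- with .Values }}{{ with .agent }}{{ with .image }}{{ $agentImage = . }}{{ end }}{{ end }}{{ end }}`, then `image: {{ $agentImage | quote }}`; the same shape works for `imagePullPolicy:`, or the lookup can move into a named template shared by all deployments. Separately, `{{ . | quote}}` lacks the space before `}}` that every other action on these lines has; `{{ . | quote }}` keeps the style uniform across the chart.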
diff --git a/signadot/operator/templates/io-context-server-deployment.yaml b/signadot/operator/templates/io-context-server-deployment.yaml
index ab7bc4b..c01a978 100644
--- a/signadot/operator/templates/io-context-server-deployment.yaml
+++ b/signadot/operator/templates/io-context-server-deployment.yaml
@@ -40,8 +40,8 @@ spec:
 - /app/io-context-server
 - -tls=secretns=signadot
 - -port=8443
- image: {{ with .Values.ioContextServer }}{{ .image | default "signadot/io-context-server:v0.12.0" | quote }}{{ else }}signadot/io-context-server:v0.12.0{{ end }}
- imagePullPolicy: {{ with .Values.ioContextServer }}{{ .imagePullPolicy | default "IfNotPresent" | quote }}{{ else }}IfNotPresent{{ end }}
+ image: {{ with .Values }}{{ with .ioContextServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-context-server:v0.13.0{{- end }}{{- else -}}signadot/io-context-server:v0.13.0{{- end }}{{- else -}}signadot/io-context-server:v0.13.0{{- end }}
+ imagePullPolicy: {{ with .Values }}{{ with .ioContextServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
 name: io-context-server
 ports:
 - containerPort: 8443
diff --git a/signadot/operator/templates/resources.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/resources.signadot.com-customresourcedefinition.yaml
index d2c25d0..6c2a4f3 100644
--- a/signadot/operator/templates/resources.signadot.com-customresourcedefinition.yaml
+++ b/signadot/operator/templates/resources.signadot.com-customresourcedefinition.yaml
@@ -879,6 +879,18 @@ spec:
 type: object
 resources:
 properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
 limits:
 additionalProperties:
 anyOf:
@@ -1490,6 +1502,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2107,6 +2131,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2349,12 +2385,43 @@ spec: - conditionType type: object type: array + resourceClaims: + items: + properties: + name: + type: string + source: + properties: + resourceClaimName: + type: string + resourceClaimTemplateName: + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: type: string runtimeClassName: type: string schedulerName: type: string + schedulingGates: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: properties: fsGroup: @@ -2735,12 +2802,26 @@ spec: type: string name: type: string + namespace: + type: string required: - kind - name type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -4103,6 +4184,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -4714,6 +4807,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -5331,6 +5436,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -5573,12 +5690,43 @@ spec: - conditionType type: object type: array + resourceClaims: + items: + properties: + name: + type: string + source: + properties: + resourceClaimName: + type: string + resourceClaimTemplateName: + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: type: string runtimeClassName: type: string schedulerName: type: string + schedulingGates: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: properties: fsGroup: @@ -5959,12 +6107,26 @@ spec: type: string name: type: string + namespace: + type: string required: - kind - name type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: diff --git a/signadot/operator/templates/routeserver-deployment.yaml b/signadot/operator/templates/routeserver-deployment.yaml index 30d43f8..df5e644 100644 --- a/signadot/operator/templates/routeserver-deployment.yaml +++ b/signadot/operator/templates/routeserver-deployment.yaml 
@@ -36,8 +36,8 @@ spec:
 {{- end }}
 spec:
 containers:
- - image: {{ with .Values.routeServer }}{{ .image | default "signadot/route-server:v0.12.0" | quote }}{{ else }}signadot/route-server:v0.12.0{{ end }}
- imagePullPolicy: {{ with .Values.routeServer }}{{ .imagePullPolicy | default "IfNotPresent" | quote }}{{ else }}IfNotPresent{{ end }}
+ - image: {{ with .Values }}{{ with .routeServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-server:v0.13.0{{- end }}{{- else -}}signadot/route-server:v0.13.0{{- end }}{{- else -}}signadot/route-server:v0.13.0{{- end }}
+ imagePullPolicy: {{ with .Values }}{{ with .routeServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
 name: routeserver
 ports:
 - containerPort: 8080
diff --git a/signadot/operator/templates/signadot-agent-clusterrole.yaml b/signadot/operator/templates/signadot-agent-clusterrole.yaml
index 38c6cc5..95d5f05 100644
--- a/signadot/operator/templates/signadot-agent-clusterrole.yaml
+++ b/signadot/operator/templates/signadot-agent-clusterrole.yaml
@@ -16,8 +16,10 @@ rules:
 - apiGroups:
 - signadot.com
 resources:
+ - resources
 - signadotsandboxes
 - signadotroutes
+ - signadotexternalworkloads
 - signadotresources
 - resources
 - signadotobjectlifecyclemethods
diff --git a/signadot/operator/templates/signadot-controller-manager-deployment.yaml b/signadot/operator/templates/signadot-controller-manager-deployment.yaml
index 89ff84f..c8c2d4d 100644
--- a/signadot/operator/templates/signadot-controller-manager-deployment.yaml
+++ b/signadot/operator/templates/signadot-controller-manager-deployment.yaml
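Review bot: `- resources` is added at the top of the list while the same entry is still present three lines below, after `- signadotresources`, so this rule now names `resources` twice. The API server tolerates the duplicate, but it reads as though a second resource were being granted; keep one of the two. The same rule also extends the cluster agent's permissions to `signadotexternalworkloads`, and the verbs it applies lie outside the hunk, so I could not confirm whether the agent needs more than read access to the new kind — worth a sentence in the PR description.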
@@ -42,8 +42,8 @@ spec:
 - --upstream=http://127.0.0.1:8080/
 - --logtostderr=true
 - --v=10
- image: {{ with .Values.kubeRBACProxy }}{{ .image | default "gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0" | quote }}{{ else }}gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0{{ end }}
- imagePullPolicy: {{ with .Values }}{{ with .kubeRBACProxy }}{{ with .imagePullPolicy }}{{.}}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
+ image: {{ with .Values }}{{ with .kubeRBACProxy }}{{ with .image }}{{ . | quote}}{{- else -}}gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0{{- end }}{{- else -}}gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0{{- end }}{{- else -}}gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0{{- end }}
+ imagePullPolicy: {{ with .Values }}{{ with .kubeRBACProxy }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
 name: kube-rbac-proxy
 ports:
 - containerPort: 8443
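Review bot: `imagePullPolicy:` here renders a user-supplied value bare (`{{ . }}`) and quotes only the fallback (`"IfNotPresent"`), the opposite of the `image:` line directly above it and of the `imagePullPolicy:` lines in the agent, routeserver, io-context-server and operator hunks, which quote the user value and leave the fallback plain. Both render valid YAML for the expected values, but the asymmetry invites a copy-paste slip the next time one of these lines is edited; `imagePullPolicy: {{ with .Values }}{{ with .kubeRBACProxy }}{{ with .imagePullPolicy }}{{ . | quote }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}` matches the rest of the chart. The same bare-value/quoted-fallback pattern is kept for the `*_IMAGE_PULL_POLICY` and `*_IMAGE_PULL_SECRET` env values in the next hunk of this file.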
@@ -58,37 +58,37 @@ spec:
 - name: ALLOWED_NAMESPACES
 value: {{ range $i, $val := .Values.allowedNamespaces }}{{ if gt $i 0 }},{{ end }}{{ $val }}{{ else }}""{{ end }}
 - name: SIDECAR_INIT_IMAGE_PULL_POLICY
- value: {{ with .Values }}{{ with .routeInit }}{{ with .imagePullPolicy }}{{.}}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
+ value: {{ with .Values }}{{ with .routeInit }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
 - name: SIDECAR_INIT_IMAGE_PULL_SECRET
- value: {{ with .Values }}{{ with .routeInit }}{{ with .imagePullSecret }}{{.}}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
+ value: {{ with .Values }}{{ with .routeInit }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
 - name: ROUTE_SIDECAR_IMAGE_PULL_POLICY
- value: {{ with .Values }}{{ with .routeSidecar }}{{ with .imagePullPolicy }}{{.}}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
+ value: {{ with .Values }}{{ with .routeSidecar }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
 - name: ROUTE_SIDECAR_IMAGE_PULL_SECRET
- value: {{ with .Values }}{{ with .routeSidecar }}{{ with .imagePullSecret }}{{.}}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
+ value: {{ with .Values }}{{ with .routeSidecar }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
 - name: IO_INIT_IMAGE_PULL_POLICY
- value: {{ with .Values }}{{ with .ioInit }}{{ with .imagePullPolicy }}{{.}}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
+ value: {{ with .Values }}{{ with .ioInit }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
 - name: IO_INIT_IMAGE_PULL_SECRET
- value: {{ with .Values }}{{ with .ioInit }}{{ with .imagePullSecret }}{{.}}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
+ value: {{ with .Values }}{{ with .ioInit }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
 - name: IO_SIDECAR_IMAGE_PULL_POLICY
- value: {{ with .Values }}{{ with .ioSidecar }}{{ with .imagePullPolicy }}{{.}}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
+ value: {{ with .Values }}{{ with .ioSidecar }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
 - name: IO_SIDECAR_IMAGE_PULL_SECRET
- value: {{ with .Values }}{{ with .ioSidecar }}{{ with .imagePullSecret }}{{.}}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
+ value: {{ with .Values }}{{ with .ioSidecar }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
 - name: EXECPOD_SIDECAR_IMAGE_PULL_POLICY
- value: {{ with .Values }}{{ with .execpodSidecar }}{{ with .imagePullPolicy }}{{.}}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
+ value: {{ with .Values }}{{ with .execpodSidecar }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
 - name: EXECPOD_SIDECAR_IMAGE_PULL_SECRET
- value: {{ with .Values }}{{ with .execpodSidecar }}{{ with .imagePullSecret }}{{.}}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
+ value: {{ with .Values }}{{ with .execpodSidecar }}{{ with .imagePullSecret }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}
 - name: SIDECAR_INIT_IMAGE
- value: {{ with .Values.routeInit }}{{ .image | default "signadot/sd-init-networking:latest" | quote }}{{ else }}signadot/sd-init-networking:latest{{ end }}
+ value: {{ with .Values }}{{ with .routeInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/sd-init-networking:latest{{- end }}{{- else -}}signadot/sd-init-networking:latest{{- end }}{{- else -}}signadot/sd-init-networking:latest{{- end }}
 - name: ROUTE_SIDECAR_IMAGE
- value: {{ with .Values.routeSidecar }}{{ .image | default "signadot/route-sidecar:v0.12.0" | quote }}{{ else }}signadot/route-sidecar:v0.12.0{{ end }}
+ value: {{ with .Values }}{{ with .routeSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-sidecar:v0.13.0{{- end }}{{- else -}}signadot/route-sidecar:v0.13.0{{- end }}{{- else -}}signadot/route-sidecar:v0.13.0{{- end }}
 - name: EXECPOD_SIDECAR_IMAGE
- value: {{ with .Values.execpodSidecar }}{{ .image | default "signadot/execpod-sidecar:v0.12.0" | quote }}{{ else }}signadot/execpod-sidecar:v0.12.0{{ end }}
+ value: {{ with .Values }}{{ with .execpodSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/execpod-sidecar:v0.13.0{{- end }}{{- else -}}signadot/execpod-sidecar:v0.13.0{{- end }}{{- else -}}signadot/execpod-sidecar:v0.13.0{{- end }}
 - name: IO_INIT_IMAGE
- value: {{ with .Values.ioInit }}{{ .image | default "signadot/io-init:v0.12.0" | quote }}{{ else }}signadot/io-init:v0.12.0{{ end }}
+ value: {{ with .Values }}{{ with .ioInit }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-init:v0.13.0{{- end }}{{- else -}}signadot/io-init:v0.13.0{{- end }}{{- else -}}signadot/io-init:v0.13.0{{- end }}
 - name: IO_SIDECAR_IMAGE
- value: {{ with .Values.ioSidecar }}{{ .image | default "signadot/io-sidecar:v0.12.0" | quote }}{{ else }}signadot/io-sidecar:v0.12.0{{ end }}
- image: {{ with .Values.operator }}{{ .image | default "signadot/operator:v0.12.0" | quote }}{{ else }}signadot/operator:v0.12.0{{ end }}
- imagePullPolicy: {{ with .Values.operator }}{{ .imagePullPolicy | default "IfNotPresent" | quote }}{{ else }}IfNotPresent{{ end }}
+ value: {{ with .Values }}{{ with .ioSidecar }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-sidecar:v0.13.0{{- end }}{{- else -}}signadot/io-sidecar:v0.13.0{{- end }}{{- else -}}signadot/io-sidecar:v0.13.0{{- end }}
+ image: {{ with .Values }}{{ with .operator }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/operator:v0.13.0{{- end }}{{- else -}}signadot/operator:v0.13.0{{- end }}{{- else -}}signadot/operator:v0.13.0{{- end }}
+ imagePullPolicy: {{ with .Values }}{{ with .operator }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
 livenessProbe:
 httpGet:
 path: /healthz
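Review bot: `SIDECAR_INIT_IMAGE` keeps the floating default `signadot/sd-init-networking:latest` while every other image default in this hunk is moved to a pinned `v0.13.0` tag. Together with the `SIDECAR_INIT_IMAGE_PULL_POLICY` default of `"IfNotPresent"` at the top of the hunk, the build that actually runs as the init container depends on what each node already has cached, so two nodes in one cluster can run different code and a release cannot be reproduced or rolled back by chart version alone. Pinning it like its siblings — a release tag, or better a digest — in all three `else` branches keeps the sidecar set versioned together; if the init image deliberately follows its own release cadence (its default was already `latest` before this change), a comment on the line saying so would save the next reviewer the question.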
@@ -108,11 +108,11 @@ spec:
 periodSeconds: 10
 resources:
 limits:
- cpu: {{ with .Values.operator }}{{ .cpu | default "100m" | quote }}{{ else }}100m{{ end }}
- memory: {{ with .Values.operator }}{{ .memory | default "512Mi" | quote }}{{ else }}512Mi{{ end }}
+ cpu: {{ with .Values }}{{ with .operator }}{{ with .cpu }}{{ . | quote}}{{- else -}}100m{{- end }}{{- else -}}100m{{- end }}{{- else -}}100m{{- end }}
+ memory: {{ with .Values }}{{ with .operator }}{{ with .memory }}{{ . | quote}}{{- else -}}512Mi{{- end }}{{- else -}}512Mi{{- end }}{{- else -}}512Mi{{- end }}
 requests:
- cpu: {{ with .Values.operator }}{{ .cpu | default "100m" | quote }}{{ else }}100m{{ end }}
- memory: {{ with .Values.operator }}{{ .memory | default "512Mi" | quote }}{{ else }}512Mi{{ end }}
+ cpu: {{ with .Values }}{{ with .operator }}{{ with .cpu }}{{ . | quote}}{{- else -}}100m{{- end }}{{- else -}}100m{{- end }}{{- else -}}100m{{- end }}
+ memory: {{ with .Values }}{{ with .operator }}{{ with .memory }}{{ . | quote}}{{- else -}}512Mi{{- end }}{{- else -}}512Mi{{- end }}{{- else -}}512Mi{{- end }}
 securityContext:
 allowPrivilegeEscalation: false
 volumeMounts:
diff --git a/signadot/operator/templates/signadot-manager-namespaced-clusterrole.yaml b/signadot/operator/templates/signadot-manager-namespaced-clusterrole.yaml
index 23019bb..6a30e9e 100644
--- a/signadot/operator/templates/signadot-manager-namespaced-clusterrole.yaml
+++ b/signadot/operator/templates/signadot-manager-namespaced-clusterrole.yaml
@@ -79,6 +79,7 @@ rules:
 - networking.istio.io
 resources:
 - virtualservices
+ - serviceentries
 verbs:
 - create
 - delete
diff --git a/signadot/operator/templates/signadot-manager-role-clusterrole.yaml b/signadot/operator/templates/signadot-manager-role-clusterrole.yaml
index a6d8520..c0e7875 100644
--- a/signadot/operator/templates/signadot-manager-role-clusterrole.yaml
+++ b/signadot/operator/templates/signadot-manager-role-clusterrole.yaml
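Review bot: Adding `serviceentries` to this rule grants the manager every verb the rule already carries for `virtualservices` (`create` and `delete` are visible; the rest of the verb list, and the `- apiGroups:` entry itself, lie outside the hunk). A ServiceEntry changes how the mesh resolves and routes names that are not in the cluster, so write access to it is a broader capability than VirtualService editing, and nothing in this diff shows which controller path needs it. I'd ask the PR description to name the feature that uses it (presumably the new external-workload support) and whether a narrower verb set would do, and to keep the reason next to the grant with a comment such as `# serviceentries: needed for <FEATURE> (see <ISSUE-ID>)` where the placeholders are filled in by the author.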
@@ -48,6 +48,32 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - signadot.com
+ resources:
+ - signadotexternalworkloads
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - signadot.com
+ resources:
+ - signadotexternalworkloads/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - signadot.com
+ resources:
+ - signadotexternalworkloads/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - signadot.com
 resources:
diff --git a/signadot/operator/templates/signadotexternalworkloads.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/signadotexternalworkloads.signadot.com-customresourcedefinition.yaml
new file mode 100644
index 0000000..aee25c9
--- /dev/null
+++ b/signadot/operator/templates/signadotexternalworkloads.signadot.com-customresourcedefinition.yaml
@@ -0,0 +1,228 @@ +# This file is generated. Do not edit. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: signadotexternalworkloads.signadot.com +spec: + group: signadot.com + names: + kind: SignadotExternalWorkload + listKind: SignadotExternalWorkloadList + plural: signadotexternalworkloads + shortNames: + - sdxw + singular: signadotexternalworkload + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + baseline: + description: Baseline specifies the target workload to which this + external workload applies. + properties: + apiVersion: + description: APIVersion specifies the API Version (e.g. "apps/v1") + of the object to patch. + type: string + kind: + description: Kind specifies the Kind (e.g. "Deployment") of the + object to patch. + type: string + name: + description: Name specifies the name of the object to patch. 
+ type: string + namespace: + description: Namespace optionally specifies which namespace will + be searched. + type: string + required: + - apiVersion + - kind + - name + type: object + name: + description: 'Name of the external workload, this is an arbitrary + string defined by the user (eg: "apiserver" or "playground-api")' + maxLength: 30 + pattern: ^$|^[a-z]([a-z0-9-]*[a-zA-Z0-9])?$ + type: string + routingKey: + description: RoutingKey is a unique short key that can be provided + to context propagation mechanisms. + type: string + tunnel: + description: Tunnel defines that this external workload will be accessed + via a reverse tunnel, in Tunnel Proxy. + properties: + baselineToLocals: + description: List of ports to be forwarded to the workstation + items: + properties: + baselinePort: + description: Baseline container port + format: int32 + type: integer + localAddress: + description: TCP Address to which it is to be routed, for + example "localhost:8080" + type: string + required: + - baselinePort + - localAddress + type: object + type: array + required: + - baselineToLocals + type: object + workloadID: + description: WorkloadID is the UID of the underlying workload. + type: string + required: + - baseline + - name + - routingKey + - workloadID + type: object + status: + description: ResourceStatus defines status of a Resource + properties: + conditions: + description: 'Conditions is a list of conditions that matches the + conventions expected by kubectl, allowing our CRDs to work with: + kubectl wait --for=condition=...' + items: + description: "StatusCondition is a condition struct that matches + the conventions expected by kubectl, allowing our CRDs to work + with: kubectl wait --for=condition=... 
\n StatusConditions must + follow the following discipline in reconciliation: The operator + MUST always populate all the condition types in a SignadotSandboxStatus + struct, irrespective of whether the condition is known or not + (see corev1.ConditionUnknown) so that access via a k8s client + can determine whether the capability is supported in the operator." + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration provides the Generation of the last + Resource seen by the controller. + format: int64 + type: integer + tunnel: + description: Tunnel exposes the status of the tunnel behind this external + workload + properties: + health: + description: Is there an active tunnel to the workstation? + properties: + connected: + description: Is there an active reverse tunnel to the workstation? + type: boolean + lastCheckTime: + description: Last time we performed a health check + format: date-time + type: string + lastConnectedTime: + description: Last time we got a successful health check + format: date-time + type: string + required: + - connected + type: object + info: + description: Reference to reverse tunnel exposing the workload + properties: + controlPort: + description: This is the control port for this tunnel, used + for health check control + format: int32 + type: integer + labels: + additionalProperties: + type: string + description: Tunnel labels (information about the connected + client) + type: object + tunnelProxyPodIP: + description: Tunnel proxy pod ip + type: string + tunnelProxyPodName: + description: Tunnel proxy pod name + type: string + workloadPorts: + description: This is a map from the workload source port as + a string to the port in which it is exposed in the Tunnel + proxy. 
+ items: + description: Baseline port mapping to proxy port + properties: + baseline: + description: An exposed port on the baseline + format: int32 + type: integer + proxy: + description: The corresponding proxy port + format: int32 + type: integer + required: + - baseline + - proxy + type: object + type: array + required: + - controlPort + - tunnelProxyPodIP + - tunnelProxyPodName + - workloadPorts + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/signadot/operator/templates/signadotobjectlifecyclemethods.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/signadotobjectlifecyclemethods.signadot.com-customresourcedefinition.yaml index eb91ee7..a788d8a 100644 --- a/signadot/operator/templates/signadotobjectlifecyclemethods.signadot.com-customresourcedefinition.yaml +++ b/signadot/operator/templates/signadotobjectlifecyclemethods.signadot.com-customresourcedefinition.yaml @@ -875,6 +875,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -1486,6 +1498,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2103,6 +2127,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -2345,12 +2381,43 @@ spec: - conditionType type: object type: array + resourceClaims: + items: + properties: + name: + type: string + source: + properties: + resourceClaimName: + type: string + resourceClaimTemplateName: + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: type: string runtimeClassName: type: string schedulerName: type: string + schedulingGates: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: properties: fsGroup: @@ -2731,12 +2798,26 @@ spec: type: string name: type: string + namespace: + type: string required: - kind - name type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -4093,6 +4174,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -4704,6 +4797,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -5321,6 +5426,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -5563,12 +5680,43 @@ spec: - conditionType type: object type: array + resourceClaims: + items: + properties: + name: + type: string + source: + properties: + resourceClaimName: + type: string + resourceClaimTemplateName: + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: type: string runtimeClassName: type: string schedulerName: type: string + schedulingGates: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: properties: fsGroup: @@ -5949,12 +6097,26 @@ spec: type: string name: type: string + namespace: + type: string required: - kind - name type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: diff --git a/signadot/operator/templates/signadotresourceplugins.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/signadotresourceplugins.signadot.com-customresourcedefinition.yaml index d424572..454ddb6 100644 --- a/signadot/operator/templates/signadotresourceplugins.signadot.com-customresourcedefinition.yaml +++ b/signadot/operator/templates/signadotresourceplugins.signadot.com-customresourcedefinition.yaml 
@@ -1881,6 +1881,31 @@ spec: description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field + and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -3285,6 +3310,31 @@ spec: containers. Ephemeral containers use spare resources already allocated to the pod. properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field + and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -4723,6 +4773,31 @@ spec: description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field + and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -5348,6 +5423,63 @@ spec: - conditionType type: object type: array + resourceClaims: + description: "ResourceClaims defines which ResourceClaims + must be allocated and reserved before the Pod is allowed + to start. The resources will be made available to those + containers which consume them by name. \n This is an + alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: PodResourceClaim references exactly one + ResourceClaim through a ClaimSource. It adds a name + to it that uniquely identifies the ResourceClaim inside + the Pod. Containers that need access to the ResourceClaim + reference it with this name. + properties: + name: + description: Name uniquely identifies this resource + claim inside the pod. This must be a DNS_LABEL. + type: string + source: + description: Source describes where to find the + ResourceClaim. + properties: + resourceClaimName: + description: ResourceClaimName is the name of + a ResourceClaim object in the same namespace + as this pod. + type: string + resourceClaimTemplateName: + description: "ResourceClaimTemplateName is the + name of a ResourceClaimTemplate object in + the same namespace as this pod. \n The template + will be used to create a new ResourceClaim, + which will be bound to this pod. When this + pod is deleted, the ResourceClaim will also + be deleted. The name of the ResourceClaim + will be -, where + is the PodResourceClaim.Name. + Pod validation will reject the pod if the + concatenated name is not valid for a ResourceClaim + (e.g. too long). \n An existing ResourceClaim + with that name that is not owned by the pod + will not be used for the pod to avoid using + an unrelated resource by mistake. Scheduling + and pod startup are then blocked until the + unrelated ResourceClaim is removed. \n This + field is immutable and no changes will be + made to the corresponding ResourceClaim by + the control plane after creating the ResourceClaim." 
+ type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: description: 'Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to @@ -5367,6 +5499,27 @@ spec: by specified scheduler. If not specified, the pod will be dispatched by default scheduler. type: string + schedulingGates: + description: "SchedulingGates is an opaque list of values + that if specified will block scheduling the pod. More + info: https://git.k8s.io/enhancements/keps/sig-scheduling/3521-pod-scheduling-readiness. + \n This is an alpha-level feature enabled by PodSchedulingReadiness + feature gate." + items: + description: PodSchedulingGate is associated to a Pod + to guard its scheduling. + properties: + name: + description: Name of the scheduling gate. Each scheduling + gate must have a unique name field. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: description: 'SecurityContext holds pod-level security attributes and common container settings. Optional: @@ -5482,9 +5635,15 @@ spec: supplementalGroups: description: A list of groups applied to the first process run in each container, in addition to the - container's primary GID. If unspecified, no groups - will be added to any container. Note that this field - cannot be set when spec.os.name is windows. + container's primary GID, the fsGroup (if specified), + and group memberships defined in the container image + for the uid of the container process. If unspecified, + no additional groups are added to any container. + Note that group memberships defined in the container + image for the uid of the container process are still + effective, even if they are not included in this + list. Note that this field cannot be set when spec.os.name + is windows. items: format: int64 type: integer 
@@ -5785,8 +5944,8 @@ spec: are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. \n If this value is nil, the behavior is equivalent - to the Honor policy. This is a alpha-level feature - enabled by the NodeInclusionPolicyInPodTopologySpread + to the Honor policy. This is a beta-level feature + default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag." type: string nodeTaintsPolicy: @@ -5798,7 +5957,7 @@ spec: Ignore: node taints are ignored. All nodes are included. \n If this value is nil, the behavior is equivalent to the Ignore policy. This is a - alpha-level feature enabled by the NodeInclusionPolicyInPodTopologySpread + beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag." type: string topologyKey: @@ -6384,10 +6543,14 @@ spec: controller can support the specified data source, it will create a new volume based on the contents of the - specified data source. If the AnyVolumeDataSource - feature gate is enabled, this field - will always have the same contents - as the DataSourceRef field.' + specified data source. When the AnyVolumeDataSource + feature gate is enabled, dataSource + contents will be copied to dataSourceRef, + and dataSourceRef contents will be + copied to dataSource when dataSourceRef.namespace + is not specified. If the namespace + is specified, then dataSourceRef will + not be copied to dataSource.' properties: apiGroup: description: APIGroup is the group 
@@ -6415,33 +6578,43 @@ spec: the object from which to populate the volume with data, if a non-empty volume is desired. This may be any - local object from a non-empty API - group (non core object) or a PersistentVolumeClaim + object from a non-empty API group + (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will - replace the functionality of the DataSource + replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, - both fields (DataSource and DataSourceRef) - will be set to the same value automatically - if one of them is empty and the other - is non-empty. There are two important - differences between DataSource and - DataSourceRef: * While DataSource - only allows two specific types of - objects, DataSourceRef allows any - non-core object, as well as PersistentVolumeClaim - objects. * While DataSource ignores + when namespace isn''t specified in + dataSourceRef, both fields (dataSource + and dataSourceRef) will be set to + the same value automatically if one + of them is empty and the other is + non-empty. When namespace is specified + in dataSourceRef, dataSource isn''t + set to the same value and must be + empty. There are three important differences + between dataSource and dataSourceRef: + * While dataSource only allows two + specific types of objects, dataSourceRef allows + any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed values (dropping them), - DataSourceRef preserves all values, + dataSourceRef preserves all values, and generates an error if a disallowed - value is specified. (Beta) Using - this field requires the AnyVolumeDataSource - feature gate to be enabled.' + value is specified. 
* While dataSource + only allows local objects, dataSourceRef + allows objects in any namespaces. + (Beta) Using this field requires the + AnyVolumeDataSource feature gate to + be enabled. (Alpha) Using the namespace + field of dataSourceRef requires the + CrossNamespaceVolumeDataSource feature + gate to be enabled.' properties: apiGroup: description: APIGroup is the group @@ -6460,6 +6633,19 @@ spec: description: Name is the name of resource being referenced type: string + namespace: + description: Namespace is the namespace + of resource being referenced Note + that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. + See the ReferenceGrant documentation + for details. (Alpha) This field + requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string required: - kind - name @@ -6475,6 +6661,34 @@ spec: recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: + claims: + description: "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. + \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field is + immutable. It can only be set + for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match + the name of one entry in + pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
diff --git a/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml b/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml index ed4671d..43acd2d 100644 --- a/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml +++ b/signadot/operator/templates/signadotsandboxes.signadot.com-customresourcedefinition.yaml 
@@ -184,6 +184,70 @@ spec: type: string type: array type: object + externalWorkloads: + description: This is the list of externally controlled workloads this + sandbox will route traffic to. + items: + properties: + baseline: + description: Baseline specifies the target workload to which + this external workload applies. + properties: + apiVersion: + description: APIVersion specifies the API Version (e.g. + "apps/v1") of the object to patch. + type: string + kind: + description: Kind specifies the Kind (e.g. "Deployment") + of the object to patch. + type: string + name: + description: Name specifies the name of the object to patch. + type: string + namespace: + description: Namespace optionally specifies which namespace + will be searched. + type: string + required: + - apiVersion + - kind + - name + type: object + name: + description: 'Name of the external workload, this is an arbitrary + string defined by the user (eg: "apiserver" or "playground-api")' + maxLength: 30 + pattern: ^$|^[a-z]([a-z0-9-]*[a-zA-Z0-9])?$ + type: string + tunnel: + description: Tunnel defines that this external workload will + be accessed via a reverse tunnel, in Tunnel Proxy. + properties: + baselineToLocals: + description: List of ports to be forwarded to the workstation + items: + properties: + baselinePort: + description: Baseline container port + format: int32 + type: integer + localAddress: + description: TCP Address to which it is to be routed, + for example "localhost:8080" + type: string + required: + - baselinePort + - localAddress + type: object + type: array + required: + - baselineToLocals + type: object + required: + - baseline + - name + type: object + type: array id: description: "ID should be a unique identifier for the sandbox. \n It can be up to 32 characters, consisting of lowercase alphanumeric 
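Review bot: The `pattern` on `externalWorkloads[].name` (`^$|^[a-z]([a-z0-9-]*[a-zA-Z0-9])?$`) accepts an empty string even though `name` is listed under `required`, and its final character class admits uppercase letters while every other position is lowercase-only, so `foo-B` passes admission. If this is meant to be a DNS-label-style identifier (it is echoed back in `status.externalWorkloads[].name` later in this file), tighten it to `pattern: ^[a-z]([a-z0-9-]*[a-z0-9])?$` and add `minLength: 1`. `tunnel.baselineToLocals[].baselinePort` is an unbounded `int32`, so `minimum: 1` / `maximum: 65535` would reject impossible ports at admission instead of at tunnel setup, and `localAddress` is a free-form string with no `maxLength` or pattern even though it is user-supplied and decides where baseline traffic is forwarded — a `host:port` pattern at the CRD level is worth considering.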
@@ -1039,6 +1103,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -1650,6 +1726,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2267,6 +2355,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2509,12 +2609,43 @@ spec: - conditionType type: object type: array + resourceClaims: + items: + properties: + name: + type: string + source: + properties: + resourceClaimName: + type: string + resourceClaimTemplateName: + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: type: string runtimeClassName: type: string schedulerName: type: string + schedulingGates: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: properties: fsGroup: @@ -2895,12 +3026,26 @@ spec: type: string name: type: string + namespace: + type: string required: - kind - name type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -4266,6 +4411,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -4877,6 +5034,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -5494,6 +5663,18 @@ spec: type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -5736,12 +5917,43 @@ spec: - conditionType type: object type: array + resourceClaims: + items: + properties: + name: + type: string + source: + properties: + resourceClaimName: + type: string + resourceClaimTemplateName: + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: type: string runtimeClassName: type: string schedulerName: type: string + schedulingGates: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: properties: fsGroup: @@ -6122,12 +6334,26 @@ spec: type: string name: type: string + namespace: + type: string required: - kind - name type: object resources: properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -6774,6 +7000,101 @@ spec: have been cloned and customized. format: int32 type: integer + externalWorkloads: + description: Status of each of the external workloads + items: + properties: + name: + description: Name of the external workload + type: string + tunnel: + description: Tunnel exposes the status of the tunnel behind + this external workload + properties: + health: + description: Is there an active tunnel to the workstation? + properties: + connected: + description: Is there an active reverse tunnel to the + workstation? + type: boolean + lastCheckTime: + description: Last time we performed a health check + format: date-time + type: string + lastConnectedTime: + description: Last time we got a successful health check + format: date-time + type: string + required: + - connected + type: object + info: + description: Reference to reverse tunnel exposing the workload + properties: + controlPort: + description: This is the control port for this tunnel, + used for health check control + format: int32 + type: integer + labels: + additionalProperties: + type: string + description: Tunnel labels (information about the connected + client) + type: object + tunnelProxyPodIP: + description: Tunnel proxy pod ip + type: string + tunnelProxyPodName: + description: Tunnel proxy pod name + type: string + workloadPorts: + description: This is a map from the workload source + port as a string to the port in which it is exposed + in the Tunnel proxy. 
+ items: + description: Baseline port mapping to proxy port + properties: + baseline: + description: An exposed port on the baseline + format: int32 + type: integer + proxy: + description: The corresponding proxy port + format: int32 + type: integer + required: + - baseline + - proxy + type: object + type: array + required: + - controlPort + - tunnelProxyPodIP + - tunnelProxyPodName + - workloadPorts + type: object + type: object + required: + - name + type: object + type: array + managedResources: + description: Status of each of the managed resources + items: + properties: + name: + description: Name of the resource + type: string + ready: + description: Readiness of the resource + type: boolean + required: + - name + - ready + type: object + type: array observedGeneration: format: int64 type: integer @@ -6786,7 +7107,7 @@ spec: additionalProperties: type: boolean description: ReadyManagedResources is a map from resource name to - ready status + ready status This field has been deprecated. type: object readyResources: description: ReadyResources is the number of signadot resources which diff --git a/signadot/operator/templates/tunnel-api-clusterrole.yaml b/signadot/operator/templates/tunnel-api-clusterrole.yaml new file mode 100644 index 0000000..351f232 --- /dev/null +++ b/signadot/operator/templates/tunnel-api-clusterrole.yaml @@ -0,0 +1,30 @@ +# This file is generated. Do not edit. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-api +rules: +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - signadot.com + resources: + - signadotsandboxes + verbs: + - get + - list + - watch 
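Review bot: The `tunnel-api` ClusterRole grants `get`, `list` and `watch` on every Service and every SignadotSandbox in the cluster, which is notably broader than the sibling `tunnel-api-config` Role that is scoped to ConfigMaps in the `signadot` namespace. Sandboxes appear to target baselines in arbitrary namespaces (the sandbox CRD's `baseline.namespace` is optional), so cluster scope may genuinely be needed, but that reasoning is not recorded in the template. A comment above `rules:` such as `# cluster-scoped: sandboxes and their baseline Services may live in any namespace` would let a later reader tell intent from oversight, and if the API only ever serves sandboxes from a fixed namespace this ClusterRole/ClusterRoleBinding pair should become a namespaced Role and RoleBinding.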
diff --git a/signadot/operator/templates/tunnel-api-clusterrolebinding.yaml b/signadot/operator/templates/tunnel-api-clusterrolebinding.yaml new file mode 100644 index 0000000..a8a154a --- /dev/null +++ b/signadot/operator/templates/tunnel-api-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +# This file is generated. Do not edit. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tunnel-api +subjects: +- kind: ServiceAccount + name: tunnel-api + namespace: signadot diff --git a/signadot/operator/templates/tunnel-api-config-role.yaml b/signadot/operator/templates/tunnel-api-config-role.yaml new file mode 100644 index 0000000..207875d --- /dev/null +++ b/signadot/operator/templates/tunnel-api-config-role.yaml @@ -0,0 +1,23 @@ +# This file is generated. Do not edit. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-api-config + namespace: signadot +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch diff --git a/signadot/operator/templates/tunnel-api-config-rolebinding.yaml b/signadot/operator/templates/tunnel-api-config-rolebinding.yaml new file mode 100644 index 0000000..5d9087f --- /dev/null +++ b/signadot/operator/templates/tunnel-api-config-rolebinding.yaml 
@@ -0,0 +1,22 @@ +# This file is generated. Do not edit. +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-api-config + namespace: signadot +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: tunnel-api-config +subjects: +- kind: ServiceAccount + name: tunnel-api + namespace: signadot diff --git a/signadot/operator/templates/tunnel-api-deployment.yaml b/signadot/operator/templates/tunnel-api-deployment.yaml new file mode 100644 index 0000000..27381ab --- /dev/null +++ b/signadot/operator/templates/tunnel-api-deployment.yaml 
@@ -0,0 +1,61 @@ +# This file is generated. Do not edit. +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-api + namespace: signadot +spec: +{{- if and .Values .Values.tunnel .Values.tunnel.api .Values.tunnel.api.replicas }} + replicas: {{ .Values.tunnel.api.replicas }} +{{- end }} + selector: + matchLabels: + app: tunnel-api +{{- if and .Values .Values.tunnel .Values.tunnel.api .Values.tunnel.api.strategy }} + strategy: +{{ toYaml .Values.tunnel.api.strategy | indent 10 }} +{{- end }} + template: + metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.podAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + app: tunnel-api + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + spec: + containers: + - args: +{{- if and .Values .Values.tunnel .Values.tunnel.config .Values.tunnel.config.externalDNS .Values.tunnel.config.externalDNS.server }} + - --external-dns-server={{ .Values.tunnel.config.externalDNS.server }} +{{- end }} +{{- if and .Values .Values.tunnel .Values.tunnel.config .Values.tunnel.config.externalDNS .Values.tunnel.config.externalDNS.syncInterval }} + - --external-dns-resync-interval={{ .Values.tunnel.config.externalDNS.syncInterval }} +{{- end }} + image: {{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .image }}{{ . 
| quote}}{{- else -}}signadot/tunnel-api:v0.13.0{{- end }}{{- else -}}signadot/tunnel-api:v0.13.0{{- end }}{{- else -}}signadot/tunnel-api:v0.13.0{{- end }}{{- else -}}signadot/tunnel-api:v0.13.0{{- end }} + imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .api }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} + name: tunnel-api + ports: + - containerPort: 9070 +{{- if and .Values .Values.tunnel .Values.tunnel.api .Values.tunnel.api.resources }} + resources: +{{ toYaml .Values.tunnel.api.resources | indent 10 }} +{{- end }} + serviceAccountName: tunnel-api diff --git a/signadot/operator/templates/tunnel-api-service.yaml b/signadot/operator/templates/tunnel-api-service.yaml new file mode 100644 index 0000000..0cde48a --- /dev/null +++ b/signadot/operator/templates/tunnel-api-service.yaml @@ -0,0 +1,25 @@ +# This file is generated. Do not edit. +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.serviceAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.serviceLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-api + namespace: signadot +spec: + ports: + - port: 9070 + selector: + app: tunnel-api diff --git a/signadot/operator/templates/tunnel-api-serviceaccount.yaml b/signadot/operator/templates/tunnel-api-serviceaccount.yaml new file mode 100644 index 0000000..5dea986 --- /dev/null +++ b/signadot/operator/templates/tunnel-api-serviceaccount.yaml 
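Review bot: The new `tunnel-api` container has no `securityContext`, no liveness or readiness probe and no default `resources`, whereas the existing agent deployment in this chart at least carries a `livenessProbe`. Since this pod holds a ServiceAccount token bound to cluster-wide read on Services and SignadotSandboxes, it should run with the usual hardening baseline; whether the binary tolerates a read-only root filesystem cannot be told from the template, so that one setting needs confirming before merge. A readiness probe on port 9070 would also stop the `tunnel-api` Service from routing to a pod that has not finished its initial watches, assuming the server exposes a health endpoint.
```yaml
      containers:
      - name: tunnel-api
        # … unchanged: args, image, imagePullPolicy, ports, resources …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          readOnlyRootFilesystem: true  # confirm tunnel-api writes nothing to disk
          runAsNonRoot: true
```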
@@ -0,0 +1,14 @@ +# This file is generated. Do not edit. +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-api + namespace: signadot diff --git a/signadot/operator/templates/tunnel-auditor-config-configmap.yaml b/signadot/operator/templates/tunnel-auditor-config-configmap.yaml new file mode 100644 index 0000000..976a530 --- /dev/null +++ b/signadot/operator/templates/tunnel-auditor-config-configmap.yaml 
@@ -0,0 +1,358 @@ +# This file is generated. Do not edit. +apiVersion: v1 +data: + config.yaml: | + admin: + access_log: + - name: envoy.access_loggers.file + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /tmp/envoy-admin.log + address: + socket_address: + protocol: TCP + address: 127.0.0.1 + port_value: 9901 + + static_resources: + listeners: + + # Inbound + # ------------------------------------------------------------------------- + - name: inbound_listener + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 10000 + + listener_filters: + - name: tls_inspector + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + - name: http_inspector + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.http_inspector.v3.HttpInspector + - name: original_dst + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst + + filter_chains: + # TLS proxy + - filter_chain_match: + transport_protocol: tls + filters: + - name: envoy.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp-tls + access_log: + - name: envoy.access_loggers.http_grpc + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig + common_config: + log_name: "inbound_tls" + transport_api_version: V3 + grpc_service: + envoy_grpc: + cluster_name: grpc_als_cluster + cluster: passthrough_proxy + + # HTTP/gRPC proxy + - filter_chain_match: + application_protocols: + - "http/1.0" + - "http/1.1" + - "h2c" + - "h2" + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + codec_type: AUTO + access_log: + - name: 
envoy.access_loggers.file + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/stdout + log_format: + json_format: + start_time: "%START_TIME%" + request_id: "%REQ(X-REQUEST-ID)%" + request_method: "%REQ(:METHOD)%" + protocol: "%PROTOCOL%" + host: "%REQ(:AUTHORITY)% (%UPSTREAM_HOST%)" + path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%" + user_agent: "%REQ(USER-AGENT)%" + duration: "%DURATION%" + bytes_sent: "%BYTES_SENT%" + bytes_received: "%BYTES_RECEIVED%" + origin: "%DOWNSTREAM_REMOTE_ADDRESS%" + response_code: "%RESPONSE_CODE%" + response_code_details: "%RESPONSE_CODE_DETAILS%" + - name: envoy.access_loggers.http_grpc + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig + common_config: + log_name: "inbound_http" + transport_api_version: V3 + grpc_service: + envoy_grpc: + cluster_name: grpc_als_cluster + additional_request_headers_to_log: + additional_response_headers_to_log: + http_filters: + - name: envoy.filters.http.lua + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua + default_source_code: + filename: /etc/lua/inbound-rules.lua + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + route_config: + name: local_route + virtual_hosts: + - name: local_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + cluster: passthrough_proxy + timeout: 0s + idleTimeout: 3600s + maxStreamDuration: + maxStreamDuration: 0s + maxStreamDuration: 0s + + # TCP proxy + - filters: + - name: envoy.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp + access_log: + - name: envoy.access_loggers.http_grpc + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig + common_config: + log_name: "inbound_tcp" + 
transport_api_version: V3 + grpc_service: + envoy_grpc: + cluster_name: grpc_als_cluster + cluster: passthrough_proxy + + + # Outbound + # ------------------------------------------------------------------------- + - name: outbound_listener + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 10001 + + listener_filters: + - name: tls_inspector + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + - name: http_inspector + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.http_inspector.v3.HttpInspector + - name: original_dst + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst + + filter_chains: + # TLS proxy + - filter_chain_match: + transport_protocol: tls + filters: + - name: envoy.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp-tls + access_log: + - name: envoy.access_loggers.http_grpc + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig + common_config: + log_name: "outbound_tls" + transport_api_version: V3 + grpc_service: + envoy_grpc: + cluster_name: grpc_als_cluster + cluster: passthrough_proxy + + # HTTP/gRPC forward proxy + - filter_chain_match: + application_protocols: + - "http/1.0" + - "http/1.1" + - "h2c" + - "h2" + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + codec_type: AUTO + access_log: + - name: envoy.access_loggers.file + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/stdout + log_format: + json_format: + start_time: "%START_TIME%" + request_id: "%REQ(X-REQUEST-ID)%" + request_method: "%REQ(:METHOD)%" + 
protocol: "%PROTOCOL%" + host: "%REQ(:AUTHORITY)% (%UPSTREAM_HOST%)" + path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%" + user_agent: "%REQ(USER-AGENT)%" + duration: "%DURATION%" + bytes_sent: "%BYTES_SENT%" + bytes_received: "%BYTES_RECEIVED%" + origin: "%DOWNSTREAM_REMOTE_ADDRESS%" + response_code: "%RESPONSE_CODE%" + response_code_details: "%RESPONSE_CODE_DETAILS%" + - name: envoy.access_loggers.http_grpc + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig + common_config: + log_name: "outbound_http" + transport_api_version: V3 + grpc_service: + envoy_grpc: + cluster_name: grpc_als_cluster + additional_request_headers_to_log: + additional_response_headers_to_log: + http_filters: + - name: envoy.filters.http.dynamic_forward_proxy + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig + dns_cache_config: + name: dynamic_forward_proxy_cache_config + dns_lookup_family: V4_ONLY + - name: envoy.filters.http.lua + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua + default_source_code: + filename: /etc/lua/outbound-rules.lua + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + route_config: + name: local_route + virtual_hosts: + - name: local_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + cluster: dynamic_forward_proxy + timeout: 0s + idleTimeout: 3600s + maxStreamDuration: + maxStreamDuration: 0s + maxStreamDuration: 0s + + # TCP filter + - filters: + - name: envoy.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp + access_log: + - name: envoy.access_loggers.http_grpc + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig + common_config: + log_name: "outbound_tcp" + 
transport_api_version: V3 + grpc_service: + envoy_grpc: + cluster_name: grpc_als_cluster + cluster: passthrough_proxy + + # Clusters + # ------------------------------------------------------------------------- + clusters: + # Dynamic forward + - name: dynamic_forward_proxy + connect_timeout: 1s + lb_policy: CLUSTER_PROVIDED + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + upstream_http_protocol_options: + auto_sni: true + auto_san_validation: true + use_downstream_protocol_config: + http_protocol_options: {} + http2_protocol_options: {} + cluster_type: + name: envoy.clusters.dynamic_forward_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig + dns_cache_config: + name: dynamic_forward_proxy_cache_config + dns_lookup_family: V4_ONLY + + # Passthrough + - name: passthrough_proxy + type: ORIGINAL_DST + connect_timeout: 10s + lb_policy: CLUSTER_PROVIDED + dns_lookup_family: V4_ONLY + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + use_downstream_protocol_config: + http_protocol_options: {} + http2_protocol_options: {} + + # gRPC Access Log Sink + - name: grpc_als_cluster + connect_timeout: 5s + type: STATIC + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: {} + load_assignment: + cluster_name: grpc_als_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 5000 + inbound-rules.lua: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .inboundRulesLuaScript }}{{ . 
| quote}}{{- else -}}"function envoy_on_request(request_handle)\n -- sample blocking rule\n local blockRequestHeader = request_handle:headers():get(\"sd-block-request\")\n if blockRequestHeader ~= nil and blockRequestHeader == 'true' then\n request_handle:respond({[\":status\"] = \"403\"}, \"signadot: forbidden\")\n end\nend\n"{{- end }}{{- else -}}"function envoy_on_request(request_handle)\n -- sample blocking rule\n local blockRequestHeader = request_handle:headers():get(\"sd-block-request\")\n if blockRequestHeader ~= nil and blockRequestHeader == 'true' then\n request_handle:respond({[\":status\"] = \"403\"}, \"signadot: forbidden\")\n end\nend\n"{{- end }}{{- else -}}"function envoy_on_request(request_handle)\n -- sample blocking rule\n local blockRequestHeader = request_handle:headers():get(\"sd-block-request\")\n if blockRequestHeader ~= nil and blockRequestHeader == 'true' then\n request_handle:respond({[\":status\"] = \"403\"}, \"signadot: forbidden\")\n end\nend\n"{{- end }}{{- else -}}"function envoy_on_request(request_handle)\n -- sample blocking rule\n local blockRequestHeader = request_handle:headers():get(\"sd-block-request\")\n if blockRequestHeader ~= nil and blockRequestHeader == 'true' then\n request_handle:respond({[\":status\"] = \"403\"}, \"signadot: forbidden\")\n end\nend\n"{{- end }} + outbound-rules.lua: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .outboundRulesLuaScript }}{{ . 
| quote}}{{- else -}}"function envoy_on_request(request_handle)\n -- sample blocking rule\n local blockRequestHeader = request_handle:headers():get(\"sd-block-request\")\n if blockRequestHeader ~= nil and blockRequestHeader == 'true' then\n request_handle:respond({[\":status\"] = \"403\"}, \"signadot: forbidden\")\n end\nend\n"{{- end }}{{- else -}}"function envoy_on_request(request_handle)\n -- sample blocking rule\n local blockRequestHeader = request_handle:headers():get(\"sd-block-request\")\n if blockRequestHeader ~= nil and blockRequestHeader == 'true' then\n request_handle:respond({[\":status\"] = \"403\"}, \"signadot: forbidden\")\n end\nend\n"{{- end }}{{- else -}}"function envoy_on_request(request_handle)\n -- sample blocking rule\n local blockRequestHeader = request_handle:headers():get(\"sd-block-request\")\n if blockRequestHeader ~= nil and blockRequestHeader == 'true' then\n request_handle:respond({[\":status\"] = \"403\"}, \"signadot: forbidden\")\n end\nend\n"{{- end }}{{- else -}}"function envoy_on_request(request_handle)\n -- sample blocking rule\n local blockRequestHeader = request_handle:headers():get(\"sd-block-request\")\n if blockRequestHeader ~= nil and blockRequestHeader == 'true' then\n request_handle:respond({[\":status\"] = \"403\"}, \"signadot: forbidden\")\n end\nend\n"{{- end }} +kind: ConfigMap +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.configMapAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + sd-component: auditor + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.configMapLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-auditor-config + namespace: signadot 
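Review bot: The HTTP access-log sinks leave `additional_request_headers_to_log:` and `additional_response_headers_to_log:` as bare keys in both the inbound and outbound `HttpGrpcAccessLogConfig` blocks, which YAML reads as null rather than an empty list; Envoy tolerates an unset field, but the intent is explicit and linter-clean as `additional_request_headers_to_log: []` or by dropping the keys. The route under each `local_service` virtual host also appears to carry `maxStreamDuration` twice, once as a nested mapping and once as a scalar; the collapsed diff hides the indentation, so if both sit at the same level the later key silently overwrites the earlier one and only one should remain. The `inbound-rules.lua` and `outbound-rules.lua` data keys are rendered from chart values with `quote`, so a user-supplied script is emitted as one double-quoted YAML string; a comment above `config.yaml` stating that the two default `envoy_on_request` bodies are samples that only act on the `sd-block-request` header would tell operators they are expected to replace them.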
diff --git a/signadot/operator/templates/tunnel-cidrs-configmap.yaml b/signadot/operator/templates/tunnel-cidrs-configmap.yaml new file mode 100644 index 0000000..5e26a12 --- /dev/null +++ b/signadot/operator/templates/tunnel-cidrs-configmap.yaml @@ -0,0 +1,22 @@ +# This file is generated. Do not edit. +apiVersion: v1 +data: + cidr.yaml: {{ with .Values }}{{ with .tunnel }}{{ with .config }}{{ with .cidrs }}{{ . | quote}}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }} +kind: ConfigMap +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.configMapAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.configMapLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-cidrs + namespace: signadot diff --git a/signadot/operator/templates/tunnel-proxy-clusterrole.yaml b/signadot/operator/templates/tunnel-proxy-clusterrole.yaml new file mode 100644 index 0000000..8161d3e --- /dev/null +++ b/signadot/operator/templates/tunnel-proxy-clusterrole.yaml @@ -0,0 +1,25 @@ +# This file is generated. Do not edit. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-proxy +rules: +- apiGroups: + - signadot.com + resources: + - signadotexternalworkloads + verbs: + - get + - list + - watch + - create + - update + - delete 
diff --git a/signadot/operator/templates/tunnel-proxy-clusterrolebinding.yaml b/signadot/operator/templates/tunnel-proxy-clusterrolebinding.yaml new file mode 100644 index 0000000..e0d1f1a --- /dev/null +++ b/signadot/operator/templates/tunnel-proxy-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +# This file is generated. Do not edit. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tunnel-proxy +subjects: +- kind: ServiceAccount + name: tunnel-proxy + namespace: signadot diff --git a/signadot/operator/templates/tunnel-proxy-deployment.yaml b/signadot/operator/templates/tunnel-proxy-deployment.yaml new file mode 100644 index 0000000..753a824 --- /dev/null +++ b/signadot/operator/templates/tunnel-proxy-deployment.yaml 
@@ -0,0 +1,124 @@ +# This file is generated. Do not edit. +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-proxy + namespace: signadot +spec: +{{- if and .Values .Values.tunnel .Values.tunnel.proxy .Values.tunnel.proxy.replicas }} + replicas: {{ .Values.tunnel.proxy.replicas }} +{{- end }} + selector: + matchLabels: + app: tunnel-proxy +{{- if and .Values .Values.tunnel .Values.tunnel.proxy .Values.tunnel.proxy.strategy }} + strategy: +{{ toYaml .Values.tunnel.proxy.strategy | indent 10 }} +{{- end }} + template: + metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.podAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + app: tunnel-proxy + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + spec: + containers: + - env: + - name: DISABLE_SSH_TUNNEL + value: {{ with .Values }}{{ with .tunnel }}{{ with .config }}{{ with .disableSSH }}{{ . | quote}}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }} + - name: DISABLE_XAP_TUNNEL + value: {{ with .Values }}{{ with .tunnel }}{{ with .config }}{{ with .disableXAP }}{{ . | quote}}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }}{{- else -}}"false"{{- end }} + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .image }}{{ . 
| quote}}{{- else -}}signadot/tunnel-proxy:v0.13.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.13.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.13.0{{- end }}{{- else -}}signadot/tunnel-proxy:v0.13.0{{- end }} + imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .proxy }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }} + name: tunnel-proxy + ports: + - containerPort: 1080 + - containerPort: 5000 + - containerPort: 2222 + - containerPort: 7777 + - containerPort: 8001 +{{- if and .Values .Values.tunnel .Values.tunnel.proxy .Values.tunnel.proxy.resources }} + resources: +{{ toYaml .Values.tunnel.proxy.resources | indent 10 }} +{{- end }} + - args: + - -c + - /etc/config.yaml + command: + - envoy + image: envoyproxy/envoy:v1.26.1 + name: auditor + securityContext: + allowPrivilegeEscalation: false + runAsUser: 1011 + volumeMounts: + - mountPath: /etc/config.yaml + name: tunnel-auditor-config + subPath: config.yaml + - mountPath: /etc/lua/inbound-rules.lua + name: tunnel-auditor-config + subPath: inbound-rules.lua + - mountPath: /etc/lua/outbound-rules.lua + name: tunnel-auditor-config + subPath: outbound-rules.lua + - mountPath: /var/log + name: varlog + - mountPath: /usr/local/share/lua + name: luarocks + initContainers: + - env: + - name: LUA_ROCKS + value: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .luaRocks }}{{ . }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }}{{- else -}}""{{- end }} + - name: INBOUND_AUDITOR_PORT + value: "10000" + - name: OUTBOUND_AUDITOR_PORT + value: "10001" + image: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .init }}{{ with .image }}{{ . 
| quote}}{{- else -}}signadot/tunnel-auditor-init:v0.13.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.13.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.13.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.13.0{{- end }}{{- else -}}signadot/tunnel-auditor-init:v0.13.0{{- end }} + imagePullPolicy: {{ with .Values }}{{ with .tunnel }}{{ with .auditor }}{{ with .init }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }} + name: auditor-init + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: true + volumeMounts: + - mountPath: /var/log + name: varlog + - mountPath: /usr/local/share/lua + name: luarocks + serviceAccountName: tunnel-proxy + volumes: + - configMap: + name: tunnel-auditor-config + name: tunnel-auditor-config + - emptyDir: {} + name: varlog + - emptyDir: {} + name: luarocks diff --git a/signadot/operator/templates/tunnel-proxy-role.yaml b/signadot/operator/templates/tunnel-proxy-role.yaml new file mode 100644 index 0000000..23b337f --- /dev/null +++ b/signadot/operator/templates/tunnel-proxy-role.yaml @@ -0,0 +1,25 @@ +# This file is generated. Do not edit. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-proxy + namespace: signadot +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - delete diff --git a/signadot/operator/templates/tunnel-proxy-rolebinding.yaml b/signadot/operator/templates/tunnel-proxy-rolebinding.yaml new file mode 100644 index 0000000..45d7885 --- /dev/null +++ b/signadot/operator/templates/tunnel-proxy-rolebinding.yaml 
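Review bot: The `LUA_ROCKS` env value and the init container's `imagePullPolicy` render the user-supplied value with a bare `{{ . }}`, while every other templated value in this Deployment passes through `| quote`; an unquoted value that YAML types as a number or boolean is rejected by the API server for `env[].value`, and one containing `: ` or ` #` breaks the manifest. Changing both to `{{ . | quote }}` makes them consistent with the surrounding lines, since the `""` and `"IfNotPresent"` fallbacks are already quoted. Separately, `auditor-init` sets `privileged: true` and also adds `NET_ADMIN`; privileged already grants every capability, so the `add` is redundant, and if the init step only needs to program network rules, `NET_ADMIN` alone is the smaller grant worth verifying. The main `tunnel-proxy` container has no `securityContext` at all, unlike the `auditor` sidecar's `allowPrivilegeEscalation: false` and `runAsUser: 1011`, and the `subPath` mounts of `tunnel-auditor-config` mean ConfigMap edits do not reach running pods without a restart, which deserves a comment next to the `volumeMounts`.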
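Review bot: The Role grants `list` and `watch` on `secrets` across the whole `signadot` namespace, which lets the `tunnel-proxy` ServiceAccount read every Secret that other components store there, not only the ones it creates. If the proxy only needs the Secrets it manages itself, `get` and `delete` can be narrowed with `resourceNames`, and `list`/`watch` should stay only if an informer over those Secrets is genuinely required, because those two verbs cannot be scoped by name in RBAC. A short comment above `rules:` stating which Secrets the proxy creates and why namespace-wide listing is needed would document the grant for the next reviewer.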
@@ -0,0 +1,22 @@ +# This file is generated. Do not edit. +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-proxy + namespace: signadot +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: tunnel-proxy +subjects: +- kind: ServiceAccount + name: tunnel-proxy + namespace: signadot diff --git a/signadot/operator/templates/tunnel-proxy-service.yaml b/signadot/operator/templates/tunnel-proxy-service.yaml new file mode 100644 index 0000000..fb2b010 --- /dev/null +++ b/signadot/operator/templates/tunnel-proxy-service.yaml @@ -0,0 +1,34 @@ +# This file is generated. Do not edit. +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.serviceAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.serviceLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-proxy + namespace: signadot +spec: + ports: + - name: als + port: 5000 + - name: socks5 + port: 1080 + - name: revtun-ssh + port: 2222 + - name: revtun-xap + port: 7777 + - name: metrics + port: 8001 + selector: + app: tunnel-proxy diff --git a/signadot/operator/templates/tunnel-proxy-serviceaccount.yaml b/signadot/operator/templates/tunnel-proxy-serviceaccount.yaml new file mode 100644 index 0000000..0e87e0a --- /dev/null +++ b/signadot/operator/templates/tunnel-proxy-serviceaccount.yaml 
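Review bot: The Service publishes port 5000 (`als`) next to the SOCKS5 and tunnel ports, yet the Envoy access-log sink in this commit's auditor config reaches that port over `127.0.0.1` inside the pod; if nothing outside the pod consumes ALS, the Service entry widens reachability with no consumer and can be dropped. Without a `type` the Service is ClusterIP, so `socks5` on 1080 and the `revtun-*` ports are reachable from any pod in the cluster by default; a comment naming the intended clients, or an accompanying NetworkPolicy, would make that exposure deliberate.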
@@ -0,0 +1,14 @@ +# This file is generated. Do not edit. +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + {{- range $key, $val := .Values.commonAnnotations }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + labels: + {{- range $key, $val := .Values.commonLabels }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + name: tunnel-proxy + namespace: signadot