From 4f2cf2b71faa6799c51d26d8924663fb62f019d6 Mon Sep 17 00:00:00 2001 From: Jian Qiu Date: Tue, 2 Jul 2024 22:04:15 +0800 Subject: [PATCH] Update deps to 1.30 (#546) 
Signed-off-by: Jian Qiu --- Makefile | 37 +- .../config/operator/operator.yaml | 23 +- .../config/operator/service_account.yaml | 2 + .../config/rbac/cluster_role.yaml | 2 + .../config/rbac/cluster_role_binding.yaml | 2 + .../helm-charts/latest/Chart.yaml | 11 + ...ter-management.io_clustermanagers.crd.yaml | 538 ++++++++++++++++ .../latest/templates/cluster_role.yaml | 146 +++++ .../templates/cluster_role_binding.yaml | 12 + .../latest/templates/operator.yaml | 71 +++ .../latest/templates/service_account.yaml | 5 + .../helm-charts/latest/values.yaml | 60 ++ ...cluster-manager.clusterserviceversion.yaml | 7 +- .../klusterlet.clusterserviceversion.yaml | 2 +- .../klusterlet/config/operator/operator.yaml | 31 +- .../config/operator/service_account.yaml | 2 + .../klusterlet/config/rbac/cluster_role.yaml | 2 + .../config/rbac/cluster_role_binding.yaml | 2 + .../klusterlet/helm-charts/latest/Chart.yaml | 11 + deploy/klusterlet/helm-charts/latest/all.yaml | 182 ++++++ ...cluster-management.io_klusterlets.crd.yaml | 579 ++++++++++++++++++ .../latest/templates/agent_namespace.yaml | 8 + .../bootstrap_kubeconfig_secret.yaml | 10 + .../latest/templates/cluster_role.yaml | 69 +++ .../templates/cluster_role_binding.yaml | 12 + .../templates/external_kubeconfig_secret.yaml | 10 + .../latest/templates/klusterlet.yaml | 34 + .../latest/templates/operator.yaml | 76 +++ .../latest/templates/priority_class.yaml | 10 + .../latest/templates/service_account.yaml | 5 + .../klusterlet/helm-charts/latest/values.yaml | 101 +++ .../klusterlet.clusterserviceversion.yaml | 7 +- hack/copy-crds.sh | 2 + 33 files changed, 2040 insertions(+), 31 deletions(-) create mode 100644 deploy/cluster-manager/helm-charts/latest/Chart.yaml create mode 100644 deploy/cluster-manager/helm-charts/latest/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml create mode 100644 deploy/cluster-manager/helm-charts/latest/templates/cluster_role.yaml create mode 100644 
deploy/cluster-manager/helm-charts/latest/templates/cluster_role_binding.yaml create mode 100644 deploy/cluster-manager/helm-charts/latest/templates/operator.yaml create mode 100644 deploy/cluster-manager/helm-charts/latest/templates/service_account.yaml create mode 100644 deploy/cluster-manager/helm-charts/latest/values.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/Chart.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/all.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/crds/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/templates/agent_namespace.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/templates/bootstrap_kubeconfig_secret.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/templates/cluster_role.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/templates/cluster_role_binding.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/templates/external_kubeconfig_secret.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/templates/klusterlet.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/templates/operator.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/templates/priority_class.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/templates/service_account.yaml create mode 100644 deploy/klusterlet/helm-charts/latest/values.yaml diff --git a/Makefile b/Makefile index e13450c60..33b806b6a 100644 --- a/Makefile +++ b/Makefile @@ -21,6 +21,10 @@ OPERATOR_SDK?=$(PERMANENT_TMP_GOPATH)/bin/operator-sdk OPERATOR_SDK_VERSION?=v1.32.0 operatorsdk_gen_dir:=$(dir $(OPERATOR_SDK)) +HELM?=$(PERMANENT_TMP_GOPATH)/bin/helm +HELM_VERSION?=v3.14.0 +helm_gen_dir:=$(dir $(HELM)) + # RELEASED_CSV_VERSION is used to generate a released CSV manifests RELEASED_CSV_VERSION?=0.14.0 export RELEASED_CSV_VERSION 
@@ -30,12 +34,15 @@ CSV_VERSION?=9.9.9 export CSV_VERSION OPERATOR_SDK_ARCHOS:=linux_amd64 +HELM_ARCHOS:=linux-amd64 ifeq ($(GOHOSTOS),darwin) ifeq ($(GOHOSTARCH),amd64) OPERATOR_SDK_ARCHOS:=darwin_amd64 + HELM_ARCHOS:=darwin-amd64 endif ifeq ($(GOHOSTARCH),arm64) OPERATOR_SDK_ARCHOS:=darwin_arm64 + HELM_ARCHOS:=darwin-arm64 endif endif 
@@ -69,7 +76,17 @@ update: copy-crd update-csv test-unit: ensure-kubebuilder-tools -update-csv: ensure-operator-sdk +update-csv: ensure-operator-sdk ensure-operator-helm + $(HELM) template deploy/cluster-manager/helm-charts/latest --namespace=open-cluster-management -s templates/operator.yaml > deploy/cluster-manager/config/operator/operator.yaml + $(HELM) template deploy/cluster-manager/helm-charts/latest --namespace=open-cluster-management -s templates/service_account.yaml > deploy/cluster-manager/config/operator/service_account.yaml + $(HELM) template deploy/cluster-manager/helm-charts/latest --namespace=open-cluster-management -s templates/cluster_role.yaml > deploy/cluster-manager/config/rbac/cluster_role.yaml + $(HELM) template deploy/cluster-manager/helm-charts/latest --namespace=open-cluster-management -s templates/cluster_role_binding.yaml > deploy/cluster-manager/config/rbac/cluster_role_binding.yaml + + $(HELM) template deploy/klusterlet/helm-charts/latest --namespace=open-cluster-management -s templates/operator.yaml > deploy/klusterlet/config/operator/operator.yaml + $(HELM) template deploy/klusterlet/helm-charts/latest --namespace=open-cluster-management -s templates/service_account.yaml > deploy/klusterlet/config/operator/service_account.yaml + $(HELM) template deploy/klusterlet/helm-charts/latest --namespace=open-cluster-management -s templates/cluster_role.yaml > deploy/klusterlet/config/rbac/cluster_role.yaml + $(HELM) template deploy/klusterlet/helm-charts/latest --namespace=open-cluster-management -s templates/cluster_role_binding.yaml > deploy/klusterlet/config/rbac/cluster_role_binding.yaml + # update the replaces to released version in csv $(SED_CMD) -i 's/cluster-manager\.v[0-9]\+\.[0-9]\+\.[0-9]\+/cluster-manager\.v$(RELEASED_CSV_VERSION)/g' deploy/cluster-manager/config/manifests/bases/cluster-manager.clusterserviceversion.yaml $(SED_CMD) -i 's/klusterlet\.v[0-9]\+\.[0-9]\+\.[0-9]\+/klusterlet\.v$(RELEASED_CSV_VERSION)/g' 
deploy/klusterlet/config/manifests/bases/klusterlet.clusterserviceversion.yaml
@@ -116,3 +133,21 @@ ifeq "" "$(wildcard $(OPERATOR_SDK))"
 else
 $(info Using existing operator-sdk from "$(OPERATOR_SDK)")
 endif
+
+ensure-operator-helm:
+ifeq "" "$(wildcard $(HELM))"
+ $(info Installing helm into '$(HELM)')
+ mkdir -p '$(helm_gen_dir)'
+ curl -s -f -L https://get.helm.sh/helm-$(HELM_VERSION)-$(HELM_ARCHOS).tar.gz -o '$(helm_gen_dir)$(HELM_VERSION)-$(HELM_ARCHOS).tar.gz'
+ tar -zvxf '$(helm_gen_dir)/$(HELM_VERSION)-$(HELM_ARCHOS).tar.gz' -C $(helm_gen_dir)
+ mv $(helm_gen_dir)/$(HELM_ARCHOS)/helm $(HELM)
+ rm -rf $(helm_gen_dir)/$(HELM_ARCHOS)
+ chmod +x '$(HELM)';
+else
+ $(info Using existing helm from "$(HELM)")
+endif
+
+# Include the integration/e2e setup makefile.
+include ./test/integration-test.mk
+include ./test/e2e-test.mk
+include ./test/olm-test.mk
diff --git a/deploy/cluster-manager/config/operator/operator.yaml b/deploy/cluster-manager/config/operator/operator.yaml
index e226e7ab7..275632258 100644
--- a/deploy/cluster-manager/config/operator/operator.yaml
+++ b/deploy/cluster-manager/config/operator/operator.yaml
@@ -1,3 +1,5 @@
+---
+# Source: cluster-manager/templates/operator.yaml
 kind: Deployment
 apiVersion: apps/v1
 metadata:
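Review bot: Each of the eight `$(HELM) template … > deploy/…` lines in the new `update-csv` recipe truncates its tracked destination before helm has rendered anything, so a failed render (helm not yet usable, a template error, a wrong chart path) leaves an empty or partial file that the following sed lines and the next commit pick up as if it were valid output; no `.DELETE_ON_ERROR:` is visible and these outputs are not make targets, so nothing cleans that up. Render to a temporary file and move it into place only on success, which also lets the eight near-identical lines collapse into one helper. The remainder of the `update-csv` recipe may continue beyond this hunk.
```make
# Render one chart template into a tracked manifest, writing to a temp
# file first so a failed render cannot leave a truncated file behind.
# $(1) chart directory, $(2) template path inside the chart, $(3) output file
define render_template
$(HELM) template $(1) --namespace=open-cluster-management -s $(2) > $(3).tmp && mv -f $(3).tmp $(3)
endef

update-csv: ensure-operator-sdk ensure-operator-helm
	$(call render_template,deploy/cluster-manager/helm-charts/latest,templates/operator.yaml,deploy/cluster-manager/config/operator/operator.yaml)
	$(call render_template,deploy/cluster-manager/helm-charts/latest,templates/service_account.yaml,deploy/cluster-manager/config/operator/service_account.yaml)
# … unchanged: the remaining six render lines, converted the same way …
# … unchanged: sed replaces of the released CSV version …
```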
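Review bot: The helm tarball fetched by the `curl -s -f -L https://get.helm.sh/…` line in `ensure-operator-helm` is extracted and then used by `update-csv` to regenerate tracked manifests with no integrity check on what was downloaded, so the build trusts whatever the download returns. Pin the expected digest per `HELM_ARCHOS` next to `HELM_VERSION` (placeholder `HELM_SHA256?=<sha256 of helm-$(HELM_VERSION)-$(HELM_ARCHOS).tar.gz>`) and verify before the `tar` line with `echo "$(HELM_SHA256)  $(helm_gen_dir)$(HELM_VERSION)-$(HELM_ARCHOS).tar.gz" | sha256sum -c -` (`shasum -a 256 -c -` on the darwin hosts this Makefile supports); downloading the `.sha256sum` file published beside the tarball is weaker, since it shares the tarball's origin and only catches a corrupt transfer. Smaller points in the same recipe: `-s` hides curl's error text (`-sS` keeps it), the tarball is never removed after extraction, the `;` after `chmod +x '$(HELM)'` is stray, and the path is spelled `$(helm_gen_dir)$(HELM_VERSION)` on the curl line but `$(helm_gen_dir)/$(HELM_VERSION)` on the tar line (harmless double slash, since `$(dir …)` keeps its trailing slash, but inconsistent).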
@@ -18,28 +20,31 @@ spec: affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - weight: 70 - podAffinityTerm: - topologyKey: failure-domain.beta.kubernetes.io/zone + - podAffinityTerm: labelSelector: matchExpressions: - key: app operator: In values: - cluster-manager - - weight: 30 - podAffinityTerm: - topologyKey: kubernetes.io/hostname + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 70 + - podAffinityTerm: labelSelector: matchExpressions: - key: app operator: In values: - cluster-manager + topologyKey: kubernetes.io/hostname + weight: 30 + securityContext: + runAsNonRoot: true serviceAccountName: cluster-manager containers: - name: registration-operator image: quay.io/open-cluster-management/registration-operator:latest + imagePullPolicy: IfNotPresent args: - "/registration-operator" - "hub" @@ -52,10 +57,10 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL privileged: false - runAsNonRoot: true readOnlyRootFilesystem: true + runAsNonRoot: true livenessProbe: httpGet: path: /healthz @@ -70,6 +75,8 @@ spec: port: 8443 initialDelaySeconds: 2 resources: + limits: + memory: 2Gi requests: cpu: 2m memory: 16Mi diff --git a/deploy/cluster-manager/config/operator/service_account.yaml b/deploy/cluster-manager/config/operator/service_account.yaml index ff23929e6..5752d09a5 100644 --- a/deploy/cluster-manager/config/operator/service_account.yaml +++ b/deploy/cluster-manager/config/operator/service_account.yaml @@ -1,3 +1,5 @@ +--- +# Source: cluster-manager/templates/service_account.yaml apiVersion: v1 kind: ServiceAccount metadata: diff --git a/deploy/cluster-manager/config/rbac/cluster_role.yaml b/deploy/cluster-manager/config/rbac/cluster_role.yaml index 6dd0a9eb1..3d74b1cbf 100644 --- a/deploy/cluster-manager/config/rbac/cluster_role.yaml +++ b/deploy/cluster-manager/config/rbac/cluster_role.yaml 
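Review bot: `imagePullPolicy: IfNotPresent` on the registration-operator container sits under an image that is still tagged `:latest`; Kubernetes defaults the pull policy to `Always` for that tag, so the explicit `IfNotPresent` is a behaviour change: a node that already cached an older `latest` keeps running it and the hub can end up on mixed builds. Since this file is now rendered from the chart (per the `# Source:` header), the fix belongs in the chart template or its values rather than in this generated file — render `imagePullPolicy: Always` when the tag is `latest`, or pin an immutable tag. The Deployment spec continues outside this hunk.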
@@ -1,3 +1,5 @@ +--- +# Source: cluster-manager/templates/cluster_role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/deploy/cluster-manager/config/rbac/cluster_role_binding.yaml b/deploy/cluster-manager/config/rbac/cluster_role_binding.yaml index 082d8dd25..d9ed886a0 100644 --- a/deploy/cluster-manager/config/rbac/cluster_role_binding.yaml +++ b/deploy/cluster-manager/config/rbac/cluster_role_binding.yaml @@ -1,3 +1,5 @@ +--- +# Source: cluster-manager/templates/cluster_role_binding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/deploy/cluster-manager/helm-charts/latest/Chart.yaml b/deploy/cluster-manager/helm-charts/latest/Chart.yaml new file mode 100644 index 000000000..d45b442e5 --- /dev/null +++ b/deploy/cluster-manager/helm-charts/latest/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: cluster-manager +version: 9.9.9 +description: The Cluster Manager provides the multi-cluster hub, which can manage Kubernetes-based clusters across data centers, public clouds, and private clouds. This Helm Chart supports the installation and upgrade of ClusterManager. +type: application +keywords: + - open-cluster-management + - ClusterManager +home: https://open-cluster-management.io/ +sources: + - https://github.com/open-cluster-management-io/ocm diff --git a/deploy/cluster-manager/helm-charts/latest/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml b/deploy/cluster-manager/helm-charts/latest/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml new file mode 100644 index 000000000..8abdb8e37 --- /dev/null +++ b/deploy/cluster-manager/helm-charts/latest/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml 
@@ -0,0 +1,538 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustermanagers.operator.open-cluster-management.io +spec: + group: operator.open-cluster-management.io + names: + kind: ClusterManager + listKind: ClusterManagerList + plural: clustermanagers + singular: clustermanager + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ClusterManager configures the controllers on the hub that govern + registration and work distribution for attached Klusterlets. In Default + mode, ClusterManager will only be deployed in open-cluster-management-hub + namespace. In Hosted mode, ClusterManager will be deployed in the namespace + with the same name as cluster manager. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + default: + deployOption: + mode: Default + description: Spec represents a desired deployment configuration of controllers + that govern registration and work distribution for attached Klusterlets. 
+ properties: + addOnManagerConfiguration: + description: AddOnManagerConfiguration contains the configuration + of addon manager + properties: + featureGates: + description: 'FeatureGates represents the list of feature gates + for addon manager If it is set empty, default feature gates + will be used. If it is set, featuregate/Foo is an example of + one item in FeatureGates: 1. If featuregate/Foo does not exist, + registration-operator will discard it 2. If featuregate/Foo + exists and is false by default. It is now possible to set featuregate/Foo=[false|true] + 3. If featuregate/Foo exists and is true by default. If a cluster-admin + upgrading from 1 to 2 wants to continue having featuregate/Foo=false, + he can set featuregate/Foo=false before upgrading. Let''s say + the cluster-admin wants featuregate/Foo=false.' + items: + properties: + feature: + description: Feature is the key of feature gate. e.g. featuregate/Foo. + type: string + mode: + default: Disable + description: Mode is either Enable, Disable, "" where "" + is Disable by default. In Enable mode, a valid feature + gate `featuregate/Foo` will be set to "--featuregate/Foo=true". + In Disable mode, a valid feature gate `featuregate/Foo` + will be set to "--featuregate/Foo=false". + enum: + - Enable + - Disable + type: string + required: + - feature + type: object + type: array + type: object + addOnManagerImagePullSpec: + default: quay.io/open-cluster-management/addon-manager + description: AddOnManagerImagePullSpec represents the desired image + configuration of addon manager controller/webhook installed on hub. + type: string + deployOption: + default: + mode: Default + description: DeployOption contains the options of deploying a cluster-manager + Default mode is used if DeployOption is not set. + properties: + hosted: + description: Hosted includes configurations we need for clustermanager + in the Hosted mode. 
+ properties: + registrationWebhookConfiguration: + description: RegistrationWebhookConfiguration represents the + customized webhook-server configuration of registration. + properties: + address: + description: Address represents the address of a webhook-server. + It could be in IP format or fqdn format. The Address + must be reachable by apiserver of the hub cluster. + pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ + type: string + port: + default: 443 + description: Port represents the port of a webhook-server. + The default value of Port is 443. + format: int32 + maximum: 65535 + type: integer + required: + - address + type: object + workWebhookConfiguration: + description: WorkWebhookConfiguration represents the customized + webhook-server configuration of work. + properties: + address: + description: Address represents the address of a webhook-server. + It could be in IP format or fqdn format. The Address + must be reachable by apiserver of the hub cluster. + pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ + type: string + port: + default: 443 + description: Port represents the port of a webhook-server. + The default value of Port is 443. + format: int32 + maximum: 65535 + type: integer + required: + - address + type: object + type: object + mode: + default: Default + description: 'Mode can be Default or Hosted. In Default mode, + the Hub is installed as a whole and all parts of Hub are deployed + in the same cluster. In Hosted mode, only crd and configurations + are installed on one cluster(defined as hub-cluster). Controllers + run in another cluster (defined as management-cluster) and connect + to the hub with the kubeconfig in secret of "external-hub-kubeconfig"(a + kubeconfig of hub-cluster with cluster-admin permission). Note: + Do not modify the Mode field once it''s applied.' 
+ enum: + - Default + - Hosted + type: string + required: + - mode + type: object + nodePlacement: + description: NodePlacement enables explicit control over the scheduling + of the deployed pods. + properties: + nodeSelector: + additionalProperties: + type: string + description: NodeSelector defines which Nodes the Pods are scheduled + on. The default is an empty list. + type: object + tolerations: + description: Tolerations are attached by pods to tolerate any + taint that matches the triple using the matching + operator . The default is an empty list. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. 
+ type: string + type: object + type: array + type: object + placementImagePullSpec: + default: quay.io/open-cluster-management/placement + description: PlacementImagePullSpec represents the desired image configuration + of placement controller/webhook installed on hub. + type: string + registrationConfiguration: + description: RegistrationConfiguration contains the configuration + of registration + properties: + autoApproveUsers: + description: AutoApproveUser represents a list of users that can + auto approve CSR and accept client. If the credential of the + bootstrap-hub-kubeconfig matches to the users, the cluster created + by the bootstrap-hub-kubeconfig will be auto-registered into + the hub cluster. This takes effect only when ManagedClusterAutoApproval + feature gate is enabled. + items: + type: string + type: array + featureGates: + description: 'FeatureGates represents the list of feature gates + for registration If it is set empty, default feature gates will + be used. If it is set, featuregate/Foo is an example of one + item in FeatureGates: 1. If featuregate/Foo does not exist, + registration-operator will discard it 2. If featuregate/Foo + exists and is false by default. It is now possible to set featuregate/Foo=[false|true] + 3. If featuregate/Foo exists and is true by default. If a cluster-admin + upgrading from 1 to 2 wants to continue having featuregate/Foo=false, + he can set featuregate/Foo=false before upgrading. Let''s say + the cluster-admin wants featuregate/Foo=false.' + items: + properties: + feature: + description: Feature is the key of feature gate. e.g. featuregate/Foo. + type: string + mode: + default: Disable + description: Mode is either Enable, Disable, "" where "" + is Disable by default. In Enable mode, a valid feature + gate `featuregate/Foo` will be set to "--featuregate/Foo=true". + In Disable mode, a valid feature gate `featuregate/Foo` + will be set to "--featuregate/Foo=false". 
+ enum: + - Enable + - Disable + type: string + required: + - feature + type: object + type: array + type: object + registrationImagePullSpec: + default: quay.io/open-cluster-management/registration + description: RegistrationImagePullSpec represents the desired image + of registration controller/webhook installed on hub. + type: string + resourceRequirement: + description: ResourceRequirement specify QoS classes of deployments + managed by clustermanager. It applies to all the containers in the + deployments. + properties: + resourceRequirements: + description: ResourceRequirements defines resource requests and + limits when Type is ResourceQosClassResourceRequirement + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: + default: Default + enum: + - Default + - BestEffort + - ResourceRequirement + type: string + type: object + workConfiguration: + default: + workDriver: kube + description: WorkConfiguration contains the configuration of work + properties: + featureGates: + description: 'FeatureGates represents the list of feature gates + for work If it is set empty, default feature gates will be used. + If it is set, featuregate/Foo is an example of one item in FeatureGates: + 1. If featuregate/Foo does not exist, registration-operator + will discard it 2. If featuregate/Foo exists and is false by + default. It is now possible to set featuregate/Foo=[false|true] + 3. If featuregate/Foo exists and is true by default. If a cluster-admin + upgrading from 1 to 2 wants to continue having featuregate/Foo=false, + he can set featuregate/Foo=false before upgrading. Let''s say + the cluster-admin wants featuregate/Foo=false.' + items: + properties: + feature: + description: Feature is the key of feature gate. e.g. featuregate/Foo. + type: string + mode: + default: Disable + description: Mode is either Enable, Disable, "" where "" + is Disable by default. In Enable mode, a valid feature + gate `featuregate/Foo` will be set to "--featuregate/Foo=true". 
+ In Disable mode, a valid feature gate `featuregate/Foo` + will be set to "--featuregate/Foo=false". + enum: + - Enable + - Disable + type: string + required: + - feature + type: object + type: array + workDriver: + default: kube + description: "WorkDriver represents the type of work driver. Possible + values are \"kube\", \"mqtt\", or \"grpc\". If not provided, + the default value is \"kube\". If set to non-\"kube\" drivers, + the klusterlet need to use the same driver. and the driver configuration + must be provided in a secret named \"work-driver-config\" in + the namespace where the cluster manager is running, adhering + to the following structure: config.yaml: | + \n For detailed driver configuration, please refer to the sdk-go + documentation: https://github.com/open-cluster-management-io/sdk-go/blob/main/pkg/cloudevents/README.md#supported-protocols-and-drivers" + enum: + - kube + - mqtt + - grpc + type: string + type: object + workImagePullSpec: + default: quay.io/open-cluster-management/work + description: WorkImagePullSpec represents the desired image configuration + of work controller/webhook installed on hub. + type: string + type: object + status: + description: Status represents the current status of controllers that + govern the lifecycle of managed clusters. + properties: + conditions: + description: 'Conditions contain the different condition statuses + for this ClusterManager. Valid condition types are: Applied: Components + in hub are applied. Available: Components in hub are available and + ready to serve. Progressing: Components in hub are in a transitioning + state. Degraded: Components in hub do not match the desired configuration + and only provide degraded service.' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. 
For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + generations: + description: Generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. The definition matches the GenerationStatus defined in github.com/openshift/api/v1 + properties: + group: + description: group is the group of the resource that you're + tracking + type: string + lastGeneration: + description: lastGeneration is the last generation of the resource + that controller applies + format: int64 + type: integer + name: + description: name is the name of the resource that you're tracking + type: string + namespace: + description: namespace is where the resource that you're tracking + is + type: string + resource: + description: resource is the resource type of the resource that + you're tracking + type: string + version: + description: version is the version of the resource that you're + tracking + type: string + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + relatedResources: + description: RelatedResources are used to track the resources that + are related to this ClusterManager. 
+ items: + description: RelatedResourceMeta represents the resource that is + managed by an operator + properties: + group: + description: group is the group of the resource that you're + tracking + type: string + name: + description: name is the name of the resource that you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the resource that + you're tracking + type: string + version: + description: version is the version of the thing you're tracking + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/cluster-manager/helm-charts/latest/templates/cluster_role.yaml b/deploy/cluster-manager/helm-charts/latest/templates/cluster_role.yaml new file mode 100644 index 000000000..6dd0a9eb1 --- /dev/null +++ b/deploy/cluster-manager/helm-charts/latest/templates/cluster_role.yaml 
@@ -0,0 +1,146 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-manager
+rules:
+# Allow the registration-operator to create workload
+- apiGroups: [""]
+ resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
+ verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "update", "patch", "delete"]
+ resourceNames:
+ - "signer-secret"
+ - "registration-webhook-serving-cert"
+ - "work-webhook-serving-cert"
+ - "registration-controller-sa-kubeconfig"
+ - "registration-webhook-sa-kubeconfig"
+ - "work-webhook-sa-kubeconfig"
+ - "placement-controller-sa-kubeconfig"
+ - "work-controller-sa-kubeconfig"
+ - "addon-manager-controller-sa-kubeconfig"
+ - "external-hub-kubeconfig"
+ - "work-driver-config"
+ - "open-cluster-management-image-pull-credentials"
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create", "get"]
+- apiGroups: ["", "events.k8s.io"]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create", "patch", "update", "delete", "deletecollection"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterrolebindings", "rolebindings"]
+ verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles", "roles"]
+ verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+# Allow the registration-operator to create crds
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+# Allow the registration-operator to update crds status
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions/status"]
+ verbs: ["update", "patch"]
+# Allow the registration-operator to create apiservice
+- apiGroups: ["apiregistration.k8s.io"]
+ resources: ["apiservices"]
+ verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+# Allow the registration-operator to create validatingwebhookconfigurration
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+ verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+# Allow the nuclues to manage clustermanager apis.
+- apiGroups: ["operator.open-cluster-management.io"]
+ resources: ["clustermanagers"]
+ verbs: ["get", "list", "watch", "update", "delete", "patch"]
+- apiGroups: ["operator.open-cluster-management.io"]
+ resources: ["clustermanagers/status"]
+ verbs: ["update", "patch"]
+# Allow the registration-operator to create storageversionmigration
+- apiGroups: ["migration.k8s.io"]
+ resources: ["storageversionmigrations"]
+ verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+# Some rbac needed in cluster-manager
+- apiGroups: ["addon.open-cluster-management.io"]
+ resources: ["managedclusteraddons", "clustermanagementaddons"]
+ verbs: ["create", "update", "patch", "get", "list", "watch", "delete"]
+- apiGroups: ["addon.open-cluster-management.io"]
+ resources: ["managedclusteraddons/status", "clustermanagementaddons/status"]
+ verbs: ["patch", "update"]
+- apiGroups: ["addon.open-cluster-management.io"]
+ resources: [managedclusteraddons/finalizers, "clustermanagementaddons/finalizers"]
+ verbs: ["update"]
+- apiGroups: ["addon.open-cluster-management.io"]
+ resources: [addondeploymentconfigs, "addontemplates"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+- apiGroups: ["certificates.k8s.io"]
+ resources: ["certificatesigningrequests"]
+ verbs: ["create", "get", "list", "watch"]
+- apiGroups: ["certificates.k8s.io"]
+ resources: ["certificatesigningrequests/approval", "certificatesigningrequests/status"]
+ verbs: ["update"]
+- apiGroups: ["certificates.k8s.io"]
+ resources: ["signers"]
+ verbs: ["approve", "sign"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+ resources: ["managedclusters"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+ resources: ["managedclustersetbindings", "placements", "addonplacementscores"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+ resources: ["managedclustersets","placementdecisions"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+ resources: ["managedclusters/status","managedclustersetbindings/status", "managedclustersets/status", "placements/status", "placementdecisions/status"]
+ verbs: ["update", "patch"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+ resources: ["placements/finalizers"]
+ verbs: ["update"]
+- apiGroups: ["register.open-cluster-management.io"]
+ resources: ["managedclusters/clientcertificates"]
+ verbs: ["renew"]
+- apiGroups: ["register.open-cluster-management.io"]
+ resources: ["managedclusters/accept"]
+ verbs: ["update"]
+- apiGroups: ["work.open-cluster-management.io"]
+ resources: ["manifestworkreplicasets"]
+ verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"]
+- apiGroups: ["work.open-cluster-management.io"]
+ resources: ["manifestworkreplicasets/finalizers"]
+ verbs: ["update"]
+- apiGroups: ["work.open-cluster-management.io"]
+ resources: ["manifestworks"]
+ verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch", "execute-as"]
+- apiGroups: ["work.open-cluster-management.io"]
+ resources: ["manifestworks/status", "manifestworkreplicasets/status"]
+ verbs: ["update", "patch"]
+- apiGroups: ["flowcontrol.apiserver.k8s.io"]
+ resources: ["flowschemas", "prioritylevelconfigurations"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["config.openshift.io"]
+ resources: ["infrastructures"]
+ verbs: ["get"]
diff --git a/deploy/cluster-manager/helm-charts/latest/templates/cluster_role_binding.yaml b/deploy/cluster-manager/helm-charts/latest/templates/cluster_role_binding.yaml
new file mode 100644
index 000000000..2d7c84b56
--- /dev/null
+++ b/deploy/cluster-manager/helm-charts/latest/templates/cluster_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-manager
+subjects:
+- kind: ServiceAccount
+ name: cluster-manager
+ namespace: {{ .Release.Namespace }}
diff --git a/deploy/cluster-manager/helm-charts/latest/templates/operator.yaml b/deploy/cluster-manager/helm-charts/latest/templates/operator.yaml
new file mode 100644
index 000000000..0d80fbb41
--- /dev/null
+++ b/deploy/cluster-manager/helm-charts/latest/templates/operator.yaml
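Review bot: The `secrets` rule that carries `resourceNames` also grants `list` and `watch`, and with a resourceNames restriction the API server only honours those two verbs for requests that carry a `metadata.name` field selector matching one of the listed names (a plain list/watch of the namespace's secrets is denied), so the rule is either already being used that way by the operator or is silently ineffective — worth confirming against the controller and noting in a comment such as `# list/watch here only work with a metadata.name field selector`. `subjectaccessreviews` lists `verbs: ["create", "get"]`, but SubjectAccessReview is a create-only resource, so `verbs: ["create"]` expresses the real grant. Two rule comments carry typos — `validatingwebhookconfigurration` and `# Allow the nuclues to manage clustermanager apis.` (presumably `validatingwebhookconfiguration` and the registration-operator) — and two `resources:` lists mix bare and quoted scalars (`[managedclusteraddons/finalizers, "clustermanagementaddons/finalizers"]`, `[addondeploymentconfigs, "addontemplates"]`) where the rest of the file quotes consistently.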
@@ -0,0 +1,71 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: cluster-manager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: cluster-manager
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: cluster-manager
+ template:
+ metadata:
+ labels:
+ app: cluster-manager
+ spec:
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: cluster-manager
+ containers:
+ - name: registration-operator
+ image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - "/registration-operator"
+ - "hub"
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ scheme: HTTPS
+ port: 8443
+ initialDelaySeconds: 2
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ scheme: HTTPS
+ port: 8443
+ initialDelaySeconds: 2
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ volumeMounts:
+ - name: tmpdir
+ mountPath: /tmp
+ volumes:
+ - name: tmpdir
+ emptyDir: { }
diff --git a/deploy/cluster-manager/helm-charts/latest/templates/service_account.yaml b/deploy/cluster-manager/helm-charts/latest/templates/service_account.yaml
new file mode 100644
index 000000000..66e42721f
--- /dev/null
+++ b/deploy/cluster-manager/helm-charts/latest/templates/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cluster-manager
+ namespace: {{ .Release.Namespace }}
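Review bot: `image: {{ .Values.image.repository }}:{{ .Values.image.tag }}` gives a user no way to pin the operator to an immutable reference, and the chart's defaults (`tag: latest` with `pullPolicy: IfNotPresent`) mean a node that has already cached `latest` keeps the old binary after an upgrade; accepting a digest form of the reference (constructed example: `image: "{{ .Values.image.repository }}@sha256:<digest>"` when a digest value is set) or at least documenting that `tag` should be a release version would close that supply-chain gap. The rendered `all.yaml` elsewhere in this commit quotes its image string, so `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` would also keep the two consistent. Both `securityContext:` blocks are rendered unconditionally from values, which is fine, but a short comment above them saying that `.Values.securityContext` is expected to retain the restricted-profile fields from values.yaml would make it clear that a user override replaces the whole block rather than merging into it.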
diff --git a/deploy/cluster-manager/helm-charts/latest/values.yaml b/deploy/cluster-manager/helm-charts/latest/values.yaml
new file mode 100644
index 000000000..1b3e04f0c
--- /dev/null
+++ b/deploy/cluster-manager/helm-charts/latest/values.yaml
@@ -0,0 +1,60 @@
+# Default values for cluster manager.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 3
+
+image:
+ repository: quay.io/open-cluster-management/registration-operator
+ pullPolicy: IfNotPresent
+ tag: latest
+
+
+imagePullSecrets: []
+
+podSecurityContext:
+ runAsNonRoot: true
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+
+
+resources:
+ requests:
+ cpu: 2m
+ memory: 16Mi
+ limits:
+ memory: 2Gi
+
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 70
+ podAffinityTerm:
+ topologyKey: failure-domain.beta.kubernetes.io/zone
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - cluster-manager
+ - weight: 30
+ podAffinityTerm:
+ topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - cluster-manager
diff --git a/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml b/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml
index cb8585907..db31fbdb4 100644
--- a/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml
+++ b/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml
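Review bot: The container `securityContext` defaults stop one field short of the Kubernetes restricted Pod Security Standard: `runAsNonRoot`, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` are all set, but no `seccompProfile` is, and the restricted profile rejects pods with no seccomp profile at all, so a namespace enforcing `restricted` will refuse this deployment; adding `seccompProfile: {type: RuntimeDefault}` under `securityContext` (or `podSecurityContext`) closes that gap. The first anti-affinity term uses `topologyKey: failure-domain.beta.kubernetes.io/zone`, a node label deprecated in favour of `topology.kubernetes.io/zone` since Kubernetes 1.17; because the term is only preferred, clusters whose nodes no longer carry the old label make it a silent no-op rather than a scheduling error. `tag: latest` next to `pullPolicy: IfNotPresent` deserves a comment in this file too, since a chart upgrade will not refresh an image a node has already pulled under that tag.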
@@ -59,7 +59,7 @@ metadata: categories: Integration & Delivery,OpenShift Optional certified: "false" containerImage: quay.io/open-cluster-management/registration-operator:latest - createdAt: "2024-06-25T00:11:29Z" + createdAt: "2024-07-03T01:32:24Z" description: Manages the installation and upgrade of the ClusterManager. operators.operatorframework.io/builder: operator-sdk-v1.32.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 @@ -553,6 +553,7 @@ spec: fieldRef: fieldPath: metadata.name image: quay.io/open-cluster-management/registration-operator:latest + imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -568,6 +569,8 @@ spec: scheme: HTTPS initialDelaySeconds: 2 resources: + limits: + memory: 2Gi requests: cpu: 2m memory: 16Mi @@ -582,6 +585,8 @@ spec: volumeMounts: - mountPath: /tmp name: tmpdir + securityContext: + runAsNonRoot: true serviceAccountName: cluster-manager volumes: - emptyDir: {} diff --git a/deploy/klusterlet/config/manifests/bases/klusterlet.clusterserviceversion.yaml b/deploy/klusterlet/config/manifests/bases/klusterlet.clusterserviceversion.yaml index d5d8cfcca..5e8895dfe 100644 --- a/deploy/klusterlet/config/manifests/bases/klusterlet.clusterserviceversion.yaml +++ b/deploy/klusterlet/config/manifests/bases/klusterlet.clusterserviceversion.yaml @@ -23,7 +23,7 @@ spec: name: klusterlets.operator.open-cluster-management.io version: v1 description: | - The Klusterlet proivdes the registation to the Hub clusters as a managed cluster. This operator supports the installation and upgrade of Klusterlet. + The Klusterlet provides the registration to the Hub clusters as a managed cluster. This operator supports the installation and upgrade of Klusterlet. ## Prerequisites You need a Hub cluster which has installed ClusterManager. diff --git a/deploy/klusterlet/config/operator/operator.yaml b/deploy/klusterlet/config/operator/operator.yaml index 3930c5c04..e2a99451b 100644 
--- a/deploy/klusterlet/config/operator/operator.yaml +++ b/deploy/klusterlet/config/operator/operator.yaml @@ -1,3 +1,5 @@ +--- +# Source: klusterlet/templates/operator.yaml kind: Deployment apiVersion: apps/v1 metadata: @@ -20,30 +22,31 @@ spec: affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - weight: 70 - podAffinityTerm: - topologyKey: failure-domain.beta.kubernetes.io/zone + - podAffinityTerm: labelSelector: matchExpressions: - key: app operator: In values: - klusterlet - - weight: 30 - podAffinityTerm: - topologyKey: kubernetes.io/hostname + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 70 + - podAffinityTerm: labelSelector: matchExpressions: - key: app operator: In values: - klusterlet + topologyKey: kubernetes.io/hostname + weight: 30 serviceAccountName: klusterlet securityContext: runAsNonRoot: true containers: - name: klusterlet image: quay.io/open-cluster-management/registration-operator:latest + imagePullPolicy: IfNotPresent args: - "/registration-operator" - "klusterlet" @@ -56,10 +59,10 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL privileged: false - runAsNonRoot: true readOnlyRootFilesystem: true + runAsNonRoot: true livenessProbe: httpGet: path: /healthz @@ -74,6 +77,8 @@ spec: port: 8443 initialDelaySeconds: 2 resources: + limits: + memory: 2Gi requests: cpu: 2m memory: 16Mi @@ -83,13 +88,3 @@ spec: volumes: - name: tmpdir emptyDir: { } - - # Uncomment the following configuration lines to add hostAliases for hub api server, - # if the server field in your hub cluster kubeconfig is a domain name instead of an ipv4 address. - # For example, https://xxx.yyy.zzz. - # hostAliases: - # - hostnames: - # set the target hostname - # - xxx.yyy.zzz - # set the target ipv4 address - # ip: 1.2.3.4 diff --git a/deploy/klusterlet/config/operator/service_account.yaml b/deploy/klusterlet/config/operator/service_account.yaml index cb080b355..cc3bb45b7 100644 
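Review bot: The final hunk deletes the commented `hostAliases` guidance (hub API server addressed by domain name rather than IP) without pointing at a replacement, and the new `# Source: klusterlet/templates/operator.yaml` header implies this file is now rendered from the chart, in which case hand edits here will be overwritten on the next render. A banner such as `# Rendered from deploy/klusterlet/helm-charts; do not edit by hand` would make that explicit, and since the Klusterlet CRD in this same commit exposes `spec.hubApiServerHostAlias`, naming that field in the banner would preserve the guidance the deleted comment used to give. The diffstat also touches hack/copy-crds.sh, which may be where the rendering is driven — worth confirming and referencing from the banner if so.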
--- a/deploy/klusterlet/config/operator/service_account.yaml +++ b/deploy/klusterlet/config/operator/service_account.yaml @@ -1,3 +1,5 @@ +--- +# Source: klusterlet/templates/service_account.yaml apiVersion: v1 kind: ServiceAccount metadata: diff --git a/deploy/klusterlet/config/rbac/cluster_role.yaml b/deploy/klusterlet/config/rbac/cluster_role.yaml index 2f7765a94..a10f9e323 100644 --- a/deploy/klusterlet/config/rbac/cluster_role.yaml +++ b/deploy/klusterlet/config/rbac/cluster_role.yaml @@ -1,3 +1,5 @@ +--- +# Source: klusterlet/templates/cluster_role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/deploy/klusterlet/config/rbac/cluster_role_binding.yaml b/deploy/klusterlet/config/rbac/cluster_role_binding.yaml index 367753ac0..7f41de190 100644 --- a/deploy/klusterlet/config/rbac/cluster_role_binding.yaml +++ b/deploy/klusterlet/config/rbac/cluster_role_binding.yaml @@ -1,3 +1,5 @@ +--- +# Source: klusterlet/templates/cluster_role_binding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/deploy/klusterlet/helm-charts/latest/Chart.yaml b/deploy/klusterlet/helm-charts/latest/Chart.yaml new file mode 100644 index 000000000..e400d8814 --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: klusterlet +version: 9.9.9 +description: The Klusterlet provides the registration to the Hub clusters as a managed cluster. This operator supports the installation and upgrade of Klusterlet. +type: application +keywords: + - open-cluster-management + - klusterlet +home: https://open-cluster-management.io/ +sources: + - https://github.com/open-cluster-management-io/ocm diff --git a/deploy/klusterlet/helm-charts/latest/all.yaml b/deploy/klusterlet/helm-charts/latest/all.yaml new file mode 100644 index 000000000..0391860ab --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/all.yaml 
@@ -0,0 +1,182 @@ +--- +# Source: klusterlet/templates/service_account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: klusterlet + namespace: default +--- +# Source: klusterlet/templates/cluster_role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: klusterlet +rules: +# Allow the registration-operator to create workload +- apiGroups: [""] + resources: ["configmaps", "serviceaccounts"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["update", "get", "list", "watch", "delete"] + resourceNames: + - "open-cluster-management-image-pull-credentials" + - "bootstrap-hub-kubeconfig" + - "hub-kubeconfig-secret" + - "external-managed-kubeconfig" + - "external-managed-kubeconfig-work" + - "external-managed-kubeconfig-registration" + - "external-managed-kubeconfig-agent" +# get pods and replicasets is for event creation +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] +- apiGroups: [ "apps" ] + resources: [ "replicasets" ] + verbs: [ "get" ] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "get", "list", "update", "watch", "patch"] +- apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] +- apiGroups: ["", "events.k8s.io"] + resources: ["events"] + verbs: ["create", "patch", "update"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterrolebindings", "rolebindings"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +- apiGroups: 
["rbac.authorization.k8s.io"] + resources: ["clusterroles", "roles"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "escalate", "bind"] +# Allow the registration-operator to create crds +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +# Allow the registration-operator to manage klusterlet apis. +- apiGroups: ["operator.open-cluster-management.io"] + resources: ["klusterlets"] + verbs: ["get", "list", "watch", "update", "patch", "delete"] +- apiGroups: ["operator.open-cluster-management.io"] + resources: ["klusterlets/status"] + verbs: ["update", "patch"] +# Allow the registration-operator to update the appliedmanifestworks finalizer. +- apiGroups: ["work.open-cluster-management.io"] + resources: ["appliedmanifestworks"] + verbs: ["list", "update", "patch"] +--- +# Source: klusterlet/templates/cluster_role_binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: klusterlet +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: klusterlet +subjects: +- kind: ServiceAccount + name: klusterlet + namespace: default +--- +# Source: klusterlet/templates/operator.yaml +kind: Deployment +apiVersion: apps/v1 +metadata: + name: klusterlet + namespace: default + labels: + app: klusterlet +spec: + replicas: 3 + selector: + matchLabels: + app: klusterlet + template: + metadata: + annotations: + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + labels: + app: klusterlet + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - klusterlet + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 70 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - klusterlet + 
topologyKey: kubernetes.io/hostname + weight: 30 + serviceAccountName: klusterlet + securityContext: + runAsNonRoot: true + containers: + - name: klusterlet + image: "quay.io/open-cluster-management/registration-operator:latest" + imagePullPolicy: IfNotPresent + args: + - "/registration-operator" + - "klusterlet" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + livenessProbe: + httpGet: + path: /healthz + scheme: HTTPS + port: 8443 + initialDelaySeconds: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /healthz + scheme: HTTPS + port: 8443 + initialDelaySeconds: 2 + resources: + limits: + memory: 2Gi + requests: + cpu: 2m + memory: 16Mi + volumeMounts: + - name: tmpdir + mountPath: /tmp + volumes: + - name: tmpdir + emptyDir: { } diff --git a/deploy/klusterlet/helm-charts/latest/crds/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml b/deploy/klusterlet/helm-charts/latest/crds/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml new file mode 100644 index 000000000..dd4e3087e --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/crds/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml 
@@ -0,0 +1,579 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: klusterlets.operator.open-cluster-management.io +spec: + group: operator.open-cluster-management.io + names: + kind: Klusterlet + listKind: KlusterletList + plural: klusterlets + singular: klusterlet + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Klusterlet represents controllers to install the resources for + a managed cluster. When configured, the Klusterlet requires a secret named + bootstrap-hub-kubeconfig in the agent namespace to allow API requests to + the hub for the registration protocol. In Hosted mode, the Klusterlet requires + an additional secret named external-managed-kubeconfig in the agent namespace + to allow API requests to the managed cluster for resources installation. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec represents the desired deployment configuration of Klusterlet + agent. + properties: + clusterName: + description: ClusterName is the name of the managed cluster to be + created on hub. The Klusterlet agent generates a random name if + it is not set, or discovers the appropriate cluster name on OpenShift. 
+ maxLength: 63 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + deployOption: + description: DeployOption contains the options of deploying a klusterlet + properties: + mode: + description: 'Mode can be Default, Hosted, Singleton or SingletonHosted. + It is Default mode if not specified In Default mode, all klusterlet + related resources are deployed on the managed cluster. In Hosted + mode, only crd and configurations are installed on the spoke/managed + cluster. Controllers run in another cluster (defined as management-cluster) + and connect to the mangaged cluster with the kubeconfig in secret + of "external-managed-kubeconfig"(a kubeconfig of managed-cluster + with cluster-admin permission). In Singleton mode, registration/work + agent is started as a single deployment. In SingletonHosted + mode, agent is started as a single deployment in hosted mode. + Note: Do not modify the Mode field once it''s applied.' + type: string + type: object + externalServerURLs: + description: ExternalServerURLs represents a list of apiserver urls + and ca bundles that is accessible externally If it is set empty, + managed cluster has no externally accessible url that hub cluster + can visit. + items: + description: ServerURL represents the apiserver url and ca bundle + that is accessible externally + properties: + caBundle: + description: CABundle is the ca bundle to connect to apiserver + of the managed cluster. System certs are used if it is not + set. + format: byte + type: string + url: + description: URL is the url of apiserver endpoint of the managed + cluster. + type: string + type: object + type: array + hubApiServerHostAlias: + description: HubApiServerHostAlias contains the host alias for hub + api server. registration-agent and work-agent will use it to communicate + with hub api server. + properties: + hostname: + description: Hostname for the above IP address. 
+ pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ + type: string + ip: + description: IP address of the host file entry. + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ + type: string + required: + - hostname + - ip + type: object + imagePullSpec: + description: ImagePullSpec represents the desired image configuration + of agent, it takes effect only when singleton mode is set. quay.io/open-cluster-management.io/registration-operator:latest + will be used if unspecified + type: string + namespace: + description: Namespace is the namespace to deploy the agent on the + managed cluster. The namespace must have a prefix of "open-cluster-management-", + and if it is not set, the namespace of "open-cluster-management-agent" + is used to deploy agent. In addition, the add-ons are deployed to + the namespace of "{Namespace}-addon". In the Hosted mode, this namespace + still exists on the managed cluster to contain necessary resources, + like service accounts, roles and rolebindings, while the agent is + deployed to the namespace with the same name as klusterlet on the + management cluster. + maxLength: 57 + pattern: ^open-cluster-management-[-a-z0-9]*[a-z0-9]$ + type: string + nodePlacement: + description: NodePlacement enables explicit control over the scheduling + of the deployed pods. + properties: + nodeSelector: + additionalProperties: + type: string + description: NodeSelector defines which Nodes the Pods are scheduled + on. The default is an empty list. + type: object + tolerations: + description: Tolerations are attached by pods to tolerate any + taint that matches the triple using the matching + operator . The default is an empty list. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . 
+ properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + priorityClassName: + description: PriorityClassName is the name of the PriorityClass that + will be used by the deployed klusterlet agent. It will be ignored + when the PriorityClass/v1 API is not available on the managed cluster. + type: string + registrationConfiguration: + description: RegistrationConfiguration contains the configuration + of registration + properties: + bootstrapKubeConfigs: + description: "BootstrapKubeConfigs defines the ordered list of + bootstrap kubeconfigs. The order decides which bootstrap kubeconfig + to use first when rebootstrap. 
\n When the agent loses the connection + to the current hub over HubConnectionTimeoutSeconds, or the + managedcluster CR is set `hubAcceptsClient=false` on the hub, + the controller marks the related bootstrap kubeconfig as \"failed\". + \n A failed bootstrapkubeconfig won't be used for the duration + specified by SkipFailedBootstrapKubeConfigSeconds. But if the + user updates the content of a failed bootstrapkubeconfig, the + \"failed\" mark will be cleared." + properties: + localSecretsConfig: + description: LocalSecretsConfig include a list of secrets + that contains the kubeconfigs for ordered bootstrap kubeconifigs. + The secrets must be in the same namespace where the agent + controller runs. + properties: + hubConnectionTimeoutSeconds: + default: 600 + description: HubConnectionTimeoutSeconds is used to set + the timeout of connecting to the hub cluster. When agent + loses the connection to the hub over the timeout seconds, + the agent do a rebootstrap. By default is 10 mins. + format: int32 + minimum: 180 + type: integer + kubeConfigSecrets: + description: KubeConfigSecrets is a list of secret names. + The secrets are in the same namespace where the agent + controller runs. + items: + properties: + name: + description: Name is the name of the secret. + type: string + type: object + type: array + type: object + type: + default: None + description: Type specifies the type of priority bootstrap + kubeconfigs. By default, it is set to None, representing + no priority bootstrap kubeconfigs are set. + enum: + - None + - LocalSecrets + type: string + type: object + clientCertExpirationSeconds: + description: clientCertExpirationSeconds represents the seconds + of a client certificate to expire. If it is not set or 0, the + default duration seconds will be set by the hub cluster. If + the value is larger than the max signing duration seconds set + on the hub cluster, the max signing duration seconds will be + set. 
+ format: int32 + type: integer + clusterAnnotations: + additionalProperties: + type: string + description: ClusterAnnotations is annotations with the reserve + prefix "agent.open-cluster-management.io" set on ManagedCluster + when creating only, other actors can update it afterwards. + type: object + featureGates: + description: 'FeatureGates represents the list of feature gates + for registration If it is set empty, default feature gates will + be used. If it is set, featuregate/Foo is an example of one + item in FeatureGates: 1. If featuregate/Foo does not exist, + registration-operator will discard it 2. If featuregate/Foo + exists and is false by default. It is now possible to set featuregate/Foo=[false|true] + 3. If featuregate/Foo exists and is true by default. If a cluster-admin + upgrading from 1 to 2 wants to continue having featuregate/Foo=false, + he can set featuregate/Foo=false before upgrading. Let''s say + the cluster-admin wants featuregate/Foo=false.' + items: + properties: + feature: + description: Feature is the key of feature gate. e.g. featuregate/Foo. + type: string + mode: + default: Disable + description: Mode is either Enable, Disable, "" where "" + is Disable by default. In Enable mode, a valid feature + gate `featuregate/Foo` will be set to "--featuregate/Foo=true". + In Disable mode, a valid feature gate `featuregate/Foo` + will be set to "--featuregate/Foo=false". + enum: + - Enable + - Disable + type: string + required: + - feature + type: object + type: array + kubeAPIBurst: + default: 100 + description: 'KubeAPIBurst indicates the maximum burst of the + throttle while talking with apiserver of hub cluster from the + spoke cluster. If it is set empty, use the default value: 100' + format: int32 + type: integer + kubeAPIQPS: + default: 50 + description: 'KubeAPIQPS indicates the maximum QPS while talking + with apiserver of hub cluster from the spoke cluster. 
If it + is set empty, use the default value: 50' + format: int32 + type: integer + type: object + registrationImagePullSpec: + description: RegistrationImagePullSpec represents the desired image + configuration of registration agent. quay.io/open-cluster-management.io/registration:latest + will be used if unspecified. + type: string + resourceRequirement: + description: ResourceRequirement specify QoS classes of deployments + managed by klusterlet. It applies to all the containers in the deployments. + properties: + resourceRequirements: + description: ResourceRequirements defines resource requests and + limits when Type is ResourceQosClassResourceRequirement + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: + default: Default + enum: + - Default + - BestEffort + - ResourceRequirement + type: string + type: object + workConfiguration: + description: WorkConfiguration contains the configuration of work + properties: + appliedManifestWorkEvictionGracePeriod: + description: AppliedManifestWorkEvictionGracePeriod is the eviction + grace period the work agent will wait before evicting the AppliedManifestWorks, + whose corresponding ManifestWorks are missing on the hub cluster, + from the managed cluster. If not present, the default value + of the work agent will be used. + pattern: ^([0-9]+(s|m|h))+$ + type: string + featureGates: + description: 'FeatureGates represents the list of feature gates + for work If it is set empty, default feature gates will be used. + If it is set, featuregate/Foo is an example of one item in FeatureGates: + 1. If featuregate/Foo does not exist, registration-operator + will discard it 2. If featuregate/Foo exists and is false by + default. It is now possible to set featuregate/Foo=[false|true] + 3. If featuregate/Foo exists and is true by default. If a cluster-admin + upgrading from 1 to 2 wants to continue having featuregate/Foo=false, + he can set featuregate/Foo=false before upgrading. 
Let''s say + the cluster-admin wants featuregate/Foo=false.' + items: + properties: + feature: + description: Feature is the key of feature gate. e.g. featuregate/Foo. + type: string + mode: + default: Disable + description: Mode is either Enable, Disable, "" where "" + is Disable by default. In Enable mode, a valid feature + gate `featuregate/Foo` will be set to "--featuregate/Foo=true". + In Disable mode, a valid feature gate `featuregate/Foo` + will be set to "--featuregate/Foo=false". + enum: + - Enable + - Disable + type: string + required: + - feature + type: object + type: array + kubeAPIBurst: + default: 100 + description: 'KubeAPIBurst indicates the maximum burst of the + throttle while talking with apiserver of hub cluster from the + spoke cluster. If it is set empty, use the default value: 100' + format: int32 + type: integer + kubeAPIQPS: + default: 50 + description: 'KubeAPIQPS indicates the maximum QPS while talking + with apiserver of hub cluster from the spoke cluster. If it + is set empty, use the default value: 50' + format: int32 + type: integer + type: object + workImagePullSpec: + description: WorkImagePullSpec represents the desired image configuration + of work agent. quay.io/open-cluster-management.io/work:latest will + be used if unspecified. + type: string + type: object + status: + description: Status represents the current status of Klusterlet agent. + properties: + conditions: + description: 'Conditions contain the different condition statuses + for this Klusterlet. Valid condition types are: Applied: Components + have been applied in the managed cluster. Available: Components + in the managed cluster are available and ready to serve. Progressing: + Components in the managed cluster are in a transitioning state. + Degraded: Components in the managed cluster do not match the desired + configuration and only provide degraded service.' 
+ items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + generations: + description: Generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. 
The definition matches the GenerationStatus defined in github.com/openshift/api/v1 + properties: + group: + description: group is the group of the resource that you're + tracking + type: string + lastGeneration: + description: lastGeneration is the last generation of the resource + that controller applies + format: int64 + type: integer + name: + description: name is the name of the resource that you're tracking + type: string + namespace: + description: namespace is where the resource that you're tracking + is + type: string + resource: + description: resource is the resource type of the resource that + you're tracking + type: string + version: + description: version is the version of the resource that you're + tracking + type: string + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + relatedResources: + description: RelatedResources are used to track the resources that + are related to this Klusterlet. + items: + description: RelatedResourceMeta represents the resource that is + managed by an operator + properties: + group: + description: group is the group of the resource that you're + tracking + type: string + name: + description: name is the name of the resource that you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the resource that + you're tracking + type: string + version: + description: version is the version of the thing you're tracking + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/deploy/klusterlet/helm-charts/latest/templates/agent_namespace.yaml b/deploy/klusterlet/helm-charts/latest/templates/agent_namespace.yaml new file mode 100644 index 000000000..a3b8efb1c --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/templates/agent_namespace.yaml @@ -0,0 +1,8 @@ +{{- if .Values.agentNamespace }} +apiVersion: v1 +kind: Namespace +metadata: + annotations: + workload.openshift.io/allowed: "management" + name: {{ .Values.agentNamespace }} +{{- end }} diff --git a/deploy/klusterlet/helm-charts/latest/templates/bootstrap_kubeconfig_secret.yaml b/deploy/klusterlet/helm-charts/latest/templates/bootstrap_kubeconfig_secret.yaml new file mode 100644 index 000000000..e483982c8 --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/templates/bootstrap_kubeconfig_secret.yaml @@ -0,0 +1,10 @@ +{{- if .Values.bootstrapHubKubeConfig }} +apiVersion: v1 +kind: Secret +metadata: + name: bootstrap-hub-kubeconfig + namespace: {{ .Values.agentNamespace }} +type: Opaque +data: + kubeconfig: {{ .Values.bootstrapHubKubeConfig }} +{{- end }} diff --git a/deploy/klusterlet/helm-charts/latest/templates/cluster_role.yaml b/deploy/klusterlet/helm-charts/latest/templates/cluster_role.yaml new file mode 100644 index 000000000..2f7765a94 --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/templates/cluster_role.yaml 
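Review bot: The Namespace created for the agents carries only the `workload.openshift.io/allowed` annotation and no Pod Security Admission labels, so whatever the klusterlet later deploys there is admitted under the cluster-wide default. Since the operator pod itself ships with a restricted-compatible securityContext, the namespace could at least be labelled in audit/warn mode, e.g. `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` under `metadata.labels`, with a comment on whether `enforce` is supported. I cannot confirm from this diff that the registration and work agents satisfy the restricted profile, so `enforce` should only follow once they have been checked.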
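Review bot: The Secret writes `.Values.bootstrapHubKubeConfig` verbatim into `data.kubeconfig`, which requires a base64-encoded value; a raw kubeconfig passed with `--set-file` renders an invalid Secret and nothing in the template or values.yaml says which form is expected. Either accept the raw file and encode it, `kubeconfig: {{ .Values.bootstrapHubKubeConfig | b64enc }}`, or keep `data:` and document in values.yaml that the value must already be base64. The template guards only on `bootstrapHubKubeConfig` while `namespace` comes from `agentNamespace`, whose default is `""`, so the Secret can silently land in the release namespace instead of where the agent looks for it; `namespace: {{ required "agentNamespace is required when bootstrapHubKubeConfig is set" .Values.agentNamespace }}` would fail fast. Note also that Helm persists supplied values in its release Secret, so the hub bootstrap credential is stored twice in the managed cluster; that deserves a comment in values.yaml.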
@@ -0,0 +1,69 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: klusterlet +rules: +# Allow the registration-operator to create workload +- apiGroups: [""] + resources: ["configmaps", "serviceaccounts"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["update", "get", "list", "watch", "delete"] + resourceNames: + - "open-cluster-management-image-pull-credentials" + - "bootstrap-hub-kubeconfig" + - "hub-kubeconfig-secret" + - "external-managed-kubeconfig" + - "external-managed-kubeconfig-work" + - "external-managed-kubeconfig-registration" + - "external-managed-kubeconfig-agent" +# get pods and replicasets is for event creation +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] +- apiGroups: [ "apps" ] + resources: [ "replicasets" ] + verbs: [ "get" ] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "get", "list", "update", "watch", "patch"] +- apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] +- apiGroups: ["", "events.k8s.io"] + resources: ["events"] + verbs: ["create", "patch", "update"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterrolebindings", "rolebindings"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles", "roles"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "escalate", "bind"] +# Allow the registration-operator to create crds +- apiGroups: 
["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +# Allow the registration-operator to manage klusterlet apis. +- apiGroups: ["operator.open-cluster-management.io"] + resources: ["klusterlets"] + verbs: ["get", "list", "watch", "update", "patch", "delete"] +- apiGroups: ["operator.open-cluster-management.io"] + resources: ["klusterlets/status"] + verbs: ["update", "patch"] +# Allow the registration-operator to update the appliedmanifestworks finalizer. +- apiGroups: ["work.open-cluster-management.io"] + resources: ["appliedmanifestworks"] + verbs: ["list", "update", "patch"] diff --git a/deploy/klusterlet/helm-charts/latest/templates/cluster_role_binding.yaml b/deploy/klusterlet/helm-charts/latest/templates/cluster_role_binding.yaml new file mode 100644 index 000000000..0fe1add7e --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/templates/cluster_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: klusterlet +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: klusterlet +subjects: +- kind: ServiceAccount + name: klusterlet + namespace: {{ .Release.Namespace }} diff --git a/deploy/klusterlet/helm-charts/latest/templates/external_kubeconfig_secret.yaml b/deploy/klusterlet/helm-charts/latest/templates/external_kubeconfig_secret.yaml new file mode 100644 index 000000000..e908b967c --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/templates/external_kubeconfig_secret.yaml @@ -0,0 +1,10 @@ +{{- if .Values.hostedModeKubeConfig }} +apiVersion: v1 +kind: Secret +metadata: + name: external-managed-kubeconfig + namespace: {{ .Values.agentNamespace }} +type: Opaque +data: + kubeconfig: {{ .Values.hostedModeKubeConfig }} +{{- end }} 
diff --git a/deploy/klusterlet/helm-charts/latest/templates/klusterlet.yaml b/deploy/klusterlet/helm-charts/latest/templates/klusterlet.yaml new file mode 100644 index 000000000..922c868e9 --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/templates/klusterlet.yaml @@ -0,0 +1,34 @@ +{{- with .Values.klusterlet }} +{{- if .enable }} +apiVersion: operator.open-cluster-management.io/v1 +kind: Klusterlet +metadata: + name: {{ .name }} +spec: + deployOption: + mode: {{ .mode }} + {{- with .images }} + registrationImagePullSpec: "{{ .registration.repository }}:{{ .registration.tag }}" + workImagePullSpec: "{{ .work.repository }}:{{ .work.tag }}" + imagePullSpec: "{{ .agent.repository }}:{{ .agent.tag }}" + {{- end }} + clusterName: {{ .clusterName }} + namespace: {{ .namespace }} + {{- with .externalServerURLs }} + externalServerURLs: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .resourceRequirement }} + resourceRequirement: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .registrationConfiguration }} + registrationConfiguration: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .workConfiguration }} + workConfiguration: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/deploy/klusterlet/helm-charts/latest/templates/operator.yaml b/deploy/klusterlet/helm-charts/latest/templates/operator.yaml new file mode 100644 index 000000000..df99662b6 --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/templates/operator.yaml 
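Review bot: The three `*ImagePullSpec` fields are built as `repository:tag` only, so a consumer cannot pin the agent images by digest, and the values.yaml defaults resolve to `:latest`, which the operator rolls out unverified whenever the tag moves. A backward-compatible extension is `registrationImagePullSpec: "{{ .registration.repository }}{{ if .registration.digest }}@{{ .registration.digest }}{{ else }}:{{ .registration.tag }}{{ end }}"`, repeated for `work` and `agent`. `clusterName: {{ .clusterName }}` is also emitted unquoted, so a numeric-looking cluster name renders as an integer and is rejected by the CRD's string type; `clusterName: {{ .clusterName | quote }}` avoids that.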
@@ -0,0 +1,76 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: klusterlet + namespace: {{ .Release.Namespace }} + labels: + app: klusterlet +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: klusterlet + template: + metadata: + annotations: + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + labels: + app: klusterlet + spec: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: klusterlet + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: klusterlet + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - "/registration-operator" + - "klusterlet" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + livenessProbe: + httpGet: + path: /healthz + scheme: HTTPS + port: 8443 + initialDelaySeconds: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /healthz + scheme: HTTPS + port: 8443 + initialDelaySeconds: 2 + resources: + {{- toYaml .Values.resources | nindent 10 }} + volumeMounts: + - name: tmpdir + mountPath: /tmp + volumes: + - name: tmpdir + emptyDir: { } + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} diff --git a/deploy/klusterlet/helm-charts/latest/templates/priority_class.yaml b/deploy/klusterlet/helm-charts/latest/templates/priority_class.yaml new file mode 100644 index 000000000..196191449 --- /dev/null 
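Review bot: The `image:` line concatenates `repository:tag`, and the chart defaults to `tag: latest` with `pullPolicy: IfNotPresent`, so a node that already cached an older `latest` keeps running it while a fresh node pulls whatever the tag currently points at — operator versions diverge across nodes and none is verifiable. Supporting a digest, `image: "{{ .Values.image.repository }}{{ if .Values.image.digest }}@{{ .Values.image.digest }}{{ else }}:{{ .Values.image.tag }}{{ end }}"`, or defaulting `tag` to a release version makes the rollout deterministic. The pod spec also leaves `enableServiceLinks` at its default, which injects every Service in the namespace as environment variables; the operator does not read them, so `enableServiceLinks: false` is a cheap reduction of what ends up in the container environment.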
+++ b/deploy/klusterlet/helm-charts/latest/templates/priority_class.yaml @@ -0,0 +1,10 @@ +{{- if .Values.priorityClassName }} +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: {{ .Values.priorityClassName }} +value: 1000000 +globalDefault: false +description: "This priority class should be used for klusterlet agents only." +preemptionPolicy: PreemptLowerPriority +{{- end }} \ No newline at end of file diff --git a/deploy/klusterlet/helm-charts/latest/templates/service_account.yaml b/deploy/klusterlet/helm-charts/latest/templates/service_account.yaml new file mode 100644 index 000000000..e87a4f03a --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/templates/service_account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: klusterlet + namespace: {{ .Release.Namespace }} diff --git a/deploy/klusterlet/helm-charts/latest/values.yaml b/deploy/klusterlet/helm-charts/latest/values.yaml new file mode 100644 index 000000000..f1efb7c6b --- /dev/null +++ b/deploy/klusterlet/helm-charts/latest/values.yaml 
@@ -0,0 +1,101 @@ +# Default values for klustelet. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 3 + +image: + repository: quay.io/open-cluster-management/registration-operator + pullPolicy: IfNotPresent + tag: latest + + +imagePullSecrets: [] + +podSecurityContext: + runAsNonRoot: true + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + readOnlyRootFilesystem: true + +resources: + requests: + cpu: 2m + memory: 16Mi + limits: + memory: 2Gi + +nodeSelector: {} + +tolerations: [] + +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 70 + podAffinityTerm: + topologyKey: failure-domain.beta.kubernetes.io/zone + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - klusterlet + - weight: 30 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - klusterlet + +priorityClassName: "" + +agentNamespace: "" +hostedModeKubeConfig: "" +bootstrapHubKubeConfig: "" + +klusterlet: + enable: false + name: klusterlet + mode: Singleton + clusterName: cluster1 + namespace: open-cluster-management-agent + images: + registration: + repository: quay.io/open-cluster-management/registration + tag: latest + work: + repository: quay.io/open-cluster-management/work + tag: latest + agent: + repository: quay.io/open-cluster-management/registration-operator + tag: latest + externalServerURLs: [] +# - url: "" +# caBundle: "" + resourceRequirement: {} +# type: Default +# resourceRequirements: +# requests: +# cpu: 2m +# memory: 16Mi +# limits: +# memory: 2Gi + registrationConfiguration: {} +# featureGates: +# - feature: "" +# mode: "" +# clientCertExpirationSeconds: 600 + workConfiguration: {} +# featureGates: +# - feature: "" +# mode: "" 
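Review bot: `podSecurityContext` sets only `runAsNonRoot`, so the operator pod does not meet the `restricted` Pod Security Standard, which also requires a seccomp profile; adding `seccompProfile: { type: RuntimeDefault }` under `podSecurityContext` (or the container `securityContext`) makes the chart installable where that profile is enforced. The image defaults pair `tag: latest` with `pullPolicy: IfNotPresent`, the one combination that both skips verification and lets cached images go stale; default to a versioned tag, or set `pullPolicy: Always` when the tag is `latest`. `hostedModeKubeConfig` and `bootstrapHubKubeConfig` carry no comment saying that the templates write them into `data:` and therefore expect base64-encoded content, nor that Helm persists them in the release Secret; a two-line comment above each would prevent mis-encoded credentials. The anti-affinity term keys on `failure-domain.beta.kubernetes.io/zone`, deprecated in favour of `topology.kubernetes.io/zone`; on clusters that no longer set the beta label the zone spreading silently does nothing.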
diff --git a/deploy/klusterlet/olm-catalog/latest/manifests/klusterlet.clusterserviceversion.yaml b/deploy/klusterlet/olm-catalog/latest/manifests/klusterlet.clusterserviceversion.yaml index 152dc840a..3837d13ff 100644 --- a/deploy/klusterlet/olm-catalog/latest/manifests/klusterlet.clusterserviceversion.yaml +++ b/deploy/klusterlet/olm-catalog/latest/manifests/klusterlet.clusterserviceversion.yaml @@ -31,7 +31,7 @@ metadata: categories: Integration & Delivery,OpenShift Optional certified: "false" containerImage: quay.io/open-cluster-management/registration-operator:latest - createdAt: "2024-06-25T00:11:29Z" + createdAt: "2024-07-03T01:32:24Z" description: Manages the installation and upgrade of the Klusterlet. operators.operatorframework.io/builder: operator-sdk-v1.32.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 @@ -50,7 +50,7 @@ spec: name: klusterlets.operator.open-cluster-management.io version: v1 description: | - The Klusterlet proivdes the registation to the Hub clusters as a managed cluster. This operator supports the installation and upgrade of Klusterlet. + The Klusterlet provides the registration to the Hub clusters as a managed cluster. This operator supports the installation and upgrade of Klusterlet. ## Prerequisites You need a Hub cluster which has installed ClusterManager. @@ -311,6 +311,7 @@ spec: fieldRef: fieldPath: metadata.name image: quay.io/open-cluster-management/registration-operator:latest + imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -326,6 +327,8 @@ spec: scheme: HTTPS initialDelaySeconds: 2 resources: + limits: + memory: 2Gi requests: cpu: 2m memory: 16Mi diff --git a/hack/copy-crds.sh b/hack/copy-crds.sh index 3a04297fc..38819aeae 100755 --- a/hack/copy-crds.sh +++ b/hack/copy-crds.sh 
@@ -20,4 +20,6 @@ do
 done
 
 cp $CLUSTER_MANAGER_CRD_FILE ./deploy/cluster-manager/config/crds/
+cp $CLUSTER_MANAGER_CRD_FILE ./deploy/cluster-manager/helm-charts/latest/crds/
 cp $KLUSTERLET_CRD_FILE ./deploy/klusterlet/config/crds/
+cp $KLUSTERLET_CRD_FILE ./deploy/klusterlet/helm-charts/latest/crds/
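Review bot: The two added `cp` lines expand `$CLUSTER_MANAGER_CRD_FILE` and `$KLUSTERLET_CRD_FILE` unquoted, so a path containing whitespace is split into several arguments; `cp "$KLUSTERLET_CRD_FILE" ./deploy/klusterlet/helm-charts/latest/crds/` (and the same for the cluster-manager line) is the safe form, matching the existing lines only in their defect. A comment next to these copies would also help: CRDs placed in a chart's `crds/` directory are applied by `helm install` but never updated or removed by `helm upgrade`, so schema changes in the copied file do not reach existing installs unless users apply it by hand, e.g. `# NOTE: Helm installs crds/ once and never upgrades them; document manual CRD updates in the chart README`.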