-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Think big! We should be able to support federating clouds together, just as we federate identity, so make it so! Anything region specific needs to index a region at the API, and let the rest be abstracted including site specific endpoints, credentials and configurations. We can now start to consider other things than openstack if the need arises. More pertinently we can also start thinking about moving the provider to the site itself to prevent leaking credentials in the honeypot at the center! This _also_ means, we could perhaps think about not actually exposing the cloud API at all, and doing everything via the secure proxy... ugh, I'm exciting myself!!
- Loading branch information
Showing
20 changed files
with
1,430 additions
and
852 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,205 @@ | ||
--- | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.12.1 | ||
name: regions.unikorn-cloud.org | ||
spec: | ||
group: unikorn-cloud.org | ||
names: | ||
categories: | ||
- unikorn | ||
kind: Region | ||
listKind: RegionList | ||
plural: regions | ||
singular: region | ||
scope: Cluster | ||
versions: | ||
- additionalPrinterColumns: | ||
- jsonPath: .spec.provider | ||
name: provider | ||
type: string | ||
- jsonPath: .status.conditions[?(@.type=="Available")].reason | ||
name: status | ||
type: string | ||
- jsonPath: .metadata.creationTimestamp | ||
name: age | ||
type: date | ||
name: v1alpha1 | ||
schema: | ||
openAPIV3Schema: | ||
description: Region defines a geographical region where clusters can be provisioned. | ||
A region defines the endpoints that can be used to derive information about | ||
the provider for that region. | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation | ||
of an object. Servers should convert recognized schemas to the latest | ||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this | ||
object represents. Servers may infer this from the endpoint the client | ||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
description: RegionSpec defines metadata about the region. | ||
properties: | ||
openstack: | ||
description: Openstack is provider specific configuration for the | ||
region. | ||
properties: | ||
compute: | ||
description: Compute is configuration for the compute service. | ||
properties: | ||
flavorExtraSpecsExclude: | ||
description: FlavorExtraSpecsExclude discards any flavors | ||
with the listed extra specs keys. | ||
items: | ||
type: string | ||
type: array | ||
gpuDescriptors: | ||
description: GPUDescriptors defines a set of keys that can | ||
be probed to list GPU topology information. | ||
items: | ||
properties: | ||
expression: | ||
description: Expression describes how to extract the | ||
number of GPUs from the property if it exists. This | ||
must contain exactly one submatch that is a number | ||
e.g. "^(\d+)$". | ||
type: string | ||
property: | ||
description: Property is the property name to examine | ||
e.g. "resources.VGPU". | ||
type: string | ||
required: | ||
- expression | ||
- property | ||
type: object | ||
type: array | ||
serverGroupPolicy: | ||
description: ServerGroupPolicy defines the anti-affinity policy | ||
to use for scheduling cluster nodes. Defaults to "soft-anti-affinity". | ||
type: string | ||
type: object | ||
endpoint: | ||
description: Endpoint is the Keystone URL e.g. https://foo.bar:5000. | ||
type: string | ||
identity: | ||
description: Identity is configuration for the identity service. | ||
properties: | ||
clusterRoles: | ||
description: ClusterRoles are the roles required to be assigned | ||
to an application credential in order to provision, scale | ||
and deprovision a cluster, along with any required for CNI/CSI | ||
functionality. | ||
items: | ||
type: string | ||
type: array | ||
type: object | ||
image: | ||
description: Image is configuration for the image service. | ||
properties: | ||
propertiesInclude: | ||
description: PropertiesInclude defines the set of properties | ||
that must all exist for an image to be advertised by the | ||
provider. | ||
items: | ||
type: string | ||
type: array | ||
signingKey: | ||
description: SigningKey defines a PEM encoded public ECDSA | ||
signing key used to verify the image is trusted. If specified, | ||
an image must contain the "digest" property, the value of | ||
which must be a base64 encoded ECDSA signature of the SHA256 | ||
hash of the image ID. | ||
format: byte | ||
type: string | ||
type: object | ||
serviceAccountSecret: | ||
description: ServiceAccountSecretName points to the secret containing | ||
credentials required to perform the tasks the provider needs | ||
to perform. | ||
properties: | ||
name: | ||
description: Name is the name of the object. | ||
type: string | ||
namespace: | ||
description: Namespace is the namespace in which the object | ||
resides. | ||
type: string | ||
required: | ||
- name | ||
- namespace | ||
type: object | ||
required: | ||
- endpoint | ||
- serviceAccountSecret | ||
type: object | ||
provider: | ||
description: Type defines the provider type. | ||
enum: | ||
- openstack | ||
type: string | ||
required: | ||
- provider | ||
type: object | ||
status: | ||
description: RegionStatus defines the status of the region. | ||
properties: | ||
conditions: | ||
description: Current service state of a region. | ||
items: | ||
description: Condition is a generic condition type for use across | ||
all resource types. It's generic so that the underlying controller-manager | ||
functionality can be shared across all resources. | ||
properties: | ||
lastTransitionTime: | ||
description: Last time the condition transitioned from one status | ||
to another. | ||
format: date-time | ||
type: string | ||
message: | ||
description: Human-readable message indicating details about | ||
last transition. | ||
type: string | ||
reason: | ||
description: Unique, one-word, CamelCase reason for the condition's | ||
last transition. | ||
enum: | ||
- Provisioning | ||
- Provisioned | ||
- Cancelled | ||
- Errored | ||
- Deprovisioning | ||
- Deprovisioned | ||
type: string | ||
status: | ||
description: Status is the status of the condition. Can be True, | ||
False, Unknown. | ||
type: string | ||
type: | ||
description: Type is the type of the condition. | ||
enum: | ||
- Available | ||
type: string | ||
required: | ||
- lastTransitionTime | ||
- message | ||
- reason | ||
- status | ||
- type | ||
type: object | ||
type: array | ||
type: object | ||
required: | ||
- spec | ||
type: object | ||
served: true | ||
storage: true | ||
subresources: | ||
status: {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
{{- range $region := .Values.regions }} | ||
apiVersion: unikorn-cloud.org/v1alpha1 | ||
kind: Region | ||
metadata: | ||
name: {{ $region.name }} | ||
labels: | ||
{{- include "unikorn.labels" $ | nindent 4 }} | ||
spec: | ||
provider: {{ $region.provider }} | ||
{{- with $openstack := $region.openstack }} | ||
openstack: | ||
endpoint: {{ $openstack.endpoint }} | ||
serviceAccountSecret: | ||
namespace: {{ $openstack.serviceAccountSecret.namespace }} | ||
name: {{ $openstack.serviceAccountSecret.name }} | ||
{{- with $identity := $openstack.identity }} | ||
{{ printf "identity:" | nindent 4 }} | ||
{{- with $roles := $identity.clusterRoles }} | ||
{{ printf "clusterRoles:" | nindent 6 }} | ||
{{- range $role := $roles }} | ||
{{ printf "- %s" $role | nindent 6 }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} | ||
{{- with $compute := $openstack.compute }} | ||
{{ printf "compute:" | nindent 4 }} | ||
{{- with $policy := $compute.serverGroupPolicy }} | ||
{{ printf "serverGroupPolicy: %s" $policy | nindent 6 }} | ||
{{- end }} | ||
{{- with $specs := $compute.flavorExtraSpecsExclude }} | ||
{{ printf "flavorExtraSpecsExclude:" | nindent 6 }} | ||
{{- range $spec := $specs }} | ||
{{ printf "- %s" $spec | nindent 6 }} | ||
{{- end }} | ||
{{- end }} | ||
{{- with $descriptors := $compute.gpuDescriptors }} | ||
{{ printf "gpuDescriptors:" | nindent 6 }} | ||
{{- range $descriptor := $descriptors }} | ||
{{ printf "- property: %s" $descriptor.property | nindent 6 }} | ||
{{ printf "expresison: %s" $descriptor.property | nindent 8 }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} | ||
{{- with $image := $openstack.image}} | ||
{{ printf "image:" | nindent 4 }} | ||
{{- with $properties := $image.propertiesInclude }} | ||
{{ printf "propertiesInclude:" | nindent 6 }} | ||
{{- range $property := $properties }} | ||
{{ printf "- %s" $property | nindent 6 }} | ||
{{- end }} | ||
{{- end }} | ||
{{- with $signingKey := $image.signingKey }} | ||
{{ printf "signingKey: %s" $signingKey | nindent 6 }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.