diff --git a/charts/cluster-auth-manager/common/gateway_cluster_role.yaml b/charts/cluster-auth-manager/common/gateway_cluster_role.yaml index d0bb7096..4c146f90 100644 --- a/charts/cluster-auth-manager/common/gateway_cluster_role.yaml +++ b/charts/cluster-auth-manager/common/gateway_cluster_role.yaml @@ -4,10 +4,18 @@ kind: ClusterRole metadata: name: open-cluster-management:cluster-gateway:proxy rules: + - apiGroups: + - gateway.open-cluster-management.io + resources: + - clustergateways + verbs: ["get", "list", "watch"] - apiGroups: - gateway.open-cluster-management.io resources: - clustergateways/health + verbs: ["get"] + - apiGroups: + - gateway.open-cluster-management.io + resources: - clustergateways/proxy - verbs: - - "*" + verbs: ["*"] diff --git a/charts/cluster-gateway-manager/README.md b/charts/cluster-gateway-manager/README.md index a8fdcd13..86e28269 100644 --- a/charts/cluster-gateway-manager/README.md +++ b/charts/cluster-gateway-manager/README.md @@ -8,7 +8,7 @@ $ helm repo add appscode https://charts.appscode.com/stable $ helm repo update $ helm search repo appscode/cluster-gateway-manager --version=v2024.2.25 -$ helm upgrade -i cluster-gateway-manager appscode/cluster-gateway-manager -n open-cluster-management --create-namespace --version=v2024.2.25 +$ helm upgrade -i cluster-gateway-manager appscode/cluster-gateway-manager -n open-cluster-management-cluster-gateway --create-namespace --version=v2024.2.25 ``` ## Introduction 
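Review bot: The last rule of the split ClusterRole still grants `verbs: ["*"]` on `clustergateways/proxy`, which (judging by its name) is the subresource that forwards requests into managed clusters, so every verb the API server may ever recognise on it is granted implicitly; the `clustergateways/health` rule now narrows correctly to `get`, and the proxy rule should likewise enumerate the verbs the endpoint actually accepts rather than use a wildcard. If the set of forwarded methods is intentionally unbounded, state that above the rule so the next auditor does not have to guess, e.g. `# proxy forwards arbitrary HTTP methods, hence the wildcard`.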
@@ -24,7 +24,7 @@ This chart deploys a cluster-gateway-manager on a [Kubernetes](http://kubernetes
 To install/upgrade the chart with the release name `cluster-gateway-manager`:
 ```bash
-$ helm upgrade -i cluster-gateway-manager appscode/cluster-gateway-manager -n open-cluster-management --create-namespace --version=v2024.2.25
+$ helm upgrade -i cluster-gateway-manager appscode/cluster-gateway-manager -n open-cluster-management-cluster-gateway --create-namespace --version=v2024.2.25
 ```
 The command deploys a cluster-gateway-manager on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
@@ -36,7 +36,7 @@ The command deploys a cluster-gateway-manager on the Kubernetes cluster in the d
 To uninstall the `cluster-gateway-manager`:
 ```bash
-$ helm uninstall cluster-gateway-manager -n open-cluster-management
+$ helm uninstall cluster-gateway-manager -n open-cluster-management-cluster-gateway
 ```
 The command removes all the Kubernetes components associated with the chart and deletes the release.
@@ -45,27 +45,37 @@ The command removes all the Kubernetes components associated with the chart and
 The following table lists the configurable parameters of the `cluster-gateway-manager` chart and their default values.
-| Parameter | Description | Default |
-|---------------------------------|----------------------------------------|--------------------------------------------------|
-| image | Image of the cluster-gateway instances | oamdev/cluster-gateway-manager |
-| tag | | |
-| clusterGateway.image | | oamdev/cluster-gateway |
-| clusterGateway.installNamespace | | vela-system |
-| clusterGateway.secretNamespace | | open-cluster-management-credentials |
-| replicas | Number of replicas | 1 |
-| manualSecretManagement | | true |
-| konnectivityEgress | | false |
+| Parameter | Description | Default |
+|--------------------------------------------------|----------------------------------------|-------------------------------------------------------------------|
+| nameOverride | | "" |
+| fullnameOverride | | "" |
+| image | Image of the cluster-gateway instances | ghcr.io/kluster-manager/cluster-gateway-manager |
+| tag | | latest |
+| clusterGateway.image | | ghcr.io/kluster-manager/cluster-gateway |
+| replicas | Number of replicas | 1 |
+| manualSecretManagement | | false |
+| clusterProxy.enabled | | true |
+| clusterProxy.proxyServerHost | | "proxy-entrypoint.open-cluster-management-addon.svc" |
+| clusterProxy.proxyServerPort | | 8090 |
+| clusterProxy.credentials.namespace | | open-cluster-management-addon |
+| clusterProxy.credentials.proxyClientCASecretName | | proxy-server-ca |
+| clusterProxy.credentials.proxyClientSecretName | | proxy-client |
+| kubeconfigSecretName | | "" |
+| addonManagerNamespace | | open-cluster-management-cluster-gateway |
+| placement.create | | true |
+| placement.name | | global |
+| kubectl.image | | ghcr.io/appscode/kubectl-nonroot:1.25 |
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm 
upgrade -i`. For example:
 ```bash
-$ helm upgrade -i cluster-gateway-manager appscode/cluster-gateway-manager -n open-cluster-management --create-namespace --version=v2024.2.25 --set image=oamdev/cluster-gateway-manager
+$ helm upgrade -i cluster-gateway-manager appscode/cluster-gateway-manager -n open-cluster-management-cluster-gateway --create-namespace --version=v2024.2.25 --set image=ghcr.io/kluster-manager/cluster-gateway-manager
 ```
 Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example:
 ```bash
-$ helm upgrade -i cluster-gateway-manager appscode/cluster-gateway-manager -n open-cluster-management --create-namespace --version=v2024.2.25 --values values.yaml
+$ helm upgrade -i cluster-gateway-manager appscode/cluster-gateway-manager -n open-cluster-management-cluster-gateway --create-namespace --version=v2024.2.25 --values values.yaml
 ```
diff --git a/charts/cluster-gateway-manager/common/addon/clustergatewayconfiguration.yaml b/charts/cluster-gateway-manager/common/addon/clustergatewayconfiguration.yaml
new file mode 100644
index 00000000..0492486a
--- /dev/null
+++ b/charts/cluster-gateway-manager/common/addon/clustergatewayconfiguration.yaml
@@ -0,0 +1,19 @@
+apiVersion: config.gateway.open-cluster-management.io/v1alpha1
+kind: ClusterGatewayConfiguration
+metadata:
+ name: cluster-gateway
+spec:
+ image: {{ .Values.clusterGateway.image }}:{{ .Values.tag | default .Chart.AppVersion }}
+ secretManagement:
+ {{ if .Values.manualSecretManagement }}
+ type: Manual
+ {{ else }}
+ type: ManagedServiceAccount
+ managedServiceAccount:
+ name: cluster-gateway
+ {{ end }}
+ egress:
+ {{- if .Values.clusterProxy.enabled }}
+ clusterProxy:
+ {{- omit .Values.clusterProxy "enabled" | toYaml | nindent 6 }}
+ {{- end }}
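Review bot: The `image:` line falls back to `.Chart.AppVersion` only when `.Values.tag` is empty, but the README table in this same commit lists the default `tag` as `latest`; if values.yaml matches the README, the fallback is dead code and the gateway agent is always pulled from an unpinned, mutable tag. Either leave `tag` empty by default so the chart's own AppVersion applies, or document that operators are expected to pin it. Separately, the `clustergatewayconfigurations.proxy.open-cluster-management.io` CRD is renamed away from `crds/` in this diff while this template creates a `config.gateway.open-cluster-management.io/v1alpha1` object; I do not see a CRD for the new group in the visible hunks, so confirm the API is served by the manager itself or shipped elsewhere, otherwise installation fails on an unknown kind. The `{{ if }}`/`{{ else }}`/`{{ end }}` actions under `secretManagement` are not whitespace-trimmed while `egress` uses `{{-`; using `{{-` consistently keeps stray indented blank lines out of the rendered manifest.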
diff --git a/charts/cluster-gateway-manager/common/addon/clustermanagementaddon.yaml b/charts/cluster-gateway-manager/common/addon/clustermanagementaddon.yaml
new file mode 100644
index 00000000..970e68e5
--- /dev/null
+++ b/charts/cluster-gateway-manager/common/addon/clustermanagementaddon.yaml
@@ -0,0 +1,20 @@
+apiVersion: addon.open-cluster-management.io/v1alpha1
+kind: ClusterManagementAddOn
+metadata:
+ name: cluster-gateway
+ annotations:
+ addon.open-cluster-management.io/lifecycle: "addon-manager"
+spec:
+ addOnMeta:
+ displayName: {{ .Chart.Name }}
+ description: {{ .Chart.Description }}
+ installStrategy:
+ type: Placements
+ placements:
+ - name: {{ .Values.placement.name }}
+ namespace: {{ include "cluster-gateway-manager.namespace" . }}
+ supportedConfigs:
+ - group: config.gateway.open-cluster-management.io
+ resource: clustergatewayconfigurations
+ defaultConfig:
+ name: cluster-gateway
diff --git a/charts/cluster-gateway-manager/common/addon/clustersetbinding.yaml b/charts/cluster-gateway-manager/common/addon/clustersetbinding.yaml
new file mode 100644
index 00000000..e17c761b
--- /dev/null
+++ b/charts/cluster-gateway-manager/common/addon/clustersetbinding.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.placement.create }}
+
+apiVersion: cluster.open-cluster-management.io/v1beta2
+kind: ManagedClusterSetBinding
+metadata:
+ name: global
+ namespace: {{ include "cluster-gateway-manager.namespace" . }}
+spec:
+ clusterSet: global
+
+{{- end }}
diff --git a/charts/cluster-gateway-manager/common/addon/placement.yaml b/charts/cluster-gateway-manager/common/addon/placement.yaml
new file mode 100644
index 00000000..33a1a6bb
--- /dev/null
+++ b/charts/cluster-gateway-manager/common/addon/placement.yaml
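Review bot: `displayName: {{ .Chart.Name }}` and `description: {{ .Chart.Description }}` are emitted unquoted, and `Chart.Description` is free text that may legitimately contain `:`, `#` or a leading special character, which either breaks YAML parsing of the rendered ClusterManagementAddOn or silently truncates the value; render them as `displayName: {{ .Chart.Name | quote }}` and `description: {{ .Chart.Description | quote }}`. The placement reference `- name: {{ .Values.placement.name }}` is user-supplied and would benefit from the same `| quote`.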
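Review bot: Creating a `ManagedClusterSetBinding` for the `global` set requires the installing identity to hold `create` on the virtual subresource `managedclustersets/bind` (the CRD description added further down in this diff says so), so a `helm install` by an identity lacking that permission fails in a way the chart does not explain; document it in the README row for `placement.create`, e.g. `placement.create | Create a Placement and a ManagedClusterSetBinding for the global cluster set (needs create on managedclustersets/bind) | true`. The binding's `name` and `clusterSet` are hard-coded to `global` while the Placement name is configurable, which only works as long as the placement template keeps selecting `global`; a comment such as `# must match the clusterSet selected in placement.yaml` would prevent the two templates from drifting apart.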
@@ -0,0 +1,12 @@
+{{- if .Values.placement.create }}
+
+apiVersion: cluster.open-cluster-management.io/v1beta1
+kind: Placement
+metadata:
+ name: {{ .Values.placement.name }}
+ namespace: {{ include "cluster-gateway-manager.namespace" . }}
+spec:
+ clusterSets:
+ - global
+
+{{- end }}
diff --git a/charts/cluster-gateway-manager/crds/addon.open-cluster-management.io_clustermanagementaddons.yaml b/charts/cluster-gateway-manager/crds/addon.open-cluster-management.io_clustermanagementaddons.yaml
new file mode 100644
index 00000000..465dd73b
--- /dev/null
+++ b/charts/cluster-gateway-manager/crds/addon.open-cluster-management.io_clustermanagementaddons.yaml
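Review bot: The Placement carries no predicates or cluster selector, so with `clusterSets: - global` it selects every cluster in the global set and the gateway add-on agent, which establishes a proxy path from the hub into each managed cluster, is rolled out to all of them by default; that is presumably intended, but it deserves a comment, `# selects every cluster in the global set; add predicates to limit where the gateway agent is installed`. When `placement.create` is false the ClusterManagementAddOn template still references `.Values.placement.name` in the chart namespace, so the README should state that a Placement of that name must already exist there, otherwise the add-on is never installed anywhere.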
@@ -0,0 +1,670 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustermanagementaddons.addon.open-cluster-management.io +spec: + group: addon.open-cluster-management.io + names: + kind: ClusterManagementAddOn + listKind: ClusterManagementAddOnList + plural: clustermanagementaddons + shortNames: + - cma + - cmas + singular: clustermanagementaddon + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.addOnMeta.displayName + name: DISPLAY NAME + type: string + - jsonPath: .spec.addOnConfiguration.crdName + name: CRD NAME + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterManagementAddOn represents the registration of an add-on + to the cluster manager. This resource allows you to discover which add-ons + are available for the cluster manager and provides metadata information + about the add-ons. The ClusterManagementAddOn name is used for the namespace-scoped + ManagedClusterAddOn resource. ClusterManagementAddOn is a cluster-scoped + resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec represents a desired configuration for the agent on + the cluster management add-on. 
+ properties: + addOnConfiguration: + description: 'Deprecated: Use supportedConfigs filed instead addOnConfiguration + is a reference to configuration information for the add-on. In scenario + where a multiple add-ons share the same add-on CRD, multiple ClusterManagementAddOn + resources need to be created and reference the same AddOnConfiguration.' + properties: + crName: + description: crName is the name of the CR used to configure instances + of the managed add-on. This field should be configured if add-on + CR have a consistent name across the all of the ManagedCluster + instaces. + type: string + crdName: + description: crdName is the name of the CRD used to configure + instances of the managed add-on. This field should be configured + if the add-on have a CRD that controls the configuration of + the add-on. + type: string + lastObservedGeneration: + description: lastObservedGeneration is the observed generation + of the custom resource for the configuration of the addon. + format: int64 + type: integer + type: object + addOnMeta: + description: addOnMeta is a reference to the metadata information + for the add-on. + properties: + description: + description: description represents the detailed description of + the add-on. + type: string + displayName: + description: displayName represents the name of add-on that will + be displayed. + type: string + type: object + installStrategy: + default: + type: Manual + description: InstallStrategy represents that related ManagedClusterAddOns + should be installed on certain clusters. + properties: + placements: + description: Placements is a list of placement references honored + when install strategy type is Placements. All clusters selected + by these placements will install the addon If one cluster belongs + to multiple placements, it will only apply the strategy defined + later in the order. That is to say, The latter strategy overrides + the previous one. 
+ items: + properties: + configs: + description: Configs is the configuration of managedClusterAddon + during installation. User can override the configuration + by updating the managedClusterAddon directly. + items: + properties: + group: + default: "" + description: group of the add-on configuration. + type: string + name: + description: name of the add-on configuration. + minLength: 1 + type: string + namespace: + description: namespace of the add-on configuration. + If this field is not set, the configuration is in + the cluster scope. + type: string + resource: + description: resource of the add-on configuration. + minLength: 1 + type: string + required: + - name + - resource + type: object + type: array + name: + description: Name is the name of the placement + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the placement + minLength: 1 + type: string + rolloutStrategy: + default: + type: All + description: The rollout strategy to apply addon configurations + change. The rollout strategy only watches the addon configurations + defined in ClusterManagementAddOn. + properties: + all: + description: All defines required fields for RolloutStrategy + type All + properties: + maxFailures: + anyOf: + - type: integer + - type: string + default: 0 + description: MaxFailures is a percentage or number + of clusters in the current rollout that can fail + before proceeding to the next rollout. Fail means + the cluster has a failed status or timeout status + (does not reach successful status after ProgressDeadline). + Once the MaxFailures is breached, the rollout + will stop. MaxFailures is only considered for + rollout types Progressive and ProgressivePerGroup. + For Progressive, this is considered over the total + number of clusters. For ProgressivePerGroup, this + is considered according to the size of the current + group. 
For both Progressive and ProgressivePerGroup, + the MaxFailures does not apply for MandatoryDecisionGroups, + which tolerate no failures. Default is that no + failures are tolerated. + pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ + x-kubernetes-int-or-string: true + minSuccessTime: + default: "0" + description: MinSuccessTime is a "soak" time. In + other words, the minimum amount of time the workload + applier controller will wait from the start of + each rollout before proceeding (assuming a successful + state has been reached and MaxFailures wasn't + breached). MinSuccessTime is only considered for + rollout types Progressive and ProgressivePerGroup. + The default value is 0 meaning the workload applier + proceeds immediately after a successful state + is reached. MinSuccessTime must be defined in + [0-9h]|[0-9m]|[0-9s] format examples; 2h , 90m + , 360s + type: string + progressDeadline: + default: None + description: ProgressDeadline defines how long workload + applier controller will wait for the workload + to reach a successful state in the cluster. If + the workload does not reach a successful state + after ProgressDeadline, will stop waiting and + workload will be treated as "timeout" and be counted + into MaxFailures. Once the MaxFailures is breached, + the rollout will stop. ProgressDeadline default + value is "None", meaning the workload applier + will wait for a successful state indefinitely. + ProgressDeadline must be defined in [0-9h]|[0-9m]|[0-9s] + format examples; 2h , 90m , 360s + pattern: ^(([0-9])+[h|m|s])|None$ + type: string + type: object + progressive: + description: Progressive defines required fields for + RolloutStrategy type Progressive + properties: + mandatoryDecisionGroups: + description: List of the decision groups names or + indexes to apply the workload first and fail if + workload did not reach successful state. 
GroupName + or GroupIndex must match with the decisionGroups + defined in the placement's decisionStrategy + items: + description: MandatoryDecisionGroup set the decision + group name or group index. GroupName is considered + first to select the decisionGroups then GroupIndex. + properties: + groupIndex: + description: GroupIndex of the decision group + should match the placementDecisions label + value with label key cluster.open-cluster-management.io/decision-group-index + format: int32 + type: integer + groupName: + description: GroupName of the decision group + should match the placementDecisions label + value with label key cluster.open-cluster-management.io/decision-group-name + type: string + type: object + type: array + maxConcurrency: + anyOf: + - type: integer + - type: string + description: MaxConcurrency is the max number of + clusters to deploy workload concurrently. The + default value for MaxConcurrency is determined + from the clustersPerDecisionGroup defined in the + placement->DecisionStrategy. + pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ + x-kubernetes-int-or-string: true + maxFailures: + anyOf: + - type: integer + - type: string + default: 0 + description: MaxFailures is a percentage or number + of clusters in the current rollout that can fail + before proceeding to the next rollout. Fail means + the cluster has a failed status or timeout status + (does not reach successful status after ProgressDeadline). + Once the MaxFailures is breached, the rollout + will stop. MaxFailures is only considered for + rollout types Progressive and ProgressivePerGroup. + For Progressive, this is considered over the total + number of clusters. For ProgressivePerGroup, this + is considered according to the size of the current + group. For both Progressive and ProgressivePerGroup, + the MaxFailures does not apply for MandatoryDecisionGroups, + which tolerate no failures. Default is that no + failures are tolerated. 
+ pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ + x-kubernetes-int-or-string: true + minSuccessTime: + default: "0" + description: MinSuccessTime is a "soak" time. In + other words, the minimum amount of time the workload + applier controller will wait from the start of + each rollout before proceeding (assuming a successful + state has been reached and MaxFailures wasn't + breached). MinSuccessTime is only considered for + rollout types Progressive and ProgressivePerGroup. + The default value is 0 meaning the workload applier + proceeds immediately after a successful state + is reached. MinSuccessTime must be defined in + [0-9h]|[0-9m]|[0-9s] format examples; 2h , 90m + , 360s + type: string + progressDeadline: + default: None + description: ProgressDeadline defines how long workload + applier controller will wait for the workload + to reach a successful state in the cluster. If + the workload does not reach a successful state + after ProgressDeadline, will stop waiting and + workload will be treated as "timeout" and be counted + into MaxFailures. Once the MaxFailures is breached, + the rollout will stop. ProgressDeadline default + value is "None", meaning the workload applier + will wait for a successful state indefinitely. + ProgressDeadline must be defined in [0-9h]|[0-9m]|[0-9s] + format examples; 2h , 90m , 360s + pattern: ^(([0-9])+[h|m|s])|None$ + type: string + type: object + progressivePerGroup: + description: ProgressivePerGroup defines required fields + for RolloutStrategy type ProgressivePerGroup + properties: + mandatoryDecisionGroups: + description: List of the decision groups names or + indexes to apply the workload first and fail if + workload did not reach successful state. GroupName + or GroupIndex must match with the decisionGroups + defined in the placement's decisionStrategy + items: + description: MandatoryDecisionGroup set the decision + group name or group index. GroupName is considered + first to select the decisionGroups then GroupIndex. 
+ properties: + groupIndex: + description: GroupIndex of the decision group + should match the placementDecisions label + value with label key cluster.open-cluster-management.io/decision-group-index + format: int32 + type: integer + groupName: + description: GroupName of the decision group + should match the placementDecisions label + value with label key cluster.open-cluster-management.io/decision-group-name + type: string + type: object + type: array + maxFailures: + anyOf: + - type: integer + - type: string + default: 0 + description: MaxFailures is a percentage or number + of clusters in the current rollout that can fail + before proceeding to the next rollout. Fail means + the cluster has a failed status or timeout status + (does not reach successful status after ProgressDeadline). + Once the MaxFailures is breached, the rollout + will stop. MaxFailures is only considered for + rollout types Progressive and ProgressivePerGroup. + For Progressive, this is considered over the total + number of clusters. For ProgressivePerGroup, this + is considered according to the size of the current + group. For both Progressive and ProgressivePerGroup, + the MaxFailures does not apply for MandatoryDecisionGroups, + which tolerate no failures. Default is that no + failures are tolerated. + pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ + x-kubernetes-int-or-string: true + minSuccessTime: + default: "0" + description: MinSuccessTime is a "soak" time. In + other words, the minimum amount of time the workload + applier controller will wait from the start of + each rollout before proceeding (assuming a successful + state has been reached and MaxFailures wasn't + breached). MinSuccessTime is only considered for + rollout types Progressive and ProgressivePerGroup. + The default value is 0 meaning the workload applier + proceeds immediately after a successful state + is reached. 
MinSuccessTime must be defined in + [0-9h]|[0-9m]|[0-9s] format examples; 2h , 90m + , 360s + type: string + progressDeadline: + default: None + description: ProgressDeadline defines how long workload + applier controller will wait for the workload + to reach a successful state in the cluster. If + the workload does not reach a successful state + after ProgressDeadline, will stop waiting and + workload will be treated as "timeout" and be counted + into MaxFailures. Once the MaxFailures is breached, + the rollout will stop. ProgressDeadline default + value is "None", meaning the workload applier + will wait for a successful state indefinitely. + ProgressDeadline must be defined in [0-9h]|[0-9m]|[0-9s] + format examples; 2h , 90m , 360s + pattern: ^(([0-9])+[h|m|s])|None$ + type: string + type: object + type: + default: All + enum: + - All + - Progressive + - ProgressivePerGroup + type: string + type: object + required: + - name + - namespace + type: object + type: array + x-kubernetes-list-map-keys: + - namespace + - name + x-kubernetes-list-type: map + type: + default: Manual + description: 'Type is the type of the install strategy, it can + be: - Manual: no automatic install - Placements: install to + clusters selected by placements.' + enum: + - Manual + - Placements + type: string + type: object + supportedConfigs: + description: supportedConfigs is a list of configuration types supported + by add-on. An empty list means the add-on does not require configurations. + The default is an empty list + items: + description: ConfigMeta represents a collection of metadata information + for add-on configuration. + properties: + defaultConfig: + description: defaultConfig represents the namespace and name + of the default add-on configuration. In scenario where all + add-ons have a same configuration. + properties: + name: + description: name of the add-on configuration. + minLength: 1 + type: string + namespace: + description: namespace of the add-on configuration. 
If this + field is not set, the configuration is in the cluster + scope. + type: string + required: + - name + type: object + group: + default: "" + description: group of the add-on configuration. + type: string + resource: + description: resource of the add-on configuration. + minLength: 1 + type: string + required: + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + x-kubernetes-list-type: map + type: object + status: + description: status represents the current status of cluster management + add-on. + properties: + defaultconfigReferences: + description: defaultconfigReferences is a list of current add-on default + configuration references. + items: + description: DefaultConfigReference is a reference to the current + add-on configuration. This resource is used to record the configuration + resource for the current add-on. + properties: + desiredConfig: + description: desiredConfig record the desired config spec hash. + properties: + name: + description: name of the add-on configuration. + minLength: 1 + type: string + namespace: + description: namespace of the add-on configuration. If this + field is not set, the configuration is in the cluster + scope. + type: string + specHash: + description: spec hash for an add-on configuration. + type: string + required: + - name + type: object + group: + default: "" + description: group of the add-on configuration. + type: string + resource: + description: resource of the add-on configuration. + minLength: 1 + type: string + required: + - resource + type: object + type: array + installProgressions: + description: installProgression is a list of current add-on configuration + references per placement. + items: + properties: + conditions: + description: conditions describe the state of the managed and + monitored components for the operator. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. 
--- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + configReferences: + description: configReferences is a list of current add-on configuration + references. + items: + description: InstallConfigReference is a reference to the + current add-on configuration. This resource is used to record + the configuration resource for the current add-on. + properties: + desiredConfig: + description: desiredConfig record the desired config name + and spec hash. + properties: + name: + description: name of the add-on configuration. + minLength: 1 + type: string + namespace: + description: namespace of the add-on configuration. + If this field is not set, the configuration is in + the cluster scope. + type: string + specHash: + description: spec hash for an add-on configuration. + type: string + required: + - name + type: object + group: + default: "" + description: group of the add-on configuration. + type: string + lastAppliedConfig: + description: lastAppliedConfig records the config spec + hash when the all the corresponding ManagedClusterAddOn + are applied successfully. + properties: + name: + description: name of the add-on configuration. + minLength: 1 + type: string + namespace: + description: namespace of the add-on configuration. + If this field is not set, the configuration is in + the cluster scope. 
+ type: string + specHash: + description: spec hash for an add-on configuration. + type: string + required: + - name + type: object + lastKnownGoodConfig: + description: lastKnownGoodConfig records the last known + good config spec hash. For fresh install or rollout + with type UpdateAll or RollingUpdate, the lastKnownGoodConfig + is the same as lastAppliedConfig. For rollout with type + RollingUpdateWithCanary, the lastKnownGoodConfig is + the last successfully applied config spec hash of the + canary placement. + properties: + name: + description: name of the add-on configuration. + minLength: 1 + type: string + namespace: + description: namespace of the add-on configuration. + If this field is not set, the configuration is in + the cluster scope. + type: string + specHash: + description: spec hash for an add-on configuration. + type: string + required: + - name + type: object + resource: + description: resource of the add-on configuration. + minLength: 1 + type: string + required: + - resource + type: object + type: array + name: + description: Name is the name of the placement + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the placement + minLength: 1 + type: string + required: + - name + - namespace + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/cluster-gateway-manager/crds/clustergatewayconfigurations.yaml b/charts/cluster-gateway-manager/crds/cluster.open-cluster-management.io_managedclustersetbindings.yaml similarity index 60% rename from charts/cluster-gateway-manager/crds/clustergatewayconfigurations.yaml rename to charts/cluster-gateway-manager/crds/cluster.open-cluster-management.io_managedclustersetbindings.yaml index b678a8ac..6e75601a 100644 --- a/charts/cluster-gateway-manager/crds/clustergatewayconfigurations.yaml 
+++ b/charts/cluster-gateway-manager/crds/cluster.open-cluster-management.io_managedclustersetbindings.yaml @@ -1,24 +1,28 @@ - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null - name: clustergatewayconfigurations.proxy.open-cluster-management.io + name: managedclustersetbindings.cluster.open-cluster-management.io spec: - group: proxy.open-cluster-management.io + group: cluster.open-cluster-management.io names: - kind: ClusterGatewayConfiguration - listKind: ClusterGatewayConfigurationList - plural: clustergatewayconfigurations - singular: clustergatewayconfiguration - scope: Cluster + kind: ManagedClusterSetBinding + listKind: ManagedClusterSetBindingList + plural: managedclustersetbindings + shortNames: + - mclsetbinding + - mclsetbindings + singular: managedclustersetbinding + scope: Namespaced versions: - - name: v1alpha1 + - name: v1beta2 schema: openAPIV3Schema: + description: ManagedClusterSetBinding projects a ManagedClusterSet into a + certain namespace. You can create a ManagedClusterSetBinding in a namespace + and bind it to a ManagedClusterSet if both have a RBAC rules to CREATE on + the virtual subresource of managedclustersets/bind. Workloads that you create + in the same namespace can only be distributed to ManagedClusters in ManagedClusterSets + that are bound in this namespace by higher-level controllers. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -33,81 +37,33 @@ spec: metadata: type: object spec: + description: Spec defines the attributes of ManagedClusterSetBinding. properties: - egress: - properties: - clusterProxy: - properties: - credentials: - properties: - namespace: - type: string - proxyClientCASecretName: - type: string - proxyClientSecretName: - type: string - required: - - namespace - - proxyClientCASecretName - - proxyClientSecretName - type: object - proxyServerHost: - type: string - proxyServerPort: - format: int32 - type: integer - required: - - credentials - - proxyServerHost - - proxyServerPort - type: object - type: - type: string - required: - - type - type: object - image: + clusterSet: + description: ClusterSet is the name of the ManagedClusterSet to bind. + It must match the instance name of the ManagedClusterSetBinding + and cannot change once created. User is allowed to set this field + if they have an RBAC rule to CREATE on the virtual subresource of + managedclustersets/bind. + minLength: 1 type: string - installNamespace: - type: string - secretManagement: - properties: - managedServiceAccount: - properties: - name: - default: cluster-gateway - type: string - type: object - type: - default: ManagedServiceAccount - enum: - - Manual - - ManagedServiceAccount - type: string - type: object - secretNamespace: - type: string - required: - - egress - - image - - installNamespace - - secretManagement - - secretNamespace type: object status: + description: Status represents the current status of the ManagedClusterSetBinding properties: conditions: + description: Conditions contains the different condition statuses + for this ManagedClusterSetBinding. items: description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: description: lastTransitionTime is the last time the condition @@ -165,18 +121,9 @@ spec: - type type: object type: array - lastObservedGeneration: - format: int64 - type: integer type: object type: object served: true storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/cluster-gateway-manager/crds/cluster.open-cluster-management.io_placements.yaml b/charts/cluster-gateway-manager/crds/cluster.open-cluster-management.io_placements.yaml new file mode 100644 index 00000000..dd4ac28c --- /dev/null +++ b/charts/cluster-gateway-manager/crds/cluster.open-cluster-management.io_placements.yaml 
@@ -0,0 +1,666 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: placements.cluster.open-cluster-management.io +spec: + group: cluster.open-cluster-management.io + names: + kind: Placement + listKind: PlacementList + plural: placements + singular: placement + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="PlacementSatisfied")].status + name: Succeeded + type: string + - jsonPath: .status.conditions[?(@.type=="PlacementSatisfied")].reason + name: Reason + type: string + - jsonPath: .status.numberOfSelectedClusters + name: SelectedClusters + type: integer + name: v1beta1 + schema: + openAPIV3Schema: + description: "Placement defines a rule to select a set of ManagedClusters + from the ManagedClusterSets bound to the placement namespace. \n Here is + how the placement policy combines with other selection methods to determine + a matching list of ManagedClusters: 1. Kubernetes clusters are registered + with hub as cluster-scoped ManagedClusters; 2. ManagedClusters are organized + into cluster-scoped ManagedClusterSets; 3. ManagedClusterSets are bound + to workload namespaces; 4. Namespace-scoped Placements specify a slice of + ManagedClusterSets which select a working set of potential ManagedClusters; + 5. Then Placements subselect from that working set using label/claim selection. + \n A ManagedCluster will not be selected if no ManagedClusterSet is bound + to the placement namespace. A user is able to bind a ManagedClusterSet to + a namespace by creating a ManagedClusterSetBinding in that namespace if + they have an RBAC rule to CREATE on the virtual subresource of `managedclustersets/bind`. + \n A slice of PlacementDecisions with the label cluster.open-cluster-management.io/placement={placement + name} will be created to represent the ManagedClusters selected by this + placement. 
\n If a ManagedCluster is selected and added into the PlacementDecisions, + other components may apply workload on it; once it is removed from the PlacementDecisions, + the workload applied on this ManagedCluster should be evicted accordingly." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the attributes of Placement. + properties: + clusterSets: + description: ClusterSets represent the ManagedClusterSets from which + the ManagedClusters are selected. If the slice is empty, ManagedClusters + will be selected from the ManagedClusterSets bound to the placement + namespace, otherwise ManagedClusters will be selected from the intersection + of this slice and the ManagedClusterSets bound to the placement + namespace. + items: + type: string + type: array + decisionStrategy: + description: DecisionStrategy divide the created placement decision + to groups and define number of clusters per decision group. + properties: + groupStrategy: + description: GroupStrategy define strategies to divide selected + clusters to decision groups. + properties: + clustersPerDecisionGroup: + anyOf: + - type: integer + - type: string + default: 100% + description: "ClustersPerDecisionGroup is a specific number + or percentage of the total selected clusters. 
The specific + number will divide the placementDecisions to decisionGroups + each group has max number of clusters equal to that specific + number. The percentage will divide the placementDecisions + to decisionGroups each group has max number of clusters + based on the total num of selected clusters and percentage. + ex; for a total 100 clusters selected, ClustersPerDecisionGroup + equal to 20% will divide the placement decision to 5 groups + each group should have 20 clusters. Default is having all + clusters in a single group. \n The predefined decisionGroups + is expected to be a subset of the selected clusters and + the number of items in each group SHOULD be less than ClustersPerDecisionGroup. + Once the number of items exceeds the ClustersPerDecisionGroup, + the decisionGroups will also be be divided into multiple + decisionGroups with same GroupName but different GroupIndex." + pattern: ^((100|[1-9][0-9]{0,1})%|[1-9][0-9]*)$ + x-kubernetes-int-or-string: true + decisionGroups: + description: DecisionGroups represents a list of predefined + groups to put decision results. Decision groups will be + constructed based on the DecisionGroups field at first. + The clusters not included in the DecisionGroups will be + divided to other decision groups afterwards. Each decision + group should not have the number of clusters larger than + the ClustersPerDecisionGroup. + items: + description: DecisionGroup define a subset of clusters that + will be added to placementDecisions with groupName label. + properties: + groupClusterSelector: + description: LabelSelector to select clusters subset + by label. + properties: + claimSelector: + description: ClaimSelector represents a selector + of ManagedClusters by clusterClaims in status + properties: + matchExpressions: + description: matchExpressions is a list of cluster + claim selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + labelSelector: + description: LabelSelector represents a selector + of ManagedClusters by label + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + groupName: + description: Group name to be added as label value to + the created placement Decisions labels with label + key cluster.open-cluster-management.io/decision-group-name + pattern: ^[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$ + type: string + required: + - groupClusterSelector + - groupName + type: object + type: array + type: object + type: object + numberOfClusters: + description: NumberOfClusters represents the desired number of ManagedClusters + to be selected which meet the placement requirements. 1) If not + specified, all ManagedClusters which meet the placement requirements + (including ClusterSets, and Predicates) will be selected; 2) Otherwise + if the nubmer of ManagedClusters meet the placement requirements + is larger than NumberOfClusters, a random subset with desired number + of ManagedClusters will be selected; 3) If the nubmer of ManagedClusters + meet the placement requirements is equal to NumberOfClusters, all + of them will be selected; 4) If the nubmer of ManagedClusters meet + the placement requirements is less than NumberOfClusters, all of + them will be selected, and the status of condition `PlacementConditionSatisfied` + will be set to false; + format: int32 + type: integer + predicates: + description: Predicates represent a slice of predicates to select + ManagedClusters. The predicates are ORed. + items: + description: ClusterPredicate represents a predicate to select ManagedClusters. + properties: + requiredClusterSelector: + description: RequiredClusterSelector represents a selector of + ManagedClusters by label and claim. 
If specified, 1) Any ManagedCluster, + which does not match the selector, should not be selected + by this ClusterPredicate; 2) If a selected ManagedCluster + (of this ClusterPredicate) ceases to match the selector (e.g. + due to an update) of any ClusterPredicate, it will be eventually + removed from the placement decisions; 3) If a ManagedCluster + (not selected previously) starts to match the selector, it + will either be selected or at least has a chance to be selected + (when NumberOfClusters is specified); + properties: + claimSelector: + description: ClaimSelector represents a selector of ManagedClusters + by clusterClaims in status + properties: + matchExpressions: + description: matchExpressions is a list of cluster claim + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + labelSelector: + description: LabelSelector represents a selector of ManagedClusters + by label + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + type: array + prioritizerPolicy: + description: PrioritizerPolicy defines the policy of the prioritizers. + If this field is unset, then default prioritizer mode and configurations + are used. Referring to PrioritizerPolicy to see more description + about Mode and Configurations. + properties: + configurations: + items: + description: PrioritizerConfig represents the configuration + of prioritizer + properties: + scoreCoordinate: + description: ScoreCoordinate represents the configuration + of the prioritizer and score source. + properties: + addOn: + description: When type is "AddOn", AddOn defines the + resource name and score name. + properties: + resourceName: + description: ResourceName defines the resource name + of the AddOnPlacementScore. The placement prioritizer + selects AddOnPlacementScore CR by this name. + type: string + scoreName: + description: ScoreName defines the score name inside + AddOnPlacementScore. 
AddOnPlacementScore contains + a list of score name and score value, ScoreName + specify the score to be used by the prioritizer. + type: string + required: + - resourceName + - scoreName + type: object + builtIn: + description: 'BuiltIn defines the name of a BuiltIn + prioritizer. Below are the valid BuiltIn prioritizer + names. 1) Balance: balance the decisions among the + clusters. 2) Steady: ensure the existing decision + is stabilized. 3) ResourceAllocatableCPU & ResourceAllocatableMemory: + sort clusters based on the allocatable. 4) Spread: + spread the workload evenly to topologies.' + type: string + type: + default: BuiltIn + description: Type defines the type of the prioritizer + score. Type is either "BuiltIn", "AddOn" or "", where + "" is "BuiltIn" by default. When the type is "BuiltIn", + need to specify a BuiltIn prioritizer name in BuiltIn. + When the type is "AddOn", need to configure the score + source in AddOn. + enum: + - BuiltIn + - AddOn + type: string + required: + - type + type: object + weight: + default: 1 + description: Weight defines the weight of the prioritizer + score. The value must be ranged in [-10,10]. Each prioritizer + will calculate an integer score of a cluster in the range + of [-100, 100]. The final score of a cluster will be sum(weight + * prioritizer_score). A higher weight indicates that the + prioritizer weights more in the cluster selection, while + 0 weight indicates that the prioritizer is disabled. A + negative weight indicates wants to select the last ones. + format: int32 + maximum: 10 + minimum: -10 + type: integer + required: + - scoreCoordinate + type: object + type: array + mode: + default: Additive + description: Mode is either Exact, Additive, "" where "" is Additive + by default. In Additive mode, any prioritizer not explicitly + enumerated is enabled in its default Configurations, in which + Steady and Balance prioritizers have the weight of 1 while other + prioritizers have the weight of 0. 
Additive doesn't require + configuring all prioritizers. The default Configurations may + change in the future, and additional prioritization will happen. + In Exact mode, any prioritizer not explicitly enumerated is + weighted as zero. Exact requires knowing the full set of prioritizers + you want, but avoids behavior changes between releases. + type: string + type: object + spreadPolicy: + description: SpreadPolicy defines how placement decisions should be + distributed among a set of ManagedClusters. + properties: + spreadConstraints: + description: SpreadConstraints defines how the placement decision + should be distributed among a set of ManagedClusters. The importance + of the SpreadConstraintsTerms follows the natural order of their + index in the slice. The scheduler first consider SpreadConstraintsTerms + with smaller index then those with larger index to distribute + the placement decision. + items: + description: SpreadConstraintsTerm defines a terminology to + spread placement decisions. + properties: + maxSkew: + default: 1 + description: MaxSkew represents the degree to which the + workload may be unevenly distributed. Skew is the maximum + difference between the number of selected ManagedClusters + in a topology and the global minimum. The global minimum + is the minimum number of selected ManagedClusters for + the topologies within the same TopologyKey. The minimum + possible value of MaxSkew is 1, and the default value + is 1. + format: int32 + minimum: 1 + type: integer + topologyKey: + description: TopologyKey is either a label key or a cluster + claim name of ManagedClusters. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$ + type: string + topologyKeyType: + description: TopologyKeyType indicates the type of TopologyKey. + It could be Label or Claim. 
+ enum: + - Label + - Claim + type: string + whenUnsatisfiable: + default: ScheduleAnyway + description: WhenUnsatisfiable represents the action of + the scheduler when MaxSkew cannot be satisfied. It could + be DoNotSchedule or ScheduleAnyway. The default value + is ScheduleAnyway. DoNotSchedule instructs the scheduler + not to schedule more ManagedClusters when MaxSkew is not + satisfied. ScheduleAnyway instructs the scheduler to keep + scheduling even if MaxSkew is not satisfied. + enum: + - DoNotSchedule + - ScheduleAnyway + type: string + required: + - topologyKey + - topologyKeyType + type: object + maxItems: 8 + type: array + type: object + tolerations: + description: Tolerations are applied to placements, and allow (but + do not require) the managed clusters with certain taints to be selected + by placements with matching tolerations. + items: + description: Toleration represents the toleration object that can + be attached to a placement. The placement this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSelect, PreferNoSelect and NoSelectIfNew. + enum: + - NoSelect + - PreferNoSelect + - NoSelectIfNew + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + operator: + default: Equal + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. 
+ Exists is equivalent to wildcard for value, so that a placement + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoSelect/PreferNoSelect, + otherwise this field is ignored) tolerates the taint. The + default value is nil, which indicates it tolerates the taint + forever. The start time of counting the TolerationSeconds + should be the TimeAdded in Taint, not the cluster scheduled + time or TolerationSeconds added time. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + maxLength: 1024 + type: string + type: object + type: array + type: object + status: + description: Status represents the current status of the Placement + properties: + conditions: + description: Conditions contains the different condition status for + this Placement. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + decisionGroups: + description: List of decision groups determined by the placement and + DecisionStrategy. + items: + description: Present decision groups status based on the DecisionStrategy + definition. 
+ properties: + clusterCount: + default: 0 + description: Total number of clusters in the decision group. + Clusters count is equal or less than the clusterPerDecisionGroups + defined in the decision strategy. + format: int32 + type: integer + decisionGroupIndex: + description: Present the decision group index. If there is no + decision strategy defined all placement decisions will be + in group index 0 + format: int32 + type: integer + decisionGroupName: + description: Decision group name that is defined in the DecisionStrategy's + DecisionGroup. + type: string + decisions: + description: List of placement decisions names associated with + the decision group + items: + type: string + type: array + type: object + type: array + numberOfSelectedClusters: + description: NumberOfSelectedClusters represents the number of selected + ManagedClusters + format: int32 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/cluster-gateway-manager/crds/config.gateway.open-cluster-management.io_clustergatewayconfigurations.yaml b/charts/cluster-gateway-manager/crds/config.gateway.open-cluster-management.io_clustergatewayconfigurations.yaml new file mode 100644 index 00000000..77781e2a --- /dev/null +++ b/charts/cluster-gateway-manager/crds/config.gateway.open-cluster-management.io_clustergatewayconfigurations.yaml 
@@ -0,0 +1,168 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clustergatewayconfigurations.config.gateway.open-cluster-management.io +spec: + group: config.gateway.open-cluster-management.io + names: + kind: ClusterGatewayConfiguration + listKind: ClusterGatewayConfigurationList + plural: clustergatewayconfigurations + singular: clustergatewayconfiguration + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + egress: + properties: + clusterProxy: + properties: + credentials: + properties: + namespace: + type: string + proxyClientCASecretName: + type: string + proxyClientSecretName: + type: string + required: + - namespace + - proxyClientCASecretName + - proxyClientSecretName + type: object + proxyServerHost: + type: string + proxyServerPort: + format: int32 + type: integer + required: + - credentials + - proxyServerHost + - proxyServerPort + type: object + type: object + image: + type: string + secretManagement: + properties: + managedServiceAccount: + properties: + name: + default: cluster-gateway + type: string + type: object + type: + default: ManagedServiceAccount + enum: + - Manual + - ManagedServiceAccount + type: string + type: object + required: + - egress + - image + - secretManagement + type: object + status: + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastObservedGeneration: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/cluster-gateway-manager/doc.yaml b/charts/cluster-gateway-manager/doc.yaml index 8fc4c16e..554e9139 100644 --- a/charts/cluster-gateway-manager/doc.yaml +++ b/charts/cluster-gateway-manager/doc.yaml @@ -15,4 +15,4 @@ prerequisites: - Kubernetes 1.21+ release: name: cluster-gateway-manager - namespace: open-cluster-management + namespace: open-cluster-management-cluster-gateway diff --git a/charts/cluster-gateway-manager/templates/_helpers.tpl b/charts/cluster-gateway-manager/templates/_helpers.tpl new file mode 100644 index 00000000..4a161607 --- /dev/null +++ b/charts/cluster-gateway-manager/templates/_helpers.tpl 
@@ -0,0 +1,69 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cluster-gateway-manager.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cluster-gateway-manager.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cluster-gateway-manager.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cluster-gateway-manager.labels" -}}
+helm.sh/chart: {{ include "cluster-gateway-manager.chart" . }}
+{{ include "cluster-gateway-manager.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cluster-gateway-manager.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cluster-gateway-manager.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cluster-gateway-manager.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cluster-gateway-manager.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Addon manager namespace +*/}} +{{- define "cluster-gateway-manager.namespace" -}} +{{ ternary .Release.Namespace (required "A valid .Values.addonManagerNamespace is required!" .Values.addonManagerNamespace) (empty .Values.kubeconfigSecretName) }} +{{- end }} diff --git a/charts/cluster-gateway-manager/templates/addon-manager.yaml b/charts/cluster-gateway-manager/templates/addon-manager.yaml deleted file mode 100644 index 48f9118e..00000000 --- a/charts/cluster-gateway-manager/templates/addon-manager.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cluster-gateway-manager - namespace: {{ .Release.Namespace }} - labels: - app: cluster-gateway-manager -spec: - replicas: {{ .Values.replicas }} - selector: - matchLabels: - app: cluster-gateway-manager - template: - metadata: - labels: - app: cluster-gateway-manager - spec: - serviceAccount: cluster-gateway-manager - containers: - - name: cluster-gateway-manager - image: {{ .Values.image }}:{{ .Values.tag | default (print "v" .Chart.Version) }} - imagePullPolicy: IfNotPresent - args: - - --leader-elect=true \ No newline at end of file diff --git a/charts/cluster-gateway-manager/templates/clustergatewayconfiguration.yaml b/charts/cluster-gateway-manager/templates/clustergatewayconfiguration.yaml deleted file mode 100644 index 6736d796..00000000 --- a/charts/cluster-gateway-manager/templates/clustergatewayconfiguration.yaml +++ /dev/null 
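Review bot: The `.Release.Namespace` fallback in `cluster-gateway-manager.namespace` can never take effect, because Go template arguments are evaluated before `ternary` is called, so `required` aborts rendering whenever `.Values.addonManagerNamespace` is empty even when `kubeconfigSecretName` is unset and the release namespace would have been chosen. In this change the helper appears to be included only under `{{- if .Values.kubeconfigSecretName }}`, so the defect is latent, but the next caller will get a misleading "addonManagerNamespace is required" error on a plain install. An explicit if/else keeps the same message and makes the fallback real.

```gotemplate
{{- define "cluster-gateway-manager.namespace" -}}
{{- if empty .Values.kubeconfigSecretName -}}
{{ .Release.Namespace }}
{{- else -}}
{{ required "A valid .Values.addonManagerNamespace is required!" .Values.addonManagerNamespace }}
{{- end -}}
{{- end }}
```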
@@ -1,29 +0,0 @@ -apiVersion: proxy.open-cluster-management.io/v1alpha1 -kind: ClusterGatewayConfiguration -metadata: - name: cluster-gateway -spec: - image: {{ .Values.clusterGateway.image }}:{{ .Values.tag | default (print "v" .Chart.Version) }} - installNamespace: {{ .Values.clusterGateway.installNamespace }} - secretNamespace: {{ .Values.clusterGateway.secretNamespace }} - secretManagement: - {{ if .Values.manualSecretManagement }} - type: Manual - {{ else }} - type: ManagedServiceAccount - managedServiceAccount: - name: cluster-gateway - {{ end }} - egress: - {{ if .Values.konnectivityEgress }} - type: ClusterProxy - clusterProxy: - proxyServerHost: "proxy-entrypoint.open-cluster-management-addon" - proxyServerPort: 8090 - credentials: - namespace: open-cluster-management-addon - proxyClientCASecretName: proxy-server-ca - proxyClientSecretName: proxy-client - {{ else }} - type: Direct - {{ end }} diff --git a/charts/cluster-gateway-manager/templates/clustermanagementaddon.yaml b/charts/cluster-gateway-manager/templates/clustermanagementaddon.yaml deleted file mode 100644 index f8357119..00000000 --- a/charts/cluster-gateway-manager/templates/clustermanagementaddon.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: addon.open-cluster-management.io/v1alpha1 -kind: ClusterManagementAddOn -metadata: - name: cluster-gateway -spec: - addOnMeta: - displayName: cluster-gateway - description: cluster-gateway - addOnConfiguration: - crdName: clustergatewayconfigurations.proxy.open-cluster-management.io - crName: cluster-gateway diff --git a/charts/cluster-gateway-manager/templates/clusterroles.yaml b/charts/cluster-gateway-manager/templates/clusterrole.yaml similarity index 93% rename from charts/cluster-gateway-manager/templates/clusterroles.yaml rename to charts/cluster-gateway-manager/templates/clusterrole.yaml index 55776083..59fb3dd4 100644 --- a/charts/cluster-gateway-manager/templates/clusterroles.yaml +++ b/charts/cluster-gateway-manager/templates/clusterrole.yaml 
@@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: open-cluster-management:cluster-gateway:managedcluster-reader + name: open-cluster-management:cluster-gateway:addon-manager rules: - apiGroups: - cluster.open-cluster-management.io @@ -18,13 +18,13 @@ rules: verbs: - "*" - apiGroups: - - proxy.open-cluster-management.io + - config.gateway.open-cluster-management.io resources: - clustergatewayconfigurations verbs: - "*" - apiGroups: - - cluster.core.oam.dev + - gateway.open-cluster-management.io resources: - clustergateways/health - clustergateways/proxy @@ -125,4 +125,4 @@ rules: resources: - subjectaccessreviews verbs: - - "*" \ No newline at end of file + - "*" diff --git a/charts/cluster-gateway-manager/templates/clusterrolebindings.yaml b/charts/cluster-gateway-manager/templates/clusterrolebinding.yaml similarity index 63% rename from charts/cluster-gateway-manager/templates/clusterrolebindings.yaml rename to charts/cluster-gateway-manager/templates/clusterrolebinding.yaml index 59e84984..a75403d8 100644 --- a/charts/cluster-gateway-manager/templates/clusterrolebindings.yaml +++ b/charts/cluster-gateway-manager/templates/clusterrolebinding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: open-cluster-management:cluster-gateway:managedcluster-reader + name: open-cluster-management:cluster-gateway:addon-manager roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: open-cluster-management:cluster-gateway:managedcluster-reader + name: open-cluster-management:cluster-gateway:addon-manager subjects: - kind: ServiceAccount name: cluster-gateway-manager diff --git a/charts/cluster-gateway-manager/templates/deployment.yaml b/charts/cluster-gateway-manager/templates/deployment.yaml new file mode 100644 index 00000000..70b243fe --- /dev/null +++ b/charts/cluster-gateway-manager/templates/deployment.yaml 
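Review bot: The renamed `addon-manager` ClusterRole keeps `"*"` on `clustergatewayconfigurations` in the new `config.gateway.open-cluster-management.io` group, which also grants `delete` and `deletecollection`; a controller that reconciles this CR usually needs only `get`/`list`/`watch` plus `update`/`patch` (and the `/status` subresource), so the wildcard looks wider than needed — confirm against the manager code before narrowing. The verbs for `clustergateways/health` and `clustergateways/proxy` follow outside the hunk; `clustergateways/proxy` is the privilege that lets its holder send arbitrary requests into every managed cluster, so it deserves the same least-privilege check and a one-line comment stating why the manager needs it. The `rules` list continues outside the hunk.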
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cluster-gateway-manager
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ open-cluster-management.io/addon: cluster-gateway
+ template:
+ metadata:
+ labels:
+ open-cluster-management.io/addon: cluster-gateway
+ spec:
+ serviceAccount: cluster-gateway-manager
+ automountServiceAccountToken: true
+ containers:
+ - name: manager
+ image: {{ .Values.image }}:{{ .Values.tag | default .Chart.AppVersion }}
+ imagePullPolicy: Always
+ args:
+ {{- if gt (int .Values.replicas) 1 }}
+ - --leader-elect=true
+ {{- end }}
+ {{- if .Values.kubeconfigSecretName }}
+ - --multicluster-kubeconfig=/var/run/secrets/ocm/auth/kubeconfig
+ {{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- if .Values.kubeconfigSecretName }}
+ - name: NAMESPACE
+ value: {{ include "cluster-gateway-manager.namespace" . }}
+ {{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ {{- if .Values.kubeconfigSecretName }}
+ - mountPath: /var/run/secrets/ocm/auth
+ name: ocm-auth
+ {{- end }}
+ volumes:
+ {{- if .Values.kubeconfigSecretName }}
+ - name: ocm-auth
+ secret:
+ defaultMode: 420
+ secretName: {{ .Values.kubeconfigSecretName }}
+ {{- end }}
diff --git a/charts/cluster-gateway-manager/templates/k8s/addon.yaml b/charts/cluster-gateway-manager/templates/k8s/addon.yaml new file mode 100644
index 00000000..e68d3952
--- /dev/null
+++ b/charts/cluster-gateway-manager/templates/k8s/addon.yaml
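Review bot: `serviceAccount: cluster-gateway-manager` in the pod spec is the deprecated alias; the field that tooling, policy engines and the API docs expect is `serviceAccountName: cluster-gateway-manager`. The container hardening (drop ALL, `runAsNonRoot`, `readOnlyRootFilesystem`, no privilege escalation) is good, but without a seccomp profile the pod does not satisfy the restricted Pod Security Standard, so add `seccompProfile: {type: RuntimeDefault}` under the pod-level or container `securityContext`. `imagePullPolicy: Always` combined with a tag taken from `.Chart.AppVersion` means the image is re-resolved on every pod restart from a mutable tag rather than a digest; if that is intended for development, say so in a comment and recommend a digest-pinned `image` for production installs.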
@@ -0,0 +1,15 @@
+{{- if not .Values.kubeconfigSecretName }}
+
+{{- $restpl := $.Files.Get "common/addon/clustermanagementaddon.yaml" -}}
+{{ tpl $restpl $ }}
+---
+{{- $restpl := $.Files.Get "common/addon/clustersetbinding.yaml" -}}
+{{ tpl $restpl $ }}
+---
+{{- $restpl := $.Files.Get "common/addon/placement.yaml" -}}
+{{ tpl $restpl $ }}
+---
+{{- $restpl := $.Files.Get "common/addon/clustergatewayconfiguration.yaml" -}}
+{{ tpl $restpl $ }}
+
+{{- end }}
diff --git a/charts/cluster-gateway-manager/templates/ocm-mc/addon.yaml b/charts/cluster-gateway-manager/templates/ocm-mc/addon.yaml new file mode 100644
index 00000000..4c5f6c59
--- /dev/null
+++ b/charts/cluster-gateway-manager/templates/ocm-mc/addon.yaml
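Review bot: `$.Files.Get` returns an empty string when the path does not exist, so a typo in any of the four `common/addon/*.yaml` paths renders an empty document and Helm silently installs nothing for that resource (the Placement or ManagedClusterSetBinding would simply be missing, with no error). Wrapping each lookup so the render fails instead, e.g. `{{- $restpl := required "common/addon/placement.yaml is missing from the chart" ($.Files.Get "common/addon/placement.yaml") -}}`, turns that into a hard install-time error. A one-line comment at the top of the file noting that these manifests come from `common/addon/` and are rendered through `tpl` would also help readers who look for the resources under `templates/`.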
@@ -0,0 +1,52 @@ +{{- if .Values.kubeconfigSecretName }} + +apiVersion: batch/v1 +kind: Job +metadata: + name: cluster-gateway-configure-addon + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook-weight": "2" + "helm.sh/hook": post-install,post-upgrade,post-rollback + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed +spec: + ttlSecondsAfterFinished: 0 + backoffLimit: 3 + template: + spec: + automountServiceAccountToken: false + containers: + - name: kubectl + image: {{ .Values.kubectl.image }} + workingDir: /var/run/secrets/ocm + command: + - sh + - -c + - | + sleep 2; \ + kubectl --kubeconfig=auth/kubeconfig create ns {{ include "cluster-gateway-manager.namespace" $ }} || true; \ + kubectl --kubeconfig=auth/kubeconfig apply -f - <oamdev/cluster-gateway | -| tag | | | -| replicas | Number of replicas | 1 | -| secretNamespace | A secured namespace for reading cluster secrets | open-cluster-management-credentials | -| ocmIntegration.enabled | | false | -| ocmIntegration.clusterProxy.enabled | | false | -| ocmIntegration.clusterProxy.endpoint.host | | proxy-entrypoint.open-cluster-management-cluster-proxy | -| ocmIntegration.clusterProxy.endpoint.port | | 8090 | -| featureGate.healthiness | | false | -| featureGate.secretCache | | false | +| Parameter | Description | Default | +|----------------------------|----------------------------------------|---------------------------------------------------------------------| +| image | Image of the cluster-gateway instances | ghcr.io/kluster-manager/cluster-gateway | +| tag | | | +| replicas | Number of replicas | 1 | +| clusterProxy.enabled | | true | +| clusterProxy.endpoint.host | | proxy-entrypoint.open-cluster-management-cluster-proxy | +| clusterProxy.endpoint.port | | 8090 | +| featureGate.healthiness | | false | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. 
For example: ```bash -$ helm upgrade -i cluster-gateway appscode/cluster-gateway -n open-cluster-management --create-namespace --version=v2024.2.25 --set image=oamdev/cluster-gateway +$ helm upgrade -i cluster-gateway appscode/cluster-gateway -n open-cluster-management --create-namespace --version=v2024.2.25 --set image=ghcr.io/kluster-manager/cluster-gateway ``` Alternatively, a YAML file that specifies the values for the parameters can be provided while diff --git a/charts/cluster-gateway/templates/apiservice.yaml b/charts/cluster-gateway/templates/apiservice.yaml index 48e42b3b..3fbeaa54 100644 --- a/charts/cluster-gateway/templates/apiservice.yaml +++ b/charts/cluster-gateway/templates/apiservice.yaml @@ -1,17 +1,17 @@ apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: - name: v1alpha1.cluster.core.oam.dev + name: v1alpha1.gateway.open-cluster-management.io labels: api: cluster-extension-apiserver apiserver: "true" spec: version: v1alpha1 - group: cluster.core.oam.dev + group: gateway.open-cluster-management.io groupPriorityMinimum: 2000 service: name: gateway-service - namespace: {{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} port: 9443 versionPriority: 10 insecureSkipTLSVerify: true \ No newline at end of file diff --git a/charts/cluster-gateway/templates/cluster-gateway-apiserver.yaml b/charts/cluster-gateway/templates/cluster-gateway-apiserver.yaml index b535a80a..a2cd3198 100644 --- a/charts/cluster-gateway/templates/cluster-gateway-apiserver.yaml +++ b/charts/cluster-gateway/templates/cluster-gateway-apiserver.yaml 
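Review bot: The renamed APIService still carries `insecureSkipTLSVerify: true`, so the kube-apiserver does not verify the serving certificate of `gateway-service` when it forwards already-authenticated requests (with the caller's identity in the proxy headers) to the gateway; anything in the cluster able to answer for that Service could then act toward managed clusters as those callers. Since this hunk already edits the APIService for the group rename, it is the natural place to set `insecureSkipTLSVerify: false` and populate `caBundle` with the CA that signs the gateway's serving certificate — the `# TODO: certificate rotation` remark in the apiserver manifest suggests that certificate is currently self-signed, so this likely goes together with proper certificate management (for example a cert-manager CA injector annotation). At minimum the README should state that the aggregation path is currently unverified so operators can weigh the risk.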
@@ -25,24 +25,20 @@ spec: secretName: proxy-server-ca containers: - name: gateway - image: {{ .Values.image }}:{{ .Values.tag | default (print "v" .Chart.Version) }} + image: {{ .Values.image }}:{{ .Values.tag | default .Chart.AppVersion }} imagePullPolicy: IfNotPresent args: - --secure-port=9443 - - --secret-namespace={{ .Values.secretNamespace }} - {{ if .Values.ocmIntegration.enabled }} - - --ocm-integration=true - {{ if .Values.ocmIntegration.clusterProxy.enabled }} - - --proxy-host={{ .Values.ocmIntegration.clusterProxy.endpoint.host }} - - --proxy-port={{ .Values.ocmIntegration.clusterProxy.endpoint.port }} + {{ if .Values.clusterProxy.enabled }} + - --proxy-host={{ .Values.clusterProxy.endpoint.host }} + - --proxy-port={{ .Values.clusterProxy.endpoint.port }} - --proxy-ca-cert=/etc/ca/ca.crt - --proxy-cert=/etc/tls/tls.crt - --proxy-key=/etc/tls/tls.key {{ end }} - {{ end }} - - --feature-gates={{ if .Values.featureGate.healthiness }}HealthinessCheck=true,{{ end }}{{ if .Values.featureGate.secretCache }}SecretCache=true,{{ end }} + - --feature-gates={{ if .Values.featureGate.healthiness }}HealthinessCheck=true,{{ end }} # TODO: certificate rotation, otherwise the self-signed will expire in 1 year - {{ if .Values.ocmIntegration.clusterProxy.enabled }} + {{ if .Values.clusterProxy.enabled }} volumeMounts: - name: proxy-client mountPath: "/etc/tls/" diff --git a/charts/cluster-gateway/templates/clusterrolebindings.yaml b/charts/cluster-gateway/templates/clusterrolebindings.yaml index 9e4264d1..75172f91 100644 --- a/charts/cluster-gateway/templates/clusterrolebindings.yaml +++ b/charts/cluster-gateway/templates/clusterrolebindings.yaml 
@@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: open-cluster-management:cluster-gateway:managedcluster-reader + name: open-cluster-management:cluster-gateway:apiserver roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: open-cluster-management:cluster-gateway:managedcluster-reader + name: open-cluster-management:cluster-gateway:apiserver subjects: - kind: ServiceAccount name: cluster-gateway diff --git a/charts/cluster-gateway/templates/clusterroles.yaml b/charts/cluster-gateway/templates/clusterroles.yaml index 898c48d9..a280316c 100644 --- a/charts/cluster-gateway/templates/clusterroles.yaml +++ b/charts/cluster-gateway/templates/clusterroles.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: open-cluster-management:cluster-gateway:managedcluster-reader + name: open-cluster-management:cluster-gateway:apiserver rules: - apiGroups: - cluster.open-cluster-management.io @@ -42,4 +42,27 @@ rules: resources: - subjectaccessreviews verbs: - - "*" \ No newline at end of file + - "*" + # read/update managed cluster addons + - apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons + verbs: + - get + - list + - watch + - create + - update + - patch + # read managed service account credentials + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + resourceNames: + - cluster-gateway diff --git a/charts/cluster-gateway/templates/rolebindings.yaml b/charts/cluster-gateway/templates/rolebindings.yaml index 534c2301..21579835 100644 --- a/charts/cluster-gateway/templates/rolebindings.yaml +++ b/charts/cluster-gateway/templates/rolebindings.yaml 
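Review bot: The new `secrets` rule combines `list`/`watch` with `resourceNames: [cluster-gateway]`, and RBAC only authorizes a `list` or `watch` under `resourceNames` when the request carries a `metadata.name=cluster-gateway` field selector; a plain informer or `List` on secrets from this service account will be rejected with Forbidden. Either make sure the gateway's secret informer sets that field selector, or drop `list`/`watch` and keep only `get` if the secret is read on demand. The rule is also cluster-wide across all namespaces, which is appropriate if the managed-service-account token secret lives in each managed cluster's namespace — say so in the comment, e.g. `# read the ManagedServiceAccount token secret "cluster-gateway" in every cluster namespace`, so a later reviewer does not narrow it to one namespace by mistake.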
@@ -1,7 +1,8 @@ +# to read the config for terminating authentication apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: system:extension-apiserver-authentication-reader:cluster-gateway + name: extension-apiserver-authentication-reader:cluster-gateway namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io @@ -10,4 +11,18 @@ roleRef: subjects: - kind: ServiceAccount name: cluster-gateway - namespace: {{ .Release.Namespace }} \ No newline at end of file + namespace: {{ .Release.Namespace }} +--- +# to delegate authentication and authorization +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: auth-delegator:cluster-gateway +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: cluster-gateway + namespace: {{ .Release.Namespace }} diff --git a/charts/cluster-gateway/templates/secret-namespace.yaml b/charts/cluster-gateway/templates/secret-namespace.yaml deleted file mode 100644 index 9d2f362d..00000000 --- a/charts/cluster-gateway/templates/secret-namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: {{ .Values.secretNamespace }} \ No newline at end of file diff --git a/charts/cluster-gateway/templates/secret-rolebindings.yaml b/charts/cluster-gateway/templates/secret-rolebindings.yaml deleted file mode 100644 index ad3d6706..00000000 --- a/charts/cluster-gateway/templates/secret-rolebindings.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cluster-gateway-secret-reader - namespace: {{ .Values.secretNamespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cluster-gateway-secret-reader -subjects: - - kind: ServiceAccount - name: cluster-gateway - namespace: {{ .Release.Namespace }} \ No newline at end of file 
diff --git a/charts/cluster-gateway/templates/secret-roles.yaml b/charts/cluster-gateway/templates/secret-roles.yaml deleted file mode 100644 index 2db55f10..00000000 --- a/charts/cluster-gateway/templates/secret-roles.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cluster-gateway-secret-reader - namespace: {{ .Values.secretNamespace }} -rules: - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "*" diff --git a/charts/cluster-gateway/values.yaml b/charts/cluster-gateway/values.yaml index 4d1b13d1..145b8d96 100644 --- a/charts/cluster-gateway/values.yaml +++ b/charts/cluster-gateway/values.yaml @@ -1,21 +1,16 @@ # Image of the cluster-gateway instances -image: oamdev/cluster-gateway +image: ghcr.io/kluster-manager/cluster-gateway tag: # Number of replicas replicas: 1 -# A secured namespace for reading cluster secrets -secretNamespace: open-cluster-management-credentials -ocmIntegration: - enabled: false - clusterProxy: - enabled: false - endpoint: - host: proxy-entrypoint.open-cluster-management-cluster-proxy - port: 8090 +clusterProxy: + enabled: true + endpoint: + host: proxy-entrypoint.open-cluster-management-cluster-proxy + port: 8090 featureGate: healthiness: false - secretCache: false \ No newline at end of file diff --git a/hack/scripts/import-crds.sh b/hack/scripts/import-crds.sh index e26cf409..77338794 100755 --- a/hack/scripts/import-crds.sh +++ b/hack/scripts/import-crds.sh 
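Review bot: Flipping `clusterProxy.enabled` to `true` by default makes the gateway Deployment pass the `--proxy-*` flags and mount the `proxy-client`/`proxy-server-ca` volumes unconditionally, so on a hub where the cluster-proxy addon is not installed the pod will sit in ContainerCreating waiting for secrets that never appear. Document the dependency next to the default, e.g. `# Requires the cluster-proxy addon: the proxy-client and proxy-server-ca secrets must exist in the release namespace; set to false for direct access`. The removed `secretNamespace` and `secretCache` keys are also gone from the README table, which is consistent, but a short upgrade note explaining that cluster credentials now come from ManagedServiceAccounts rather than a dedicated secret namespace would help operators migrating from the previous chart.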
@@ -34,8 +34,10 @@ crd-importer \ --out=./charts/cluster-auth-manager/crds crd-importer \ - --input=https://github.com/kluster-manager/cluster-gateway/raw/master/hack/crd/bases/proxy.open-cluster-management.io_clustergatewayconfigurations.yaml \ + --input=https://github.com/kluster-manager/cluster-gateway/raw/master/hack/crd/bases/config.gateway.open-cluster-management.io_clustergatewayconfigurations.yaml \ --input=https://github.com/open-cluster-management-io/api/raw/${OPEN_CLUSTER_MANAGEMENT_IO_API_TAG}/addon/v1alpha1/0000_00_addon.open-cluster-management.io_clustermanagementaddons.crd.yaml \ + --input=https://github.com/open-cluster-management-io/api/raw/${OPEN_CLUSTER_MANAGEMENT_IO_API_TAG}/cluster/v1beta1/0000_02_clusters.open-cluster-management.io_placements.crd.yaml \ + --input=https://github.com/open-cluster-management-io/api/raw/${OPEN_CLUSTER_MANAGEMENT_IO_API_TAG}/cluster/v1beta2/0000_01_clusters.open-cluster-management.io_managedclustersetbindings.crd.yaml \ --out=./charts/cluster-gateway-manager/crds crd-importer \
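Review bot: The `clustergatewayconfigurations` CRD is fetched from the `master` branch of kluster-manager/cluster-gateway while the OCM CRDs on the following lines are pinned to `${OPEN_CLUSTER_MANAGEMENT_IO_API_TAG}`; an unpinned branch makes the imported chart CRDs non-reproducible, and any upstream change (or compromise) lands in the chart on the next run without review. Pin it in the same style, e.g. `--input=https://github.com/kluster-manager/cluster-gateway/raw/${CLUSTER_GATEWAY_TAG}/hack/crd/bases/config.gateway.open-cluster-management.io_clustergatewayconfigurations.yaml`, with the variable defined alongside the OCM tag at the top of the script (outside the hunk). A commit SHA rather than a tag would be the stronger choice, since tags can be moved.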