diff --git a/.gitignore b/.gitignore index 2a5e661c0..358d3b656 100644 --- a/.gitignore +++ b/.gitignore @@ -52,6 +52,9 @@ manager_pull_policy.yaml-e # junit files junit.*.xml +# asdf +.tool-versions + .DS_Store # Tilt files. diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 000000000..61bffb784 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,5 @@ +# Changelog + +## 1.6.0-0.1.0 (upcoming) + +* Add the PRs that have not yet been merged diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 000000000..1e5f3b3e1 --- /dev/null +++ b/Jenkinsfile @@ -0,0 +1,19 @@ +@Library('libpipelines@master') _ + +hose { + EMAIL = 'clouds-integration@stratio.com' + BUILDTOOL = 'make' + VERSIONING_TYPE = 'stratioVersion-3-3' + UPSTREAM_VERSION = '1.6.0' + DEPLOYONPRS = true + DEVTIMEOUT = 30 + ANCHORE_POLICY = "production" + GRYPE_TEST = false + + BUILDTOOL_MEMORY_REQUEST = "1024Mi" + BUILDTOOL_MEMORY_LIMIT = "4096Mi" + + DEV = { config -> + doDocker(conf:config, dockerfile: 'Dockerfile', image:'cluster-api-provider-gcp') + } +} diff --git a/Makefile b/Makefile index ee3bec678..4cee19705 100644 --- a/Makefile +++ b/Makefile @@ -601,3 +601,6 @@ verify-gen: generate @if !(git diff --quiet HEAD); then \ echo "generated files are out of date, run make generate"; exit 1; \ fi + +change-version: + hack/custom/change-version.sh $(version) diff --git a/VERSION b/VERSION new file mode 100644 index 000000000..b694fe3f6 --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +0.1.0-SNAPSHOT diff --git a/cloud/services/container/clusters/reconcile.go b/cloud/services/container/clusters/reconcile.go index ee047aa52..b191d1f9a 100644 --- a/cloud/services/container/clusters/reconcile.go +++ b/cloud/services/container/clusters/reconcile.go 
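Review bot: `GRYPE_TEST = false` switches off the image vulnerability scan for every build of this pipeline without saying why, and `@Library('libpipelines@master')` loads the shared pipeline code from a moving branch instead of a tag or commit. If the scan has to stay off for now, a comment directly above it would keep the next reader from treating it as the intended steady state, e.g. `// GRYPE_TEST disabled: <reason> — re-enable once <tracking item>` (placeholders to fill in). Pinning the library to a release tag or commit keeps a later change to the library from silently changing what this job builds and publishes.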
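Review bot: The new `change-version` target invokes `hack/custom/change-version.sh`, but the script this commit adds lives at `hack/change-version.sh`, so `make change-version` will fail with a missing file unless a `hack/custom/` copy exists outside this diff. One of the two paths needs to change; since the script computes its base directory as `dirname $0`/../.., the `hack/custom/` location is the one its own logic assumes. `$(version)` is also passed unquoted, so a value containing whitespace is word-split; `hack/custom/change-version.sh "$(version)"` avoids that.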
@@ -268,6 +268,9 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error { if !s.scope.IsAutopilotCluster() { cluster.NodePools = scope.ConvertToSdkNodePools(nodePools, machinePools, isRegional, cluster.Name) } + if s.scope.GCPManagedControlPlane.Spec.NetworkPolicy != nil { + cluster.NetworkPolicy = convertToSdkNetworkPolicy(s.scope.GCPManagedControlPlane.Spec.NetworkPolicy) + } createClusterRequest := &containerpb.CreateClusterRequest{ Cluster: cluster, @@ -376,6 +379,20 @@ func convertToSdkMasterAuthorizedNetworksConfig(config *infrav1exp.MasterAuthori } } +// convertToSdkNetworkPolicy converts NetworkPolicy config to a value that is used by GCP SDK. +func convertToSdkNetworkPolicy(networkPolicy *infrav1exp.NetworkPolicy) *containerpb.NetworkPolicy { + sdkNetworkPolicy := containerpb.NetworkPolicy{ + Enabled: true, + } + switch networkPolicy.Provider { + case "calico": + sdkNetworkPolicy.Provider = containerpb.NetworkPolicy_CALICO + default: + sdkNetworkPolicy.Provider = containerpb.NetworkPolicy_PROVIDER_UNSPECIFIED + } + return &sdkNetworkPolicy +} + func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster, log *logr.Logger) (bool, *containerpb.UpdateClusterRequest) { log.V(4).Info("Checking diff and preparing update.") @@ -400,7 +417,6 @@ func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster log.V(2).Info("Master version update required", "current", existingClusterMasterVersion, "desired", desiredMasterVersion) } } - // DesiredMasterAuthorizedNetworksConfig // When desiredMasterAuthorizedNetworksConfig is nil, it means that the user wants to disable the feature. desiredMasterAuthorizedNetworksConfig := convertToSdkMasterAuthorizedNetworksConfig(s.scope.GCPManagedControlPlane.Spec.MasterAuthorizedNetworksConfig) diff --git a/cloud/services/container/nodepools/reconcile.go b/cloud/services/container/nodepools/reconcile.go index 68ade86e0..a0d92f742 100644 
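Review bot: convertToSdkNetworkPolicy hard-codes `Enabled: true` and maps every provider other than `"calico"` to `NetworkPolicy_PROVIDER_UNSPECIFIED`, so a spec containing `networkPolicy: {}` — which the CRD and type in this commit allow, because `provider` is marked `+optional` in gcpmanagedcontrolplane_types.go — becomes an enabled policy with no provider that is only rejected, if at all, by the GKE API at create time rather than by the webhook at admission. Either make the provider required on the NetworkPolicy type (drop `+optional`, or reject an empty provider in the control plane webhook) or state the contract in the function comment, e.g. `// Only "calico" is mapped; any other value yields PROVIDER_UNSPECIFIED with Enabled still true, so callers must validate Provider first.` The createCluster hunk above guards only against a nil NetworkPolicy, not an empty one.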
--- a/cloud/services/container/nodepools/reconcile.go +++ b/cloud/services/container/nodepools/reconcile.go @@ -430,12 +430,6 @@ func (s *Service) checkDiffAndPrepareUpdateAutoscaling(existingNodePool *contain func (s *Service) checkDiffAndPrepareUpdateSize(existingNodePool *containerpb.NodePool) (bool, *containerpb.SetNodePoolSizeRequest) { needUpdate := false - desiredAutoscaling := infrav1exp.ConvertToSdkAutoscaling(s.scope.GCPManagedMachinePool.Spec.Scaling) - - if desiredAutoscaling.Enabled { - // Do not update node pool size if autoscaling is enabled. - return false, nil - } setNodePoolSizeRequest := containerpb.SetNodePoolSizeRequest{ Name: s.scope.NodePoolFullName(), diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml index 9707e5284..30b7be21d 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml @@ -126,6 +126,17 @@ spec: Public IP addresses. type: boolean type: object + networkPolicy: + description: NetworkPolicy represents configuration options for NetworkPolicy + feature of the GKE cluster. This feature is disabled if this field + is not specified. + properties: + provider: + description: The selected network policy provider. + enum: + - calico + type: string + type: object project: description: Project is the name of the project to deploy the cluster to. diff --git a/exp/api/v1beta1/gcpmanagedcontrolplane_types.go b/exp/api/v1beta1/gcpmanagedcontrolplane_types.go index b0fb6540d..21216aca5 100644 --- a/exp/api/v1beta1/gcpmanagedcontrolplane_types.go +++ b/exp/api/v1beta1/gcpmanagedcontrolplane_types.go 
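Review bot: Dropping the `desiredAutoscaling.Enabled` early return means checkDiffAndPrepareUpdateSize now prepares a SetNodePoolSizeRequest for autoscaled pools as well, so the controller can reset a node count that the cluster autoscaler legitimately changed; if that is intended, a comment on the function explaining why size is applied regardless of autoscaling would stop the next reader from restoring the guard. If the removed lines were this file's only reference to `infrav1exp`, the import is now unused and the package will not compile, which cannot be confirmed from this hunk. The remainder of the function is outside the hunk.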
@@ -57,6 +57,10 @@ type GCPManagedControlPlaneSpec struct { // This feature is disabled if this field is not specified. // +optional MasterAuthorizedNetworksConfig *MasterAuthorizedNetworksConfig `json:"master_authorized_networks_config,omitempty"` + // NetworkPolicy represents configuration options for NetworkPolicy feature of the GKE cluster. + // This feature is disabled if this field is not specified. + // +optional + NetworkPolicy *NetworkPolicy `json:"networkPolicy,omitempty"` } // GCPManagedControlPlaneStatus defines the observed state of GCPManagedControlPlane. @@ -142,6 +146,14 @@ type MasterAuthorizedNetworksConfigCidrBlock struct { CidrBlock string `json:"cidr_block,omitempty"` } +// NetworkPolicy represents configuration options for NetworkPolicy feature of the GKE cluster. +type NetworkPolicy struct { + // The selected network policy provider. + // +kubebuilder:validation:Enum=calico + // +optional + Provider string `json:"provider,omitempty"` +} + // GetConditions returns the control planes conditions. func (r *GCPManagedControlPlane) GetConditions() clusterv1.Conditions { return r.Status.Conditions diff --git a/exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go b/exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go index 402ebc3bd..947b23024 100644 --- a/exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go +++ b/exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go @@ -130,6 +130,13 @@ func (r *GCPManagedControlPlane) ValidateUpdate(oldRaw runtime.Object) (admissio ) } + if !cmp.Equal(r.Spec.NetworkPolicy, old.Spec.NetworkPolicy) { + allErrs = append(allErrs, + field.Invalid(field.NewPath("spec", "NetworkPolicy"), + r.Spec.NetworkPolicy, "field is immutable"), + ) + } + if len(allErrs) == 0 { return nil, nil } diff --git a/exp/api/v1beta1/gcpmanagedmachinepool_webhook.go b/exp/api/v1beta1/gcpmanagedmachinepool_webhook.go index 33b2e1821..7ea49325e 100644 --- a/exp/api/v1beta1/gcpmanagedmachinepool_webhook.go 
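Review bot: The new field's JSON tag is `networkPolicy` while the field directly above it in the same struct uses `master_authorized_networks_config`, so two neighbouring GKE feature knobs now expose different naming conventions; the convention the rest of GCPManagedControlPlaneSpec follows is not visible here, but the new tag should match it, since the tag is API surface that is hard to change once released. The NetworkPolicy type's doc comment could also say what an absent provider means, e.g. `// Provider selects the network policy implementation; only "calico" is accepted.`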
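Review bot: The immutability error is reported at `field.NewPath("spec", "NetworkPolicy")`, which is the Go field name rather than the JSON name the user wrote, so the path in the admission response will not match the manifest; it should be `field.NewPath("spec", "networkPolicy")`. The check also fires for a nil-to-set transition, so the feature cannot be turned on after creation; that is a reasonable restriction but worth a sentence in the ValidateUpdate doc comment. ValidateUpdate begins outside this hunk.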
+++ b/exp/api/v1beta1/gcpmanagedmachinepool_webhook.go @@ -161,9 +161,7 @@ func (r *GCPManagedMachinePool) validateImmutable(old *GCPManagedMachinePool) fi appendErrorIfMutated(old.Spec.LocalSsdCount, r.Spec.LocalSsdCount, "localSsdCount", &allErrs) appendErrorIfMutated(old.Spec.Management, r.Spec.Management, "management", &allErrs) appendErrorIfMutated(old.Spec.MaxPodsPerNode, r.Spec.MaxPodsPerNode, "maxPodsPerNode", &allErrs) - appendErrorIfMutated(old.Spec.NodeNetwork.PodRangeName, r.Spec.NodeNetwork.PodRangeName, "podRangeName", &allErrs) - appendErrorIfMutated(old.Spec.NodeNetwork.CreatePodRange, r.Spec.NodeNetwork.CreatePodRange, "createPodRange", &allErrs) - appendErrorIfMutated(old.Spec.NodeNetwork.PodRangeCidrBlock, r.Spec.NodeNetwork.PodRangeCidrBlock, "podRangeCidrBlock", &allErrs) + appendErrorIfMutated(old.Spec.NodeNetwork, r.Spec.NodeNetwork, "nodeNetwork", &allErrs) appendErrorIfMutated(old.Spec.NodeSecurity, r.Spec.NodeSecurity, "nodeSecurity", &allErrs) return allErrs diff --git a/exp/api/v1beta1/zz_generated.deepcopy.go b/exp/api/v1beta1/zz_generated.deepcopy.go index 15e7d6543..4c12e7f73 100644 --- a/exp/api/v1beta1/zz_generated.deepcopy.go +++ b/exp/api/v1beta1/zz_generated.deepcopy.go @@ -228,6 +228,11 @@ func (in *GCPManagedControlPlaneSpec) DeepCopyInto(out *GCPManagedControlPlaneSp *out = new(MasterAuthorizedNetworksConfig) (*in).DeepCopyInto(*out) } + if in.NetworkPolicy != nil { + in, out := &in.NetworkPolicy, &out.NetworkPolicy + *out = new(NetworkPolicy) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPManagedControlPlaneSpec. 
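Review bot: Replacing the three NodeNetwork checks with `appendErrorIfMutated(old.Spec.NodeNetwork, r.Spec.NodeNetwork, "nodeNetwork", &allErrs)` makes every field of NodeNetworkConfig immutable, not just PodRangeName, CreatePodRange and PodRangeCidrBlock, and the reported path is now `nodeNetwork` instead of the sub-field that actually changed; whether the remaining NodeNetworkConfig fields are meant to be frozen cannot be confirmed from this hunk. If the whole struct is intended to be immutable, a comment saying so above the call (`// NodeNetwork is immutable as a whole; no sub-field can be changed after creation` — wording to confirm) makes the widening deliberate. This also depends on appendErrorIfMutated comparing whole struct values; its definition is outside the hunk.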
@@ -515,6 +520,21 @@ func (in *MasterAuthorizedNetworksConfigCidrBlock) DeepCopy() *MasterAuthorizedN return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicy. +func (in *NetworkPolicy) DeepCopy() *NetworkPolicy { + if in == nil { + return nil + } + out := new(NetworkPolicy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NodeNetworkConfig) DeepCopyInto(out *NodeNetworkConfig) { *out = *in diff --git a/hack/change-version.sh b/hack/change-version.sh new file mode 100644 index 000000000..4d0478e08 --- /dev/null +++ b/hack/change-version.sh @@ -0,0 +1,14 @@ +#!/bin/bash -e + +BASEDIR=`dirname $0`/../.. + +cd $BASEDIR + +if [[ -z "$1" ]]; then + VERSION=$(cat $BASEDIR/VERSION) +else + VERSION=$1 +fi + +echo "Modifying cluster-api-provider-gcp version to: $1" +echo $VERSION > VERSION diff --git a/manifests/infrastructure-components.yaml b/manifests/infrastructure-components.yaml new file mode 100644 index 000000000..6dee263cc --- /dev/null +++ b/manifests/infrastructure-components.yaml 
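Review bot: `BASEDIR=`dirname $0`/../..` resolves two directories above the script, which for a file at hack/change-version.sh is the parent of the repository, so `cd $BASEDIR` followed by `echo $VERSION > VERSION` reads and writes a VERSION file outside the repo; the `../..` only works if the script sat under hack/custom/, which is where the Makefile in this commit expects it. The progress message prints `$1` instead of `$VERSION`, so it is blank when the default from the VERSION file is used, and every expansion is unquoted. A version that resolves the repository root from the script's location and quotes its variables:

```bash
#!/bin/bash -e

# Resolve the repository root relative to this script (hack/change-version.sh -> one level up).
BASEDIR="$(cd "$(dirname "$0")/.." && pwd)"
cd "$BASEDIR"

if [[ -z "$1" ]]; then
  VERSION="$(cat VERSION)"
else
  VERSION="$1"
fi

echo "Modifying cluster-api-provider-gcp version to: $VERSION"
echo "$VERSION" > VERSION
```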
@@ -0,0 +1,3400 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-system +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: capg-system/capg-serving-cert + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + cluster.x-k8s.io/v1beta1: v1beta1 + name: gcpclusters.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: capg-webhook-service + namespace: capg-system + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: GCPCluster + listKind: GCPClusterList + plural: gcpclusters + singular: gcpcluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Cluster to which this GCPCluster belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - description: Cluster infrastructure is ready for GCE instances + jsonPath: .status.ready + name: Ready + type: string + - description: GCP network the cluster is using + jsonPath: .spec.network.name + name: Network + type: string + - description: API Endpoint + jsonPath: .status.apiEndpoints[0] + name: Endpoint + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: GCPCluster is the Schema for the gcpclusters API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GCPClusterSpec defines the desired state of GCPCluster. + properties: + additionalLabels: + additionalProperties: + type: string + description: |- + AdditionalLabels is an optional set of tags to add to GCP resources managed by the GCP provider, in addition to the + ones added by default. + type: object + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. + properties: + host: + description: The hostname on which the API server is serving. + type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + credentialsRef: + description: |- + CredentialsRef is a reference to a Secret that contains the credentials to use for provisioning this cluster. If not + supplied then the credentials of the controller will be used. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + required: + - name + - namespace + type: object + failureDomains: + description: |- + FailureDomains is an optional field which is used to assign selected availability zones to a cluster + FailureDomains if empty, defaults to all the zones in the selected region and if specified would override + the default zones. + items: + type: string + type: array + loadBalancer: + description: LoadBalancer contains configuration for one or more LoadBalancers. + properties: + apiServerInstanceGroupTagOverride: + description: |- + APIServerInstanceGroupTagOverride overrides the default setting for the + tag used when creating the API Server Instance Group. + maxLength: 16 + pattern: (^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$) + type: string + type: object + network: + description: NetworkSpec encapsulates all things related to GCP network. + properties: + autoCreateSubnetworks: + description: |- + AutoCreateSubnetworks: When set to true, the VPC network is created + in "auto" mode. When set to false, the VPC network is created in + "custom" mode. + + + An auto mode VPC network starts with one subnet per region. Each + subnet has a predetermined range as described in Auto mode VPC + network IP ranges. + + + Defaults to true. + type: boolean + loadBalancerBackendPort: + description: Allow for configuration of load balancer backend + (useful for changing apiserver port) + format: int32 + type: integer + name: + description: Name is the name of the network to be used. + type: string + subnets: + description: Subnets configuration. + items: + description: SubnetSpec configures an GCP Subnet. + properties: + cidrBlock: + description: |- + CidrBlock is the range of internal addresses that are owned by this + subnetwork. Provide this property when you create the subnetwork. For + example, 10.0.0.0/8 or 192.168.0.0/16. 
Ranges must be unique and + non-overlapping within a network. Only IPv4 is supported. This field + can be set only at resource creation time. + type: string + description: + description: Description is an optional description associated + with the resource. + type: string + enableFlowLogs: + description: |- + EnableFlowLogs: Whether to enable flow logging for this subnetwork. + If this field is not explicitly set, it will not appear in get + listings. If not set the default behavior is to disable flow logging. + type: boolean + name: + description: Name defines a unique identifier to reference + this resource. + type: string + privateGoogleAccess: + description: |- + PrivateGoogleAccess defines whether VMs in this subnet can access + Google services without assigning external IP addresses + type: boolean + purpose: + default: PRIVATE_RFC_1918 + description: |- + Purpose: The purpose of the resource. + If unspecified, the purpose defaults to PRIVATE_RFC_1918. + The enableFlowLogs field isn't supported with the purpose field set to INTERNAL_HTTPS_LOAD_BALANCER. + + + Possible values: + "INTERNAL_HTTPS_LOAD_BALANCER" - Subnet reserved for Internal + HTTP(S) Load Balancing. + "PRIVATE" - Regular user created or automatically created subnet. + "PRIVATE_RFC_1918" - Regular user created or automatically created + subnet. + "PRIVATE_SERVICE_CONNECT" - Subnetworks created for Private Service + Connect in the producer network. + "REGIONAL_MANAGED_PROXY" - Subnetwork used for Regional + Internal/External HTTP(S) Load Balancing. + enum: + - INTERNAL_HTTPS_LOAD_BALANCER + - PRIVATE_RFC_1918 + - PRIVATE + - PRIVATE_SERVICE_CONNECT + - REGIONAL_MANAGED_PROXY + type: string + region: + description: Region is the name of the region where the + Subnetwork resides. 
+ type: string + secondaryCidrBlocks: + additionalProperties: + type: string + description: |- + SecondaryCidrBlocks defines secondary CIDR ranges, + from which secondary IP ranges of a VM may be allocated + type: object + type: object + type: array + type: object + project: + description: Project is the name of the project to deploy the cluster + to. + type: string + region: + description: The GCP Region the cluster lives in. + type: string + resourceManagerTags: + description: |- + ResourceManagerTags is an optional set of tags to apply to GCP resources managed + by the GCP provider. GCP supports a maximum of 50 tags per resource. + items: + description: ResourceManagerTag is a tag to apply to GCP resources + managed by the GCP provider. + properties: + key: + description: |- + Key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot + be empty. Tag key must begin and end with an alphanumeric character, and must contain + only uppercase, lowercase alphanumeric characters, and the following special + characters `._-`. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.-]{0,61}[a-zA-Z0-9])?$ + type: string + parentID: + description: |- + ParentID is the ID of the hierarchical resource where the tags are defined + e.g. at the Organization or the Project level. To find the Organization or Project ID ref + https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id + https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects + An OrganizationID must consist of decimal numbers, and cannot have leading zeroes. + A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, + numbers, and hyphens, and must start with a letter, and cannot end with a hyphen. 
+ maxLength: 32 + minLength: 1 + pattern: (^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$) + type: string + value: + description: |- + Value is the value part of the tag. A tag value can have a maximum of 63 characters and + cannot be empty. Tag value must begin and end with an alphanumeric character, and must + contain only uppercase, lowercase alphanumeric characters, and the following special + characters `_-.@%=+:,*#&(){}[]` and spaces. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.@%=+:,*#&()\[\]{}\-\s]{0,61}[a-zA-Z0-9])?$ + type: string + required: + - key + - parentID + - value + type: object + type: array + required: + - project + - region + type: object + status: + description: GCPClusterStatus defines the observed state of GCPCluster. + properties: + failureDomains: + additionalProperties: + description: |- + FailureDomainSpec is the Schema for Cluster API failure domains. + It allows controllers to understand how many failure domains a cluster can optionally span across. + properties: + attributes: + additionalProperties: + type: string + description: Attributes is a free form map of attributes an + infrastructure provider might use or require. + type: object + controlPlane: + description: ControlPlane determines if this failure domain + is suitable for use by control plane machines. + type: boolean + type: object + description: FailureDomains is a slice of FailureDomains. + type: object + network: + description: Network encapsulates GCP networking resources. + properties: + apiServerBackendService: + description: |- + APIServerBackendService is the full reference to the backend service + created for the API Server. + type: string + apiServerForwardingRule: + description: |- + APIServerForwardingRule is the full reference to the forwarding rule + created for the API Server. + type: string + apiServerHealthCheck: + description: |- + APIServerHealthCheck is the full reference to the health check + created for the API Server. 
+ type: string + apiServerInstanceGroups: + additionalProperties: + type: string + description: |- + APIServerInstanceGroups is a map from zone to the full reference + to the instance groups created for the control plane nodes created in the same zone. + type: object + apiServerIpAddress: + description: |- + APIServerAddress is the IPV4 global address assigned to the load balancer + created for the API Server. + type: string + apiServerTargetProxy: + description: |- + APIServerTargetProxy is the full reference to the target proxy + created for the API Server. + type: string + firewallRules: + additionalProperties: + type: string + description: FirewallRules is a map from the name of the rule + to its full reference. + type: object + router: + description: |- + Router is the full reference to the router created within the network + it'll contain the cloud nat gateway + type: string + selfLink: + description: SelfLink is the link to the Network used for this + cluster. + type: string + type: object + ready: + description: Bastion Instance `json:"bastion,omitempty"` + type: boolean + required: + - ready + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: capg-system/capg-serving-cert + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + cluster.x-k8s.io/v1beta1: v1beta1 + name: gcpclustertemplates.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: capg-webhook-service + namespace: capg-system + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: GCPClusterTemplate + listKind: GCPClusterTemplateList + plural: gcpclustertemplates + shortNames: + - gcpct + singular: 
gcpclustertemplate + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: GCPClusterTemplate is the Schema for the gcpclustertemplates + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GCPClusterTemplateSpec defines the desired state of GCPClusterTemplate. + properties: + template: + description: GCPClusterTemplateResource contains spec for GCPClusterSpec. + properties: + metadata: + description: |- + Standard object's metadata. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: http://kubernetes.io/docs/user-guide/annotations + type: object + labels: + additionalProperties: + type: string + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. May match selectors of replication controllers + and services. 
+ More info: http://kubernetes.io/docs/user-guide/labels + type: object + type: object + spec: + description: GCPClusterSpec defines the desired state of GCPCluster. + properties: + additionalLabels: + additionalProperties: + type: string + description: |- + AdditionalLabels is an optional set of tags to add to GCP resources managed by the GCP provider, in addition to the + ones added by default. + type: object + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint + used to communicate with the control plane. + properties: + host: + description: The hostname on which the API server is serving. + type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + credentialsRef: + description: |- + CredentialsRef is a reference to a Secret that contains the credentials to use for provisioning this cluster. If not + supplied then the credentials of the controller will be used. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + required: + - name + - namespace + type: object + failureDomains: + description: |- + FailureDomains is an optional field which is used to assign selected availability zones to a cluster + FailureDomains if empty, defaults to all the zones in the selected region and if specified would override + the default zones. + items: + type: string + type: array + loadBalancer: + description: LoadBalancer contains configuration for one or + more LoadBalancers. 
+ properties: + apiServerInstanceGroupTagOverride: + description: |- + APIServerInstanceGroupTagOverride overrides the default setting for the + tag used when creating the API Server Instance Group. + maxLength: 16 + pattern: (^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$) + type: string + type: object + network: + description: NetworkSpec encapsulates all things related to + GCP network. + properties: + autoCreateSubnetworks: + description: |- + AutoCreateSubnetworks: When set to true, the VPC network is created + in "auto" mode. When set to false, the VPC network is created in + "custom" mode. + + + An auto mode VPC network starts with one subnet per region. Each + subnet has a predetermined range as described in Auto mode VPC + network IP ranges. + + + Defaults to true. + type: boolean + loadBalancerBackendPort: + description: Allow for configuration of load balancer + backend (useful for changing apiserver port) + format: int32 + type: integer + name: + description: Name is the name of the network to be used. + type: string + subnets: + description: Subnets configuration. + items: + description: SubnetSpec configures an GCP Subnet. + properties: + cidrBlock: + description: |- + CidrBlock is the range of internal addresses that are owned by this + subnetwork. Provide this property when you create the subnetwork. For + example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and + non-overlapping within a network. Only IPv4 is supported. This field + can be set only at resource creation time. + type: string + description: + description: Description is an optional description + associated with the resource. + type: string + enableFlowLogs: + description: |- + EnableFlowLogs: Whether to enable flow logging for this subnetwork. + If this field is not explicitly set, it will not appear in get + listings. If not set the default behavior is to disable flow logging. 
+ type: boolean + name: + description: Name defines a unique identifier to + reference this resource. + type: string + privateGoogleAccess: + description: |- + PrivateGoogleAccess defines whether VMs in this subnet can access + Google services without assigning external IP addresses + type: boolean + purpose: + default: PRIVATE_RFC_1918 + description: |- + Purpose: The purpose of the resource. + If unspecified, the purpose defaults to PRIVATE_RFC_1918. + The enableFlowLogs field isn't supported with the purpose field set to INTERNAL_HTTPS_LOAD_BALANCER. + + + Possible values: + "INTERNAL_HTTPS_LOAD_BALANCER" - Subnet reserved for Internal + HTTP(S) Load Balancing. + "PRIVATE" - Regular user created or automatically created subnet. + "PRIVATE_RFC_1918" - Regular user created or automatically created + subnet. + "PRIVATE_SERVICE_CONNECT" - Subnetworks created for Private Service + Connect in the producer network. + "REGIONAL_MANAGED_PROXY" - Subnetwork used for Regional + Internal/External HTTP(S) Load Balancing. + enum: + - INTERNAL_HTTPS_LOAD_BALANCER + - PRIVATE_RFC_1918 + - PRIVATE + - PRIVATE_SERVICE_CONNECT + - REGIONAL_MANAGED_PROXY + type: string + region: + description: Region is the name of the region where + the Subnetwork resides. + type: string + secondaryCidrBlocks: + additionalProperties: + type: string + description: |- + SecondaryCidrBlocks defines secondary CIDR ranges, + from which secondary IP ranges of a VM may be allocated + type: object + type: object + type: array + type: object + project: + description: Project is the name of the project to deploy + the cluster to. + type: string + region: + description: The GCP Region the cluster lives in. + type: string + resourceManagerTags: + description: |- + ResourceManagerTags is an optional set of tags to apply to GCP resources managed + by the GCP provider. GCP supports a maximum of 50 tags per resource. 
+ items: + description: ResourceManagerTag is a tag to apply to GCP + resources managed by the GCP provider. + properties: + key: + description: |- + Key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot + be empty. Tag key must begin and end with an alphanumeric character, and must contain + only uppercase, lowercase alphanumeric characters, and the following special + characters `._-`. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.-]{0,61}[a-zA-Z0-9])?$ + type: string + parentID: + description: |- + ParentID is the ID of the hierarchical resource where the tags are defined + e.g. at the Organization or the Project level. To find the Organization or Project ID ref + https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id + https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects + An OrganizationID must consist of decimal numbers, and cannot have leading zeroes. + A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, + numbers, and hyphens, and must start with a letter, and cannot end with a hyphen. + maxLength: 32 + minLength: 1 + pattern: (^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$) + type: string + value: + description: |- + Value is the value part of the tag. A tag value can have a maximum of 63 characters and + cannot be empty. Tag value must begin and end with an alphanumeric character, and must + contain only uppercase, lowercase alphanumeric characters, and the following special + characters `_-.@%=+:,*#&(){}[]` and spaces. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.@%=+:,*#&()\[\]{}\-\s]{0,61}[a-zA-Z0-9])?$ + type: string + required: + - key + - parentID + - value + type: object + type: array + required: + - project + - region + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: capg-system/capg-serving-cert + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + cluster.x-k8s.io/v1beta1: v1beta1 + name: gcpmachines.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: capg-webhook-service + namespace: capg-system + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: GCPMachine + listKind: GCPMachineList + plural: gcpmachines + singular: gcpmachine + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Cluster to which this GCPMachine belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - description: GCE instance state + jsonPath: .status.instanceState + name: State + type: string + - description: Machine ready status + jsonPath: .status.ready + name: Ready + type: string + - description: GCE instance ID + jsonPath: .spec.providerID + name: InstanceID + type: string + - description: Machine object which owns with this GCPMachine + jsonPath: .metadata.ownerReferences[?(@.kind=="Machine")].name + name: Machine + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: GCPMachine is the Schema for the gcpmachines API. 
+ properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GCPMachineSpec defines the desired state of GCPMachine. + properties: + additionalDisks: + description: AdditionalDisks are optional non-boot attached disks. + items: + description: AttachedDiskSpec degined GCP machine disk. + properties: + deviceType: + description: |- + DeviceType is a device type of the attached disk. + Supported types of non-root attached volumes: + 1. "pd-standard" - Standard (HDD) persistent disk + 2. "pd-ssd" - SSD persistent disk + 3. "local-ssd" - Local SSD disk (https://cloud.google.com/compute/docs/disks/local-ssd). + Default is "pd-standard". + type: string + encryptionKey: + description: EncryptionKey defines the KMS key to be used to + encrypt the disk. + properties: + keyType: + description: |- + KeyType is the type of encryption key. Must be either Managed, aka Customer-Managed Encryption Key (CMEK) or + Supplied, aka Customer-Supplied EncryptionKey (CSEK). + enum: + - Managed + - Supplied + type: string + kmsKeyServiceAccount: + description: |- + KMSKeyServiceAccount is the service account being used for the encryption request for the given KMS key. + If absent, the Compute Engine default service account is used. For example: + "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com. 
+ The maximum length is based on the Service Account ID (max 30), Project (max 30), and a valid gcloud email + suffix ("iam.gserviceaccount.com"). + maxLength: 85 + pattern: '[-_[A-Za-z0-9]+@[-_[A-Za-z0-9]+.iam.gserviceaccount.com' + type: string + managedKey: + description: ManagedKey references keys managed by the Cloud + Key Management Service. This should be set when KeyType + is Managed. + properties: + kmsKeyName: + description: |- + KMSKeyName is the name of the encryption key that is stored in Google Cloud KMS. For example: + "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/key_region/cryptoKeys/key + maxLength: 160 + pattern: projects\/[-_[A-Za-z0-9]+\/locations\/[-_[A-Za-z0-9]+\/keyRings\/[-_[A-Za-z0-9]+\/cryptoKeys\/[-_[A-Za-z0-9]+ + type: string + type: object + suppliedKey: + description: SuppliedKey provides the key used to create + or manage a disk. This should be set when KeyType is Managed. + maxProperties: 1 + minProperties: 1 + properties: + rawKey: + description: |- + RawKey specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 + base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. + For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + format: byte + type: string + rsaEncryptedKey: + description: |- + RSAEncryptedKey specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption + key to either encrypt or decrypt this resource. You can provide either the rawKey or the + rsaEncryptedKey. + For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHi + z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDi + D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" + The key must meet the following requirements before you can provide it to Compute Engine: + 1. The key is wrapped using a RSA public key certificate provided by Google. 
+ 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. + Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem + format: byte + type: string + type: object + required: + - keyType + type: object + size: + description: |- + Size is the size of the disk in GBs. + Defaults to 30GB. For "local-ssd" size is always 375GB. + format: int64 + type: integer + type: object + type: array + additionalLabels: + additionalProperties: + type: string + description: |- + AdditionalLabels is an optional set of tags to add to an instance, in addition to the ones added by default by the + GCP provider. If both the GCPCluster and the GCPMachine specify the same tag name with different values, the + GCPMachine's value takes precedence. + type: object + additionalMetadata: + description: |- + AdditionalMetadata is an optional set of metadata to add to an instance, in addition to the ones added by default by the + GCP provider. + items: + description: MetadataItem defines a single piece of metadata associated + with an instance. + properties: + key: + description: Key is the identifier for the metadata entry. + type: string + value: + description: Value is the value of the metadata entry. + type: string + required: + - key + type: object + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + additionalNetworkTags: + description: |- + AdditionalNetworkTags is a list of network tags that should be applied to the + instance. These tags are set in addition to any network tags defined + at the cluster level or in the actuator. + items: + type: string + type: array + confidentialCompute: + description: |- + ConfidentialCompute Defines whether the instance should have confidential compute enabled. + If enabled OnHostMaintenance is required to be set to "Terminate". 
+ If omitted, the platform chooses a default, which is subject to change over time, currently that default is false. + enum: + - Enabled + - Disabled + type: string + image: + description: |- + Image is the full reference to a valid image to be used for this machine. + Takes precedence over ImageFamily. + type: string + imageFamily: + description: ImageFamily is the full reference to a valid image family + to be used for this machine. + type: string + instanceType: + description: 'InstanceType is the type of instance to create. Example: + n1.standard-2' + type: string + ipForwarding: + default: Enabled + description: |- + IPForwarding Allows this instance to send and receive packets with non-matching destination or source IPs. + This is required if you plan to use this instance to forward routes. Defaults to enabled. + enum: + - Enabled + - Disabled + type: string + onHostMaintenance: + description: |- + OnHostMaintenance determines the behavior when a maintenance event occurs that might cause the instance to reboot. + If omitted, the platform chooses a default, which is subject to change over time, currently that default is "Migrate". + enum: + - Migrate + - Terminate + type: string + preemptible: + description: Preemptible defines if instance is preemptible + type: boolean + providerID: + description: ProviderID is the unique identifier as specified by the + cloud provider. + type: string + publicIP: + description: |- + PublicIP specifies whether the instance should get a public IP. + Set this to true if you don't have a NAT instances or Cloud Nat setup. + type: boolean + resourceManagerTags: + description: |- + ResourceManagerTags is an optional set of tags to apply to GCP resources managed + by the GCP provider. GCP supports a maximum of 50 tags per resource. + items: + description: ResourceManagerTag is a tag to apply to GCP resources + managed by the GCP provider. + properties: + key: + description: |- + Key is the key part of the tag. 
A tag key can have a maximum of 63 characters and cannot + be empty. Tag key must begin and end with an alphanumeric character, and must contain + only uppercase, lowercase alphanumeric characters, and the following special + characters `._-`. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.-]{0,61}[a-zA-Z0-9])?$ + type: string + parentID: + description: |- + ParentID is the ID of the hierarchical resource where the tags are defined + e.g. at the Organization or the Project level. To find the Organization or Project ID ref + https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id + https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects + An OrganizationID must consist of decimal numbers, and cannot have leading zeroes. + A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, + numbers, and hyphens, and must start with a letter, and cannot end with a hyphen. + maxLength: 32 + minLength: 1 + pattern: (^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$) + type: string + value: + description: |- + Value is the value part of the tag. A tag value can have a maximum of 63 characters and + cannot be empty. Tag value must begin and end with an alphanumeric character, and must + contain only uppercase, lowercase alphanumeric characters, and the following special + characters `_-.@%=+:,*#&(){}[]` and spaces. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.@%=+:,*#&()\[\]{}\-\s]{0,61}[a-zA-Z0-9])?$ + type: string + required: + - key + - parentID + - value + type: object + type: array + rootDeviceSize: + description: |- + RootDeviceSize is the size of the root volume in GB. + Defaults to 30. + format: int64 + type: integer + rootDeviceType: + description: |- + RootDeviceType is the type of the root volume. + Supported types of root volumes: + 1. "pd-standard" - Standard (HDD) persistent disk + 2. 
"pd-ssd" - SSD persistent disk + Default is "pd-standard". + type: string + rootDiskEncryptionKey: + description: RootDiskEncryptionKey defines the KMS key to be used + to encrypt the root disk. + properties: + keyType: + description: |- + KeyType is the type of encryption key. Must be either Managed, aka Customer-Managed Encryption Key (CMEK) or + Supplied, aka Customer-Supplied EncryptionKey (CSEK). + enum: + - Managed + - Supplied + type: string + kmsKeyServiceAccount: + description: |- + KMSKeyServiceAccount is the service account being used for the encryption request for the given KMS key. + If absent, the Compute Engine default service account is used. For example: + "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com. + The maximum length is based on the Service Account ID (max 30), Project (max 30), and a valid gcloud email + suffix ("iam.gserviceaccount.com"). + maxLength: 85 + pattern: '[-_[A-Za-z0-9]+@[-_[A-Za-z0-9]+.iam.gserviceaccount.com' + type: string + managedKey: + description: ManagedKey references keys managed by the Cloud Key + Management Service. This should be set when KeyType is Managed. + properties: + kmsKeyName: + description: |- + KMSKeyName is the name of the encryption key that is stored in Google Cloud KMS. For example: + "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/key_region/cryptoKeys/key + maxLength: 160 + pattern: projects\/[-_[A-Za-z0-9]+\/locations\/[-_[A-Za-z0-9]+\/keyRings\/[-_[A-Za-z0-9]+\/cryptoKeys\/[-_[A-Za-z0-9]+ + type: string + type: object + suppliedKey: + description: SuppliedKey provides the key used to create or manage + a disk. This should be set when KeyType is Managed. + maxProperties: 1 + minProperties: 1 + properties: + rawKey: + description: |- + RawKey specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 + base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. 
+ For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + format: byte + type: string + rsaEncryptedKey: + description: |- + RSAEncryptedKey specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption + key to either encrypt or decrypt this resource. You can provide either the rawKey or the + rsaEncryptedKey. + For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHi + z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDi + D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" + The key must meet the following requirements before you can provide it to Compute Engine: + 1. The key is wrapped using a RSA public key certificate provided by Google. + 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. + Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem + format: byte + type: string + type: object + required: + - keyType + type: object + serviceAccounts: + description: |- + ServiceAccount specifies the service account email and which scopes to assign to the machine. + Defaults to: email: "default", scope: []{compute.CloudPlatformScope} + properties: + email: + description: 'Email: Email address of the service account.' + type: string + scopes: + description: |- + Scopes: The list of scopes to be made available for this service + account. + items: + type: string + type: array + type: object + shieldedInstanceConfig: + description: ShieldedInstanceConfig is the Shielded VM configuration + for this machine + properties: + integrityMonitoring: + description: |- + IntegrityMonitoring determines whether the instance should have integrity monitoring that verify the runtime boot integrity. 
+ Compares the most recent boot measurements to the integrity policy baseline and return + a pair of pass/fail results depending on whether they match or not. + If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled. + enum: + - Enabled + - Disabled + type: string + secureBoot: + description: |- + SecureBoot Defines whether the instance should have secure boot enabled. + Secure Boot verify the digital signature of all boot components, and halting the boot process if signature verification fails. + If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled. + enum: + - Enabled + - Disabled + type: string + virtualizedTrustedPlatformModule: + description: |- + VirtualizedTrustedPlatformModule enable virtualized trusted platform module measurements to create a known good boot integrity policy baseline. + The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. + If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled. + enum: + - Enabled + - Disabled + type: string + type: object + subnet: + description: |- + Subnet is a reference to the subnetwork to use for this instance. If not specified, + the first subnetwork retrieved from the Cluster Region and Network is picked. + type: string + required: + - instanceType + type: object + status: + description: GCPMachineStatus defines the observed state of GCPMachine. + properties: + addresses: + description: Addresses contains the GCP instance associated addresses. + items: + description: NodeAddress contains information for the node's address. + properties: + address: + description: The node address. + type: string + type: + description: Node address type, one of Hostname, ExternalIP + or InternalIP. 
+ type: string + required: + - address + - type + type: object + type: array + failureMessage: + description: |- + FailureMessage will be set in the event that there is a terminal problem + reconciling the Machine and will contain a more verbose string suitable + for logging and human consumption. + + + This field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over + time (like service outages), but instead indicate that something is + fundamentally wrong with the Machine's spec or the configuration of + the controller, and that manual intervention is required. Examples + of terminal errors would be invalid combinations of settings in the + spec, values that are unsupported by the controller, or the + responsible controller itself being critically misconfigured. + + + Any transient errors that occur during the reconciliation of Machines + can be added as events to the Machine object and/or logged in the + controller's output. + type: string + failureReason: + description: |- + FailureReason will be set in the event that there is a terminal problem + reconciling the Machine and will contain a succinct value suitable + for machine interpretation. + + + This field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over + time (like service outages), but instead indicate that something is + fundamentally wrong with the Machine's spec or the configuration of + the controller, and that manual intervention is required. Examples + of terminal errors would be invalid combinations of settings in the + spec, values that are unsupported by the controller, or the + responsible controller itself being critically misconfigured. + + + Any transient errors that occur during the reconciliation of Machines + can be added as events to the Machine object and/or logged in the + controller's output. 
+ type: string + instanceState: + description: InstanceStatus is the status of the GCP instance for + this machine. + type: string + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: capg-system/capg-serving-cert + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + cluster.x-k8s.io/v1beta1: v1beta1 + name: gcpmachinetemplates.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: capg-webhook-service + namespace: capg-system + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: GCPMachineTemplate + listKind: GCPMachineTemplateList + plural: gcpmachinetemplates + singular: gcpmachinetemplate + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: GCPMachineTemplate is the Schema for the gcpmachinetemplates + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GCPMachineTemplateSpec defines the desired state of GCPMachineTemplate. + properties: + template: + description: GCPMachineTemplateResource describes the data needed + to create am GCPMachine from a template. + properties: + metadata: + description: |- + Standard object's metadata. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: http://kubernetes.io/docs/user-guide/annotations + type: object + labels: + additionalProperties: + type: string + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. May match selectors of replication controllers + and services. + More info: http://kubernetes.io/docs/user-guide/labels + type: object + type: object + spec: + description: Spec is the specification of the desired behavior + of the machine. + properties: + additionalDisks: + description: AdditionalDisks are optional non-boot attached + disks. + items: + description: AttachedDiskSpec degined GCP machine disk. + properties: + deviceType: + description: |- + DeviceType is a device type of the attached disk. + Supported types of non-root attached volumes: + 1. "pd-standard" - Standard (HDD) persistent disk + 2. "pd-ssd" - SSD persistent disk + 3. "local-ssd" - Local SSD disk (https://cloud.google.com/compute/docs/disks/local-ssd). + Default is "pd-standard". + type: string + encryptionKey: + description: EncryptionKey defines the KMS key to be + used to encrypt the disk. 
+ properties: + keyType: + description: |- + KeyType is the type of encryption key. Must be either Managed, aka Customer-Managed Encryption Key (CMEK) or + Supplied, aka Customer-Supplied EncryptionKey (CSEK). + enum: + - Managed + - Supplied + type: string + kmsKeyServiceAccount: + description: |- + KMSKeyServiceAccount is the service account being used for the encryption request for the given KMS key. + If absent, the Compute Engine default service account is used. For example: + "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com. + The maximum length is based on the Service Account ID (max 30), Project (max 30), and a valid gcloud email + suffix ("iam.gserviceaccount.com"). + maxLength: 85 + pattern: '[-_[A-Za-z0-9]+@[-_[A-Za-z0-9]+.iam.gserviceaccount.com' + type: string + managedKey: + description: ManagedKey references keys managed + by the Cloud Key Management Service. This should + be set when KeyType is Managed. + properties: + kmsKeyName: + description: |- + KMSKeyName is the name of the encryption key that is stored in Google Cloud KMS. For example: + "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/key_region/cryptoKeys/key + maxLength: 160 + pattern: projects\/[-_[A-Za-z0-9]+\/locations\/[-_[A-Za-z0-9]+\/keyRings\/[-_[A-Za-z0-9]+\/cryptoKeys\/[-_[A-Za-z0-9]+ + type: string + type: object + suppliedKey: + description: SuppliedKey provides the key used to + create or manage a disk. This should be set when + KeyType is Managed. + maxProperties: 1 + minProperties: 1 + properties: + rawKey: + description: |- + RawKey specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 + base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. 
+ For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + format: byte + type: string + rsaEncryptedKey: + description: |- + RSAEncryptedKey specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption + key to either encrypt or decrypt this resource. You can provide either the rawKey or the + rsaEncryptedKey. + For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHi + z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDi + D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" + The key must meet the following requirements before you can provide it to Compute Engine: + 1. The key is wrapped using a RSA public key certificate provided by Google. + 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. + Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem + format: byte + type: string + type: object + required: + - keyType + type: object + size: + description: |- + Size is the size of the disk in GBs. + Defaults to 30GB. For "local-ssd" size is always 375GB. + format: int64 + type: integer + type: object + type: array + additionalLabels: + additionalProperties: + type: string + description: |- + AdditionalLabels is an optional set of tags to add to an instance, in addition to the ones added by default by the + GCP provider. If both the GCPCluster and the GCPMachine specify the same tag name with different values, the + GCPMachine's value takes precedence. + type: object + additionalMetadata: + description: |- + AdditionalMetadata is an optional set of metadata to add to an instance, in addition to the ones added by default by the + GCP provider. + items: + description: MetadataItem defines a single piece of metadata + associated with an instance. + properties: + key: + description: Key is the identifier for the metadata + entry. 
+ type: string + value: + description: Value is the value of the metadata entry. + type: string + required: + - key + type: object + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + additionalNetworkTags: + description: |- + AdditionalNetworkTags is a list of network tags that should be applied to the + instance. These tags are set in addition to any network tags defined + at the cluster level or in the actuator. + items: + type: string + type: array + confidentialCompute: + description: |- + ConfidentialCompute Defines whether the instance should have confidential compute enabled. + If enabled OnHostMaintenance is required to be set to "Terminate". + If omitted, the platform chooses a default, which is subject to change over time, currently that default is false. + enum: + - Enabled + - Disabled + type: string + image: + description: |- + Image is the full reference to a valid image to be used for this machine. + Takes precedence over ImageFamily. + type: string + imageFamily: + description: ImageFamily is the full reference to a valid + image family to be used for this machine. + type: string + instanceType: + description: 'InstanceType is the type of instance to create. + Example: n1.standard-2' + type: string + ipForwarding: + default: Enabled + description: |- + IPForwarding Allows this instance to send and receive packets with non-matching destination or source IPs. + This is required if you plan to use this instance to forward routes. Defaults to enabled. + enum: + - Enabled + - Disabled + type: string + onHostMaintenance: + description: |- + OnHostMaintenance determines the behavior when a maintenance event occurs that might cause the instance to reboot. + If omitted, the platform chooses a default, which is subject to change over time, currently that default is "Migrate". 
+ enum: + - Migrate + - Terminate + type: string + preemptible: + description: Preemptible defines if instance is preemptible + type: boolean + providerID: + description: ProviderID is the unique identifier as specified + by the cloud provider. + type: string + publicIP: + description: |- + PublicIP specifies whether the instance should get a public IP. + Set this to true if you don't have a NAT instances or Cloud Nat setup. + type: boolean + resourceManagerTags: + description: |- + ResourceManagerTags is an optional set of tags to apply to GCP resources managed + by the GCP provider. GCP supports a maximum of 50 tags per resource. + items: + description: ResourceManagerTag is a tag to apply to GCP + resources managed by the GCP provider. + properties: + key: + description: |- + Key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot + be empty. Tag key must begin and end with an alphanumeric character, and must contain + only uppercase, lowercase alphanumeric characters, and the following special + characters `._-`. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.-]{0,61}[a-zA-Z0-9])?$ + type: string + parentID: + description: |- + ParentID is the ID of the hierarchical resource where the tags are defined + e.g. at the Organization or the Project level. To find the Organization or Project ID ref + https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id + https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects + An OrganizationID must consist of decimal numbers, and cannot have leading zeroes. + A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, + numbers, and hyphens, and must start with a letter, and cannot end with a hyphen. 
+ maxLength: 32 + minLength: 1 + pattern: (^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$) + type: string + value: + description: |- + Value is the value part of the tag. A tag value can have a maximum of 63 characters and + cannot be empty. Tag value must begin and end with an alphanumeric character, and must + contain only uppercase, lowercase alphanumeric characters, and the following special + characters `_-.@%=+:,*#&(){}[]` and spaces. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.@%=+:,*#&()\[\]{}\-\s]{0,61}[a-zA-Z0-9])?$ + type: string + required: + - key + - parentID + - value + type: object + type: array + rootDeviceSize: + description: |- + RootDeviceSize is the size of the root volume in GB. + Defaults to 30. + format: int64 + type: integer + rootDeviceType: + description: |- + RootDeviceType is the type of the root volume. + Supported types of root volumes: + 1. "pd-standard" - Standard (HDD) persistent disk + 2. "pd-ssd" - SSD persistent disk + Default is "pd-standard". + type: string + rootDiskEncryptionKey: + description: RootDiskEncryptionKey defines the KMS key to + be used to encrypt the root disk. + properties: + keyType: + description: |- + KeyType is the type of encryption key. Must be either Managed, aka Customer-Managed Encryption Key (CMEK) or + Supplied, aka Customer-Supplied EncryptionKey (CSEK). + enum: + - Managed + - Supplied + type: string + kmsKeyServiceAccount: + description: |- + KMSKeyServiceAccount is the service account being used for the encryption request for the given KMS key. + If absent, the Compute Engine default service account is used. For example: + "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com. + The maximum length is based on the Service Account ID (max 30), Project (max 30), and a valid gcloud email + suffix ("iam.gserviceaccount.com"). 
+ maxLength: 85 + pattern: '[-_[A-Za-z0-9]+@[-_[A-Za-z0-9]+.iam.gserviceaccount.com' + type: string + managedKey: + description: ManagedKey references keys managed by the + Cloud Key Management Service. This should be set when + KeyType is Managed. + properties: + kmsKeyName: + description: |- + KMSKeyName is the name of the encryption key that is stored in Google Cloud KMS. For example: + "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/key_region/cryptoKeys/key + maxLength: 160 + pattern: projects\/[-_[A-Za-z0-9]+\/locations\/[-_[A-Za-z0-9]+\/keyRings\/[-_[A-Za-z0-9]+\/cryptoKeys\/[-_[A-Za-z0-9]+ + type: string + type: object + suppliedKey: + description: SuppliedKey provides the key used to create + or manage a disk. This should be set when KeyType is + Managed. + maxProperties: 1 + minProperties: 1 + properties: + rawKey: + description: |- + RawKey specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 + base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. + For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + format: byte + type: string + rsaEncryptedKey: + description: |- + RSAEncryptedKey specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption + key to either encrypt or decrypt this resource. You can provide either the rawKey or the + rsaEncryptedKey. + For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHi + z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDi + D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" + The key must meet the following requirements before you can provide it to Compute Engine: + 1. The key is wrapped using a RSA public key certificate provided by Google. + 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. 
+ Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem + format: byte + type: string + type: object + required: + - keyType + type: object + serviceAccounts: + description: |- + ServiceAccount specifies the service account email and which scopes to assign to the machine. + Defaults to: email: "default", scope: []{compute.CloudPlatformScope} + properties: + email: + description: 'Email: Email address of the service account.' + type: string + scopes: + description: |- + Scopes: The list of scopes to be made available for this service + account. + items: + type: string + type: array + type: object + shieldedInstanceConfig: + description: ShieldedInstanceConfig is the Shielded VM configuration + for this machine + properties: + integrityMonitoring: + description: |- + IntegrityMonitoring determines whether the instance should have integrity monitoring that verify the runtime boot integrity. + Compares the most recent boot measurements to the integrity policy baseline and return + a pair of pass/fail results depending on whether they match or not. + If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled. + enum: + - Enabled + - Disabled + type: string + secureBoot: + description: |- + SecureBoot Defines whether the instance should have secure boot enabled. + Secure Boot verify the digital signature of all boot components, and halting the boot process if signature verification fails. + If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled. + enum: + - Enabled + - Disabled + type: string + virtualizedTrustedPlatformModule: + description: |- + VirtualizedTrustedPlatformModule enable virtualized trusted platform module measurements to create a known good boot integrity policy baseline. 
+ The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. + If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled. + enum: + - Enabled + - Disabled + type: string + type: object + subnet: + description: |- + Subnet is a reference to the subnetwork to use for this instance. If not specified, + the first subnetwork retrieved from the Cluster Region and Network is picked. + type: string + required: + - instanceType + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + cluster.x-k8s.io/v1beta1: v1beta1 + name: gcpmanagedclusters.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: GCPManagedCluster + listKind: GCPManagedClusterList + plural: gcpmanagedclusters + shortNames: + - gcpmc + singular: gcpmanagedcluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Cluster to which this GCPCluster belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - description: Cluster infrastructure is ready for GCE instances + jsonPath: .status.ready + name: Ready + type: string + - description: GCP network the cluster is using + jsonPath: .spec.network.name + name: Network + type: string + - description: API Endpoint + jsonPath: .status.apiEndpoints[0] + name: Endpoint + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: GCPManagedCluster is the Schema for the gcpmanagedclusters API. 
+ properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GCPManagedClusterSpec defines the desired state of GCPManagedCluster. + properties: + additionalLabels: + additionalProperties: + type: string + description: |- + AdditionalLabels is an optional set of tags to add to GCP resources managed by the GCP provider, in addition to the + ones added by default. + type: object + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. + properties: + host: + description: The hostname on which the API server is serving. + type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + credentialsRef: + description: |- + CredentialsRef is a reference to a Secret that contains the credentials to use for provisioning this cluster. If not + supplied then the credentials of the controller will be used. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + required: + - name + - namespace + type: object + loadBalancer: + description: LoadBalancerSpec contains configuration for one or more + LoadBalancers. + properties: + apiServerInstanceGroupTagOverride: + description: |- + APIServerInstanceGroupTagOverride overrides the default setting for the + tag used when creating the API Server Instance Group. + maxLength: 16 + pattern: (^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$) + type: string + type: object + network: + description: NetworkSpec encapsulates all things related to the GCP + network. + properties: + autoCreateSubnetworks: + description: |- + AutoCreateSubnetworks: When set to true, the VPC network is created + in "auto" mode. When set to false, the VPC network is created in + "custom" mode. + + + An auto mode VPC network starts with one subnet per region. Each + subnet has a predetermined range as described in Auto mode VPC + network IP ranges. + + + Defaults to true. + type: boolean + loadBalancerBackendPort: + description: Allow for configuration of load balancer backend + (useful for changing apiserver port) + format: int32 + type: integer + name: + description: Name is the name of the network to be used. + type: string + subnets: + description: Subnets configuration. + items: + description: SubnetSpec configures an GCP Subnet. + properties: + cidrBlock: + description: |- + CidrBlock is the range of internal addresses that are owned by this + subnetwork. Provide this property when you create the subnetwork. For + example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and + non-overlapping within a network. Only IPv4 is supported. This field + can be set only at resource creation time. + type: string + description: + description: Description is an optional description associated + with the resource. 
+ type: string + enableFlowLogs: + description: |- + EnableFlowLogs: Whether to enable flow logging for this subnetwork. + If this field is not explicitly set, it will not appear in get + listings. If not set the default behavior is to disable flow logging. + type: boolean + name: + description: Name defines a unique identifier to reference + this resource. + type: string + privateGoogleAccess: + description: |- + PrivateGoogleAccess defines whether VMs in this subnet can access + Google services without assigning external IP addresses + type: boolean + purpose: + default: PRIVATE_RFC_1918 + description: |- + Purpose: The purpose of the resource. + If unspecified, the purpose defaults to PRIVATE_RFC_1918. + The enableFlowLogs field isn't supported with the purpose field set to INTERNAL_HTTPS_LOAD_BALANCER. + + + Possible values: + "INTERNAL_HTTPS_LOAD_BALANCER" - Subnet reserved for Internal + HTTP(S) Load Balancing. + "PRIVATE" - Regular user created or automatically created subnet. + "PRIVATE_RFC_1918" - Regular user created or automatically created + subnet. + "PRIVATE_SERVICE_CONNECT" - Subnetworks created for Private Service + Connect in the producer network. + "REGIONAL_MANAGED_PROXY" - Subnetwork used for Regional + Internal/External HTTP(S) Load Balancing. + enum: + - INTERNAL_HTTPS_LOAD_BALANCER + - PRIVATE_RFC_1918 + - PRIVATE + - PRIVATE_SERVICE_CONNECT + - REGIONAL_MANAGED_PROXY + type: string + region: + description: Region is the name of the region where the + Subnetwork resides. + type: string + secondaryCidrBlocks: + additionalProperties: + type: string + description: |- + SecondaryCidrBlocks defines secondary CIDR ranges, + from which secondary IP ranges of a VM may be allocated + type: object + type: object + type: array + type: object + project: + description: Project is the name of the project to deploy the cluster + to. + type: string + region: + description: The GCP Region the cluster lives in. 
+ type: string + resourceManagerTags: + description: |- + ResourceManagerTags is an optional set of tags to apply to GCP resources managed + by the GCP provider. GCP supports a maximum of 50 tags per resource. + items: + description: ResourceManagerTag is a tag to apply to GCP resources + managed by the GCP provider. + properties: + key: + description: |- + Key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot + be empty. Tag key must begin and end with an alphanumeric character, and must contain + only uppercase, lowercase alphanumeric characters, and the following special + characters `._-`. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.-]{0,61}[a-zA-Z0-9])?$ + type: string + parentID: + description: |- + ParentID is the ID of the hierarchical resource where the tags are defined + e.g. at the Organization or the Project level. To find the Organization or Project ID ref + https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id + https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects + An OrganizationID must consist of decimal numbers, and cannot have leading zeroes. + A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, + numbers, and hyphens, and must start with a letter, and cannot end with a hyphen. + maxLength: 32 + minLength: 1 + pattern: (^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$) + type: string + value: + description: |- + Value is the value part of the tag. A tag value can have a maximum of 63 characters and + cannot be empty. Tag value must begin and end with an alphanumeric character, and must + contain only uppercase, lowercase alphanumeric characters, and the following special + characters `_-.@%=+:,*#&(){}[]` and spaces. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.@%=+:,*#&()\[\]{}\-\s]{0,61}[a-zA-Z0-9])?$ + type: string + required: + - key + - parentID + - value + type: object + type: array + required: + - project + - region + type: object + status: + description: GCPManagedClusterStatus defines the observed state of GCPManagedCluster. + properties: + conditions: + description: Conditions specifies the conditions for the managed control + plane + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + A human readable message indicating details about the transition. + This field may be empty. + type: string + reason: + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. + type: string + severity: + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. 
+ type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + failureDomains: + additionalProperties: + description: |- + FailureDomainSpec is the Schema for Cluster API failure domains. + It allows controllers to understand how many failure domains a cluster can optionally span across. + properties: + attributes: + additionalProperties: + type: string + description: Attributes is a free form map of attributes an + infrastructure provider might use or require. + type: object + controlPlane: + description: ControlPlane determines if this failure domain + is suitable for use by control plane machines. + type: boolean + type: object + description: FailureDomains is a slice of FailureDomains. + type: object + network: + description: Network encapsulates GCP networking resources. + properties: + apiServerBackendService: + description: |- + APIServerBackendService is the full reference to the backend service + created for the API Server. + type: string + apiServerForwardingRule: + description: |- + APIServerForwardingRule is the full reference to the forwarding rule + created for the API Server. + type: string + apiServerHealthCheck: + description: |- + APIServerHealthCheck is the full reference to the health check + created for the API Server. + type: string + apiServerInstanceGroups: + additionalProperties: + type: string + description: |- + APIServerInstanceGroups is a map from zone to the full reference + to the instance groups created for the control plane nodes created in the same zone. + type: object + apiServerIpAddress: + description: |- + APIServerAddress is the IPV4 global address assigned to the load balancer + created for the API Server. + type: string + apiServerTargetProxy: + description: |- + APIServerTargetProxy is the full reference to the target proxy + created for the API Server. 
+ type: string + firewallRules: + additionalProperties: + type: string + description: FirewallRules is a map from the name of the rule + to its full reference. + type: object + router: + description: |- + Router is the full reference to the router created within the network + it'll contain the cloud nat gateway + type: string + selfLink: + description: SelfLink is the link to the Network used for this + cluster. + type: string + type: object + ready: + type: boolean + required: + - ready + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + cluster.x-k8s.io/v1beta1: v1beta1 + name: gcpmanagedcontrolplanes.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: GCPManagedControlPlane + listKind: GCPManagedControlPlaneList + plural: gcpmanagedcontrolplanes + shortNames: + - gcpmcp + singular: gcpmanagedcontrolplane + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Cluster to which this GCPManagedControlPlane belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - description: Control plane is ready + jsonPath: .status.ready + name: Ready + type: string + - description: The current Kubernetes version + jsonPath: .status.currentVersion + name: CurrentVersion + type: string + - description: API Endpoint + jsonPath: .spec.endpoint + name: Endpoint + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: GCPManagedControlPlane is the Schema for the gcpmanagedcontrolplanes + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GCPManagedControlPlaneSpec defines the desired state of GCPManagedControlPlane. + properties: + clusterName: + description: |- + ClusterName allows you to specify the name of the GKE cluster. + If you don't specify a name then a default name will be created + based on the namespace and name of the managed control plane. + type: string + controlPlaneVersion: + description: |- + ControlPlaneVersion represents the control plane version of the GKE cluster. + If not specified, the default version currently supported by GKE will be + used. + type: string + enableAutopilot: + description: EnableAutopilot indicates whether to enable autopilot + for this GKE cluster. + type: boolean + endpoint: + description: Endpoint represents the endpoint used to communicate + with the control plane. + properties: + host: + description: The hostname on which the API server is serving. + type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + location: + description: |- + Location represents the location (region or zone) in which the GKE cluster + will be created. + type: string + master_authorized_networks_config: + description: |- + MasterAuthorizedNetworksConfig represents configuration options for master authorized networks feature of the GKE cluster. 
+ This feature is disabled if this field is not specified. + properties: + cidr_blocks: + description: |- + cidr_blocks define up to 50 external networks that could access + Kubernetes master through HTTPS. + items: + description: MasterAuthorizedNetworksConfigCidrBlock contains + an optional name and one CIDR block. + properties: + cidr_block: + description: cidr_block must be specified in CIDR notation. + pattern: ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?:\/([0-9]|[1-2][0-9]|3[0-2]))?$|^([a-fA-F0-9:]+:+)+[a-fA-F0-9]+\/[0-9]{1,3}$ + type: string + display_name: + description: display_name is an field for users to identify + CIDR blocks. + type: string + type: object + type: array + gcp_public_cidrs_access_enabled: + description: Whether master is accessible via Google Compute Engine + Public IP addresses. + type: boolean + type: object + networkPolicy: + description: NetworkPolicy represents configuration options for NetworkPolicy + feature of the GKE cluster. This feature is disabled if this field + is not specified. + properties: + provider: + description: The selected network policy provider. + enum: + - calico + type: string + type: object + project: + description: Project is the name of the project to deploy the cluster + to. + type: string + releaseChannel: + description: ReleaseChannel represents the release channel of the + GKE cluster. + enum: + - rapid + - regular + - stable + type: string + required: + - location + - project + type: object + status: + description: GCPManagedControlPlaneStatus defines the observed state of + GCPManagedControlPlane. + properties: + conditions: + description: Conditions specifies the conditions for the managed control + plane + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when + the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + A human readable message indicating details about the transition. + This field may be empty. + type: string + reason: + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. + type: string + severity: + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + currentVersion: + description: CurrentVersion shows the current version of the GKE control + plane. + type: string + initialized: + description: |- + Initialized is true when the control plane is available for initial contact. + This may occur before the control plane is fully ready. + type: boolean + ready: + default: false + description: |- + Ready denotes that the GCPManagedControlPlane API Server is ready to + receive requests. 
+ type: boolean + required: + - ready + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + cluster.x-k8s.io/v1beta1: v1beta1 + name: gcpmanagedmachinepools.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: GCPManagedMachinePool + listKind: GCPManagedMachinePoolList + plural: gcpmanagedmachinepools + shortNames: + - gcpmmp + singular: gcpmanagedmachinepool + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.ready + name: Ready + type: string + - jsonPath: .status.replicas + name: Replicas + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: GCPManagedMachinePool is the Schema for the gcpmanagedmachinepools + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GCPManagedMachinePoolSpec defines the desired state of GCPManagedMachinePool. 
+ properties: + additionalLabels: + additionalProperties: + type: string + description: |- + AdditionalLabels is an optional set of tags to add to GCP resources managed by the GCP provider, in addition to the + ones added by default. + type: object + diskSizeGB: + description: |- + DiskSizeGB is size of the disk attached to each node, + specified in GB. + format: int64 + minimum: 10 + type: integer + diskSizeGb: + description: |- + DiskSizeGb is the size of the disk attached to each node, specified in GB. + The smallest allowed disk size is 10GB. If unspecified, the default disk size is 100GB. + format: int32 + type: integer + diskType: + description: DiskType is type of the disk attached to each node. + enum: + - pd-standard + - pd-ssd + - pd-balanced + type: string + imageType: + description: ImageType is image type to use for this nodepool. + type: string + instanceType: + description: InstanceType is name of Compute Engine machine type. + type: string + kubernetesLabels: + additionalProperties: + type: string + description: KubernetesLabels specifies the labels to apply to the + nodes of the node pool. + type: object + kubernetesTaints: + description: KubernetesTaints specifies the taints to apply to the + nodes of the node pool. + items: + description: Taint represents a Kubernetes taint. + properties: + effect: + description: Effect specifies the effect for the taint. + enum: + - NoSchedule + - NoExecute + - PreferNoSchedule + type: string + key: + description: Key is the key of the taint + type: string + value: + description: Value is the value of the taint + type: string + required: + - effect + - key + - value + type: object + type: array + linuxNodeConfig: + description: LinuxNodeConfig specifies the settings for Linux agent + nodes. + properties: + cgroupMode: + description: CgroupMode specifies the cgroup mode for this node + pool. + format: int32 + type: integer + sysctls: + description: Sysctls specifies the sysctl settings for this node + pool. 
+ items: + description: SysctlConfig specifies the sysctl settings for + Linux nodes. + properties: + parameter: + description: Parameter specifies sysctl parameter name. + type: string + value: + description: Value specifies sysctl parameter value. + type: string + type: object + type: array + type: object + localSsdCount: + description: LocalSsdCount is the number of local SSD disks to be + attached to the node. + format: int32 + type: integer + machineType: + description: |- + MachineType is the name of a Google Compute Engine [machine + type](https://cloud.google.com/compute/docs/machine-types). + If unspecified, the default machine type is `e2-medium`. + type: string + management: + description: Management specifies the node pool management options. + properties: + autoRepair: + description: |- + AutoRepair specifies whether the node auto-repair is enabled for the node + pool. If enabled, the nodes in this node pool will be monitored and, if + they fail health checks too many times, an automatic repair action will be + triggered. + type: boolean + autoUpgrade: + description: |- + AutoUpgrade specifies whether node auto-upgrade is enabled for the node + pool. If enabled, node auto-upgrade helps keep the nodes in your node pool + up to date with the latest release version of Kubernetes. + type: boolean + type: object + maxPodsPerNode: + description: |- + MaxPodsPerNode is constraint enforced on the max num of + pods per node. + format: int64 + maximum: 256 + minimum: 8 + type: integer + nodeLocations: + description: |- + NodeLocations is the list of zones in which the NodePool's + nodes should be located. + items: + type: string + type: array + nodeNetwork: + description: |- + NodeNetwork specifies the node network configuration + options. + properties: + createPodRange: + description: |- + CreatePodRange specifies whether to create a new range for + pod IPs in this node pool. 
+ type: boolean + podRangeCidrBlock: + description: |- + PodRangeCidrBlock is the IP address range for pod IPs in + this node pool. + type: string + podRangeName: + description: PodRangeName is ID of the secondary range for pod + IPs. + type: string + tags: + description: |- + Tags is list of instance tags applied to all nodes. Tags + are used to identify valid sources or targets for network + firewalls. + items: + type: string + type: array + type: object + nodePoolName: + description: |- + NodePoolName specifies the name of the GKE node pool corresponding to this MachinePool. If you don't specify a name + then a default name will be created based on the namespace and name of the managed machine pool. + type: string + nodeSecurity: + description: NodeSecurity specifies the node security options. + properties: + enableIntegrityMonitoring: + description: |- + EnableIntegrityMonitoring defines whether the instance has + integrity monitoring enabled. + type: boolean + enableSecureBoot: + description: |- + EnableSecureBoot defines whether the instance has Secure + Boot enabled. + type: boolean + sandboxType: + description: SandboxType is type of the sandbox to use for the + node. + type: string + serviceAccount: + description: |- + ServiceAccount specifies the identity details for node + pool. + properties: + email: + description: |- + Email is the Google Cloud Platform Service Account to be + used by the node VMs. + type: string + scopes: + description: |- + Scopes is a set of Google API scopes to be made available + on all of the node VMs under the "default" service account. 
+ items: + type: string + type: array + type: object + type: object + providerIDList: + description: |- + ProviderIDList are the provider IDs of instances in the + managed instance group corresponding to the nodegroup represented by this + machine pool + items: + type: string + type: array + scaling: + description: Scaling specifies scaling for the node pool + properties: + enableAutoscaling: + description: Is autoscaling enabled for this node pool. If unspecified, + the default value is true. + type: boolean + locationPolicy: + description: Location policy used when scaling up a nodepool. + enum: + - balanced + - any + type: string + maxCount: + description: MaxCount specifies the maximum number of nodes in + the node pool + format: int32 + type: integer + minCount: + description: MinCount specifies the minimum number of nodes in + the node pool + format: int32 + type: integer + type: object + type: object + status: + description: GCPManagedMachinePoolStatus defines the observed state of + GCPManagedMachinePool. + properties: + conditions: + description: Conditions specifies the cpnditions for the managed machine + pool + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + A human readable message indicating details about the transition. + This field may be empty. + type: string + reason: + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. 
+ type: string + severity: + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + ready: + default: false + description: Ready denotes that the GCPManagedMachinePool has joined + the cluster + type: boolean + replicas: + description: Replicas is the most recently observed number of replicas. + format: int32 + type: integer + required: + - ready + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-manager + namespace: capg-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-leader-election-role + namespace: capg-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + 
cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-manager-role +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters + - clusters/status + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - machinepools + - machinepools/status + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - machines + - machines/status + verbs: + - get + - list + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpclusters/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpmachines + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpmachines/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpmanagedclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpmanagedclusters/finalizers + verbs: + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpmanagedclusters/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpmanagedcontrolplanes + verbs: + - create + - delete + - get + - list + - patch + - 
update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpmanagedcontrolplanes/finalizers + verbs: + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpmanagedcontrolplanes/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpmanagedmachinepools + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpmanagedmachinepools/finalizers + verbs: + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - gcpmanagedmachinepools/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-leader-election-rolebinding + namespace: capg-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: capg-leader-election-role +subjects: +- kind: ServiceAccount + name: capg-manager + namespace: capg-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: capg-manager-role +subjects: +- kind: ServiceAccount + name: capg-manager + namespace: capg-system +--- +apiVersion: v1 +data: + credentials.json: ${GCP_B64ENCODED_CREDENTIALS} +kind: Secret +metadata: + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-manager-bootstrap-credentials + namespace: capg-system +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-webhook-service + namespace: capg-system +spec: + ports: + - port: 443 + targetPort: webhook-server + selector: + cluster.x-k8s.io/provider: infrastructure-gcp +--- +apiVersion: apps/v1 +kind: Deployment 
+metadata: + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + control-plane: capg-controller-manager + name: capg-controller-manager + namespace: capg-system +spec: + replicas: 1 + selector: + matchLabels: + cluster.x-k8s.io/provider: infrastructure-gcp + control-plane: capg-controller-manager + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + control-plane: capg-controller-manager + spec: + containers: + - args: + - --leader-elect + - --feature-gates=GKE=${EXP_CAPG_GKE:=false} + - --diagnostics-address=${CAPG_DIAGNOSTICS_ADDRESS:=:8443} + - --insecure-diagnostics=${CAPG_INSECURE_DIAGNOSTICS:=false} + - --v=${CAPG_LOGLEVEL:=0} + env: + - name: GOOGLE_APPLICATION_CREDENTIALS + value: /home/.gcp/credentials.json + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: gcr.io/clusterapi-369611/cluster-api-gcp-controller-amd64:1.6.1-SNAPSHOT + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + periodSeconds: 10 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + - containerPort: 8443 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + initialDelaySeconds: 10 + periodSeconds: 10 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsUser: 65532 + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - mountPath: /home/.gcp + name: credentials + serviceAccountName: capg-manager + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: 
node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: capg-webhook-service-cert + - name: credentials + secret: + secretName: capg-manager-bootstrap-credentials +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-serving-cert + namespace: capg-system +spec: + dnsNames: + - capg-webhook-service.capg-system.svc + - capg-webhook-service.capg-system.svc.cluster.local + issuerRef: + kind: Issuer + name: capg-selfsigned-issuer + secretName: capg-webhook-service-cert +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-selfsigned-issuer + namespace: capg-system +spec: + selfSigned: {} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: capg-system/capg-serving-cert + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /mutate-infrastructure-cluster-x-k8s-io-v1beta1-gcpcluster + failurePolicy: Fail + matchPolicy: Equivalent + name: default.gcpcluster.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpclusters + sideEffects: None +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /mutate-infrastructure-cluster-x-k8s-io-v1beta1-gcpclustertemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: default.gcpclustertemplate.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + 
apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpclustertemplates + sideEffects: None +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /mutate-infrastructure-cluster-x-k8s-io-v1beta1-gcpmachine + failurePolicy: Fail + matchPolicy: Equivalent + name: default.gcpmachine.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpmachines + sideEffects: None +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /mutate-infrastructure-cluster-x-k8s-io-v1beta1-gcpmachinetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: default.gcpmachinetemplate.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpmachinetemplates + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /mutate-infrastructure-cluster-x-k8s-io-v1beta1-gcpmanagedcluster + failurePolicy: Fail + name: mgcpmanagedcluster.kb.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpmanagedclusters + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /mutate-infrastructure-cluster-x-k8s-io-v1beta1-gcpmanagedcontrolplane + failurePolicy: Fail + name: mgcpmanagedcontrolplane.kb.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpmanagedcontrolplanes + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + 
service: + name: capg-webhook-service + namespace: capg-system + path: /mutate-infrastructure-cluster-x-k8s-io-v1beta1-gcpmanagedmachinepool + failurePolicy: Fail + name: mgcpmanagedmachinepool.kb.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpmanagedmachinepools + sideEffects: None +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: capg-system/capg-serving-cert + labels: + cluster.x-k8s.io/provider: infrastructure-gcp + name: capg-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /validate-infrastructure-cluster-x-k8s-io-v1beta1-gcpcluster + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.gcpcluster.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpclusters + sideEffects: None +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /validate-infrastructure-cluster-x-k8s-io-v1beta1-gcpclustertemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.gcpclustertemplate.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpclustertemplates + sideEffects: None +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /validate-infrastructure-cluster-x-k8s-io-v1beta1-gcpmachine + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.gcpmachine.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - 
infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpmachines + sideEffects: None +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /validate-infrastructure-cluster-x-k8s-io-v1beta1-gcpmachinetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.gcpmachinetemplate.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpmachinetemplates + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /validate-infrastructure-cluster-x-k8s-io-v1beta1-gcpmanagedcluster + failurePolicy: Fail + name: vgcpmanagedcluster.kb.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpmanagedclusters + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /validate-infrastructure-cluster-x-k8s-io-v1beta1-gcpmanagedcontrolplane + failurePolicy: Fail + name: vgcpmanagedcontrolplane.kb.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpmanagedcontrolplanes + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: capg-webhook-service + namespace: capg-system + path: /validate-infrastructure-cluster-x-k8s-io-v1beta1-gcpmanagedmachinepool + failurePolicy: Fail + name: vgcpmanagedmachinepool.kb.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - gcpmanagedmachinepools + sideEffects: None 
diff --git a/manifests/metadata.yaml b/manifests/metadata.yaml
new file mode 100644
index 000000000..359f6781f
--- /dev/null
+++ b/manifests/metadata.yaml
@@ -0,0 +1,34 @@
+# maps release series of major.minor to cluster-api contract version
+# the contract version may change between minor or major versions, but *not*
+# between patch versions.
+#
+# update this file only when a new major or minor version is released
+apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
+releaseSeries:
+ - major: 0
+ minor: 3
+ contract: v1alpha3
+ - major: 0
+ minor: 4
+ contract: v1alpha4
+ - major: 1
+ minor: 0
+ contract: v1beta1
+ - major: 1
+ minor: 1
+ contract: v1beta1
+ - major: 1
+ minor: 2
+ contract: v1beta1
+ - major: 1
+ minor: 3
+ contract: v1beta1
+ - major: 1
+ minor: 4
+ contract: v1beta1
+ - major: 1
+ minor: 5
+ contract: v1beta1
+ - major: 1
+ minor: 6
+ contract: v1beta1