From bb6c189120b2e1b31fc938469113154d33c5e9a5 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Thu, 7 Dec 2023 10:56:05 +0000 Subject: [PATCH] re-add policy-controller (#348) --- ...c.authorization.k8s.io_v1_clusterrole.yaml | 26 ++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 22 ++ ...adrant-operator.clusterserviceversion.yaml | 306 +++++++++++++- .../kuadrant.io_dnshealthcheckprobes.yaml | 107 +++++ bundle/manifests/kuadrant.io_dnspolicies.yaml | 374 ++++++++++++++++++ bundle/manifests/kuadrant.io_dnsrecords.yaml | 246 ++++++++++++ .../manifests/kuadrant.io_managedzones.yaml | 201 ++++++++++ bundle/manifests/kuadrant.io_tlspolicies.yaml | 316 +++++++++++++++ config/default/kustomization.yaml | 2 +- 9 files changed, 1598 insertions(+), 2 deletions(-) create mode 100644 bundle/manifests/kuadrant-operator-dnsrecord-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/kuadrant-operator-dnsrecord-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/kuadrant.io_dnshealthcheckprobes.yaml create mode 100644 bundle/manifests/kuadrant.io_dnspolicies.yaml create mode 100644 bundle/manifests/kuadrant.io_dnsrecords.yaml create mode 100644 bundle/manifests/kuadrant.io_managedzones.yaml create mode 100644 bundle/manifests/kuadrant.io_tlspolicies.yaml diff --git a/bundle/manifests/kuadrant-operator-dnsrecord-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/kuadrant-operator-dnsrecord-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 000000000..c878d38ae --- /dev/null +++ b/bundle/manifests/kuadrant-operator-dnsrecord-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml 
@@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: kuadrant + name: kuadrant-operator-dnsrecord-editor-role +rules: +- apiGroups: + - kuadrant.io + resources: + - dnsrecords + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - kuadrant.io + resources: + - dnsrecords/status + verbs: + - get diff --git a/bundle/manifests/kuadrant-operator-dnsrecord-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/kuadrant-operator-dnsrecord-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 000000000..77622ac1f --- /dev/null +++ b/bundle/manifests/kuadrant-operator-dnsrecord-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -0,0 +1,22 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: kuadrant + name: kuadrant-operator-dnsrecord-viewer-role +rules: +- apiGroups: + - kuadrant.io + resources: + - dnsrecords + verbs: + - get + - list + - watch +- apiGroups: + - kuadrant.io + resources: + - dnsrecords/status + verbs: + - get diff --git a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml index 7e4a068a9..c0f3742ba 100644 --- a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml +++ b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml @@ -69,7 +69,7 @@ metadata: capabilities: Basic Install categories: Integration & Delivery containerImage: quay.io/kuadrant/kuadrant-operator:latest - createdAt: "2023-11-27T14:18:37Z" + createdAt: "2023-11-30T07:30:44Z" operators.operatorframework.io/builder: operator-sdk-v1.32.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/Kuadrant/kuadrant-operator 
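Review bot: Binding `kuadrant-operator-dnsrecord-editor-role` amounts to write access to the DNS zones a holder's DNSRecords can reference: the role grants create/patch/update/delete on `dnsrecords`, and the DNSRecord schema added later in this patch leaves `recordType` and `targets` as free-form strings, so a holder can publish any record type with any target into whichever ManagedZone the record names. That is reasonable for an editor role, but nothing in the manifest says so, and an admin reading the bundle may grant it cluster-wide via a ClusterRoleBinding out of habit. I would record the trust implication in the config/rbac source this bundle is generated from, e.g. `# Write access to dnsrecords is write access to the referenced ManagedZone's DNS zone; prefer namespaced RoleBindings over a ClusterRoleBinding.`, since kustomize will not carry a comment through to the generated bundle file.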
@@ -86,18 +86,33 @@ spec: kind: AuthPolicy name: authpolicies.kuadrant.io version: v1beta2 + - kind: DNSHealthCheckProbe + name: dnshealthcheckprobes.kuadrant.io + version: v1alpha1 + - kind: DNSPolicy + name: dnspolicies.kuadrant.io + version: v1alpha1 + - kind: DNSRecord + name: dnsrecords.kuadrant.io + version: v1alpha1 - description: Kuadrant configures installations of Kuadrant Service Protection components displayName: Kuadrant kind: Kuadrant name: kuadrants.kuadrant.io version: v1beta1 + - kind: ManagedZone + name: managedzones.kuadrant.io + version: v1alpha1 - description: RateLimitPolicy enables rate limiting for service workloads in a Gateway API network displayName: RateLimitPolicy kind: RateLimitPolicy name: ratelimitpolicies.kuadrant.io version: v1beta2 + - kind: TLSPolicy + name: tlspolicies.kuadrant.io + version: v1alpha1 description: A Kubernetes Operator to manage the lifecycle of the Kuadrant system displayName: Kuadrant Operator icon: 
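Review bot: The five owned CRDs added here (`DNSHealthCheckProbe`, `DNSPolicy`, `DNSRecord`, `ManagedZone`, `TLSPolicy`) carry only `kind`/`name`/`version`, whereas the existing `AuthPolicy`, `Kuadrant` and `RateLimitPolicy` entries also set `description` and `displayName`, which OLM surfaces in the catalog UI. I would add both fields to each new entry, for example `displayName: ManagedZone` with `description: ManagedZone represents a DNS zone in an external provider, accessed with the credentials Secret named by dnsProviderSecretRef`, taking the wording from the CRD field docs this patch already ships (the DNSPolicy `healthCheck` text and the ManagedZone spec descriptions). Because operator-sdk generates this CSV, the text belongs on the Go types' CSV markers rather than being edited in the bundle directly.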
@@ -378,6 +393,206 @@ spec: - update - watch serviceAccountName: kuadrant-operator-controller-manager + - rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cert-manager.io + resources: + - clusterissuers + verbs: + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - issuers + verbs: + - get + - list + - watch + - apiGroups: + - cluster.open-cluster-management.io + resources: + - managedclusters + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update + - apiGroups: + - kuadrant.io + resources: + - dnshealthcheckprobes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - kuadrant.io + resources: + - dnshealthcheckprobes/finalizers + verbs: + - get + - patch + - update + - apiGroups: + - kuadrant.io + resources: + - dnshealthcheckprobes/status + verbs: + - get + - patch + - update + - apiGroups: + - kuadrant.io + resources: + - dnspolicies + verbs: + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - kuadrant.io + resources: + - dnspolicies/finalizers + verbs: + - update + - apiGroups: + - kuadrant.io + resources: + - dnspolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - kuadrant.io + resources: + - dnsrecords + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - kuadrant.io + resources: + - dnsrecords/finalizers + verbs: + - update + - apiGroups: + - kuadrant.io + resources: + - 
dnsrecords/status + verbs: + - get + - patch + - update + - apiGroups: + - kuadrant.io + resources: + - managedzones + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - kuadrant.io + resources: + - managedzones/finalizers + verbs: + - update + - apiGroups: + - kuadrant.io + resources: + - managedzones/status + verbs: + - get + - patch + - update + - apiGroups: + - kuadrant.io + resources: + - tlspolicies + verbs: + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - kuadrant.io + resources: + - tlspolicies/finalizers + verbs: + - update + - apiGroups: + - kuadrant.io + resources: + - tlspolicies/status + verbs: + - get + - patch + - update + serviceAccountName: kuadrant-operator-policy-controller deployments: - label: app: kuadrant 
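Review bot: The `kuadrant-operator-policy-controller` service account receives cluster-wide get/list/watch on core `secrets`, and the ManagedZone CRD added later in this patch makes `spec.dnsProviderSecretRef.namespace` a required free-form field; if the controller honours that namespace, anyone able to create a ManagedZone in one namespace can point it at a provider-credential Secret in another namespace and have the controller act with those credentials on their behalf (a confused-deputy path), and list/watch on all secrets also means an informer cache of every Secret in the cluster lives inside this pod. Unless cross-namespace credential references are a deliberate, documented feature, I would have the controller resolve the Secret only from the ManagedZone's own namespace (or a fixed operator namespace), move the `secrets` rule from `clusterPermissions` into the namespaced `permissions` block, and note the trust model in a comment in the config/rbac source this bundle is generated from. The remaining rules look proportionate, though `gateways` patch/update together with `gateways/finalizers` lets the controller mutate user-owned Gateways and deserves a one-line justification next to the rule.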
@@ -434,6 +649,62 @@ spec: runAsNonRoot: true serviceAccountName: kuadrant-operator-controller-manager terminationGracePeriodSeconds: 10 + - label: + app: kuadrant + control-plane: policy-controller + name: kuadrant-operator-policy-controller + spec: + replicas: 1 + selector: + matchLabels: + app: kuadrant + control-plane: policy-controller + strategy: {} + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + app: kuadrant + control-plane: policy-controller + spec: + containers: + - args: + - --leader-elect + - --ocm-hub=false + command: + - /policy_controller + image: quay.io/kuadrant/policy-controller:main + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: policy-controller + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + serviceAccountName: kuadrant-operator-policy-controller + terminationGracePeriodSeconds: 10 permissions: - rules: - apiGroups: @@ -468,6 +739,39 @@ spec: - create - patch serviceAccountName: kuadrant-operator-controller-manager + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: kuadrant-operator-policy-controller strategy: deployment installModes: - supported: false 
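Review bot: The new `policy-controller` container runs `quay.io/kuadrant/policy-controller:main` with `imagePullPolicy: Always`, so every pod restart pulls whatever currently sits on a mutable branch tag; a bundle that installs via OLM should pin an immutable reference (`image: quay.io/kuadrant/policy-controller@sha256:<digest>`, or at least a version tag tied to the operator release) so the deployed code is reproducible and cannot change underneath an installed CSV. The existing manager uses `quay.io/kuadrant/kuadrant-operator:latest` in the same file, so this may be main-branch convention, in which case the release process needs to rewrite both images together. Separately, the container `securityContext` drops all capabilities and disables privilege escalation but sets neither `seccompProfile: {type: RuntimeDefault}`, which the restricted Pod Security Standard requires, nor `readOnlyRootFilesystem: true`, which is cheap hardening if the binary writes nothing to disk; both are two-line additions under the existing `securityContext`.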
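Review bot: The namespaced rules for `kuadrant-operator-policy-controller` grant full create/update/patch/delete on `configmaps` alongside the same verbs on `coordination.k8s.io/leases`; this is the kubebuilder-scaffolded leader-election rule set, but current controller-runtime elects on Leases by default, so the ConfigMap write verbs are probably unused by a controller started with the `--leader-elect` flag shown in the deployment above. If the policy-controller binary does not request the configmaps-leases resource lock, I would trim that rule to `get`/`list`/`watch` or drop it, since write access to ConfigMaps in the operator namespace is more than leader election needs. This is inferred from the flag and the rule shape and should be confirmed against the controller's manager options before changing the config/rbac source.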
diff --git a/bundle/manifests/kuadrant.io_dnshealthcheckprobes.yaml b/bundle/manifests/kuadrant.io_dnshealthcheckprobes.yaml new file mode 100644 index 000000000..259123800 --- /dev/null +++ b/bundle/manifests/kuadrant.io_dnshealthcheckprobes.yaml 
@@ -0,0 +1,107 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + labels: + app: kuadrant + name: dnshealthcheckprobes.kuadrant.io +spec: + group: kuadrant.io + names: + kind: DNSHealthCheckProbe + listKind: DNSHealthCheckProbeList + plural: dnshealthcheckprobes + singular: dnshealthcheckprobe + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: DNSHealthCheckProbe healthy. + jsonPath: .status.healthy + name: Healthy + type: boolean + - description: Last checked at. + jsonPath: .status.lastCheckedAt + name: Last Checked + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: DNSHealthCheckProbe is the Schema for the dnshealthcheckprobes + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DNSHealthCheckProbeSpec defines the desired state of DNSHealthCheckProbe + properties: + additionalHeadersRef: + properties: + name: + type: string + required: + - name + type: object + address: + type: string + allowInsecureCertificate: + type: boolean + expectedResponses: + items: + type: integer + type: array + failureThreshold: + type: integer + host: + type: string + interval: + type: string + path: + type: string + port: + type: integer + protocol: + description: HealthProtocol represents the protocol to use when making + a health check request + type: string + type: object + status: + description: DNSHealthCheckProbeStatus defines the observed state of DNSHealthCheckProbe + properties: + consecutiveFailures: + type: integer + healthy: + type: boolean + lastCheckedAt: + format: date-time + type: string + reason: + type: string + status: + type: integer + required: + - healthy + - lastCheckedAt + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/bundle/manifests/kuadrant.io_dnspolicies.yaml b/bundle/manifests/kuadrant.io_dnspolicies.yaml new file mode 100644 index 000000000..f1aba01f8 --- /dev/null +++ b/bundle/manifests/kuadrant.io_dnspolicies.yaml 
@@ -0,0 +1,374 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + labels: + app: kuadrant + gateway.networking.k8s.io/policy: direct + name: dnspolicies.kuadrant.io +spec: + group: kuadrant.io + names: + kind: DNSPolicy + listKind: DNSPolicyList + plural: dnspolicies + singular: dnspolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: DNSPolicy ready. + jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: DNSPolicy is the Schema for the dnspolicies API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DNSPolicySpec defines the desired state of DNSPolicy + properties: + healthCheck: + description: HealthCheckSpec configures health checks in the DNS provider. 
+ By default, this health check will be applied to each unique DNS + A Record for the listeners assigned to the target gateway + properties: + additionalHeadersRef: + properties: + name: + type: string + required: + - name + type: object + allowInsecureCertificates: + type: boolean + endpoint: + type: string + expectedResponses: + items: + type: integer + type: array + failureThreshold: + type: integer + interval: + type: string + port: + type: integer + protocol: + description: HealthProtocol represents the protocol to use when + making a health check request + type: string + type: object + loadBalancing: + properties: + geo: + properties: + defaultGeo: + description: "defaultGeo is the country/continent/region code + to use when no other can be determined for a dns target + cluster. \n The values accepted are determined by the target + dns provider, please refer to the appropriate docs below. + \n Route53: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-geo.html" + type: string + type: object + weighted: + properties: + custom: + items: + properties: + selector: + description: 'Label selector used by MGC to match resource + storing custom weight attribute values e.g. kuadrant.io/lb-attribute-custom-weight: + AWS' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. 
If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + weight: + minimum: 0 + type: integer + required: + - selector + type: object + type: array + defaultWeight: + default: 120 + description: "defaultWeight is the record weight to use when + no other can be determined for a dns target cluster. \n + The maximum value accepted is determined by the target dns + provider, please refer to the appropriate docs below. \n + Route53: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-weighted.html" + minimum: 0 + type: integer + type: object + type: object + routingStrategy: + default: loadbalanced + enum: + - simple + - loadbalanced + type: string + targetRef: + description: PolicyTargetReference identifies an API object to apply + a direct or inherited policy to. This should be used as part of + Policy resources that can target Gateway API resources. For more + information on how this policy attachment model works, and a sample + Policy resource, refer to the policy attachment documentation for + Gateway API. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it MUST only apply + to traffic originating from the same namespace as the policy. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - routingStrategy + - targetRef + type: object + status: + description: DNSPolicyStatus defines the observed state of DNSPolicy + properties: + conditions: + description: "conditions are any conditions associated with the policy + \n If configuring the policy fails, the \"Failed\" condition will + be set with a reason and message describing the cause of the failure." + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + healthCheck: + properties: + conditions: + items: + description: "Condition contains details for one aspect of the + current state of this API Resource. 
--- This struct is intended + for direct use as an array at the field path .status.conditions. + \ For example, \n type FooStatus struct{ // Represents the + observations of a foo's current state. // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + // +patchStrategy=merge // +listType=map // +listMapKey=type + Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be + when the underlying condition changed. If that is not + known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if + .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values + and meanings for this field, and whether the values are + considered a guaranteed API. The value should be a CamelCase + string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + observedGeneration: + description: observedGeneration is the most recently observed generation + of the DNSPolicy. When the DNSPolicy is updated, the controller + updates the corresponding configuration. If an update fails, that + failure is recorded in the status condition + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/bundle/manifests/kuadrant.io_dnsrecords.yaml b/bundle/manifests/kuadrant.io_dnsrecords.yaml new file mode 100644 index 000000000..36a99dea2 --- /dev/null +++ b/bundle/manifests/kuadrant.io_dnsrecords.yaml 
@@ -0,0 +1,246 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + labels: + app: kuadrant + name: dnsrecords.kuadrant.io +spec: + group: kuadrant.io + names: + kind: DNSRecord + listKind: DNSRecordList + plural: dnsrecords + singular: dnsrecord + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: DNSRecord ready. + jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: DNSRecord is the Schema for the dnsrecords API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DNSRecordSpec defines the desired state of DNSRecord + properties: + endpoints: + items: + description: Endpoint is a high-level way of a connection between + a service and an IP + properties: + dnsName: + description: The hostname of the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty holds the name and value + of a configuration which is specific to individual DNS providers + properties: + name: + type: string + value: + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT etc + type: string + setIdentifier: + description: Identifier to distinguish multiple records with + the same name and type (e.g. Route53 records with routing + policies other than 'simple') + type: string + targets: + description: The targets the DNS record points to + items: + type: string + type: array + type: object + minItems: 1 + type: array + managedZone: + description: ManagedZoneReference holds a reference to a ManagedZone + properties: + name: + description: '`name` is the name of the managed zone. Required' + type: string + required: + - name + type: object + type: object + status: + description: DNSRecordStatus defines the observed state of DNSRecord + properties: + conditions: + description: "conditions are any conditions associated with the record + in the managed zone. \n If publishing the record fails, the \"Failed\" + condition will be set with a reason and message describing the cause + of the failure." 
+ items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + endpoints: + description: "endpoints are the last endpoints that were successfully + published by the provider \n Provides a simple mechanism to store + the current provider records in order to delete any that are no + longer present in DNSRecordSpec.Endpoints \n Note: This will not + be required if/when we switch to using external-dns since when running + with a \"sync\" policy it will clean up unused records automatically." 
+ items: + description: Endpoint is a high-level way of a connection between + a service and an IP + properties: + dnsName: + description: The hostname of the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty holds the name and value + of a configuration which is specific to individual DNS providers + properties: + name: + type: string + value: + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT etc + type: string + setIdentifier: + description: Identifier to distinguish multiple records with + the same name and type (e.g. Route53 records with routing + policies other than 'simple') + type: string + targets: + description: The targets the DNS record points to + items: + type: string + type: array + type: object + type: array + observedGeneration: + description: observedGeneration is the most recently observed generation + of the DNSRecord. When the DNSRecord is updated, the controller + updates the corresponding record in each managed zone. If an update + for a particular zone fails, that failure is recorded in the status + condition for the zone so that the controller can determine that + it needs to retry the update for that specific zone. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/bundle/manifests/kuadrant.io_managedzones.yaml b/bundle/manifests/kuadrant.io_managedzones.yaml new file mode 100644 index 000000000..f5b183d7c --- /dev/null +++ b/bundle/manifests/kuadrant.io_managedzones.yaml 
@@ -0,0 +1,201 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + labels: + app: kuadrant + name: managedzones.kuadrant.io +spec: + group: kuadrant.io + names: + kind: ManagedZone + listKind: ManagedZoneList + plural: managedzones + singular: managedzone + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Domain of this Managed Zone + jsonPath: .spec.domainName + name: Domain Name + type: string + - description: The ID assigned by this provider for this zone . + jsonPath: .status.id + name: ID + type: string + - description: Number of records in the provider zone. + jsonPath: .status.recordCount + name: Record Count + type: string + - description: The NameServers assigned by the provider for this zone. + jsonPath: .status.nameServers + name: NameServers + type: string + - description: Managed Zone ready. + jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ManagedZone is the Schema for the managedzones API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ManagedZoneSpec defines the desired state of ManagedZone + properties: + description: + description: Description for this ManagedZone + type: string + dnsProviderSecretRef: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + domainName: + description: Domain name of this ManagedZone + pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ + type: string + id: + description: ID is the provider assigned id of this zone (i.e. route53.HostedZone.ID). + type: string + parentManagedZone: + description: Reference to another managed zone that this managed zone + belongs to. + properties: + name: + description: '`name` is the name of the managed zone. Required' + type: string + required: + - name + type: object + required: + - description + - dnsProviderSecretRef + - domainName + type: object + status: + description: ManagedZoneStatus defines the observed state of a Zone + properties: + conditions: + description: List of status conditions to indicate the status of a + ManagedZone. Known condition types are `Ready`. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + id: + description: The ID assigned by this provider for this zone (i.e. + route53.HostedZone.ID) + type: string + nameServers: + description: The NameServers assigned by the provider for this zone + (i.e. route53.DelegationSet.NameServers) + items: + type: string + type: array + observedGeneration: + description: observedGeneration is the most recently observed generation + of the ManagedZone. + format: int64 + type: integer + recordCount: + description: The number of records in the provider zone + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/bundle/manifests/kuadrant.io_tlspolicies.yaml b/bundle/manifests/kuadrant.io_tlspolicies.yaml new file mode 100644 index 000000000..e142acd7f --- /dev/null +++ b/bundle/manifests/kuadrant.io_tlspolicies.yaml 
@@ -0,0 +1,316 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + labels: + app: kuadrant + gateway.networking.k8s.io/policy: direct + name: tlspolicies.kuadrant.io +spec: + group: kuadrant.io + names: + kind: TLSPolicy + listKind: TLSPolicyList + plural: tlspolicies + singular: tlspolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: TLSPolicy ready. + jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: TLSPolicy is the Schema for the tlspolicies API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSPolicySpec defines the desired state of TLSPolicy + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. 
+ This option may be ignored/overridden by some issuer types. If unset + this defaults to 90 days. Certificate will be renewed either 2/3 + through its duration or `renewBefore` period before its expiry, + whichever is later. Minimum accepted duration is 1 hour. Value must + be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer + with the provided name will be used. The `name` field in this stanza + is required at all times. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + privateKey: + description: Options to control private keys used for the Certificate. + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified + and `size` is not provided, key size of 256 will be used for + `ECDSA` key algorithm and key size of 2048 will be used for + `RSA` key algorithm. key size is ignored when using the `Ed25519` + key algorithm. + enum: + - RSA + - ECDSA + - Ed25519 + type: string + encoding: + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and + PKCS#8, respectively. Defaults to `PKCS1` if not specified. 
+ enum: + - PKCS1 + - PKCS8 + type: string + rotationPolicy: + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. + type: string + size: + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. If `algorithm` is set to `Ed25519`, Size is ignored. + No other values are allowed. + type: integer + type: object + renewBefore: + description: How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of + the issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + revisionHistoryLimit: + description: RevisionHistoryLimit is the maximum number of CertificateRequest + revisions that are maintained in the Certificate's history. Each + revision represents a single `CertificateRequest` created by this + Certificate, either when it was created, renewed, or Spec was changed. + Revisions will be removed by oldest first if the number of revisions + exceeds this number. If set, revisionHistoryLimit must be a value + of `1` or greater. If unset (`nil`), revisions will not be garbage + collected. Default value is `nil`. 
+ format: int32 + type: integer + targetRef: + description: PolicyTargetReference identifies an API object to apply + a direct or inherited policy to. This should be used as part of + Policy resources that can target Gateway API resources. For more + information on how this policy attachment model works, and a sample + Policy resource, refer to the policy attachment documentation for + Gateway API. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it MUST only apply + to traffic originating from the same namespace as the policy. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + usages: + description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` + if not specified. + items: + description: 'KeyUsage specifies valid usage contexts for keys. 
+ See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + sgc"' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + - targetRef + type: object + status: + description: TLSPolicyStatus defines the observed state of TLSPolicy + properties: + conditions: + description: "conditions are any conditions associated with the policy + \n If configuring the policy fails, the \"Failed\" condition will + be set with a reason and message describing the cause of the failure." + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: observedGeneration is the most recently observed generation + of the TLSPolicy. When the TLSPolicy is updated, the controller + updates the corresponding configuration. If an update fails, that + failure is recorded in the status condition + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index a1133bb9f..6c23d3a29 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -49,4 +49,4 @@ resources: - ../crd - ../rbac - ../manager -#- ../policy-controller removed for now to avoid double policy controllers in a shared hub/spoke cluster +- ../policy-controller
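Review bot: The line being replaced documented why `../policy-controller` was left out (running double policy controllers in a shared hub/spoke cluster), and the new line re-enables it without recording whether that constraint was lifted or how a deployment is expected to avoid two controllers reconciling the same policy resources. Whether the concern still applies cannot be determined from this hunk, so I would keep the rationale next to the resource rather than dropping it, e.g. `- ../policy-controller  # a shared hub/spoke cluster must run only one policy controller; see <tracking-issue placeholder>`. If the conflict was resolved elsewhere, a one-line note saying so would stop the next reader from re-removing the entry for the old reason. The enclosing `resources:` list begins before the hunk, so the other entries are not visible here.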