From 4a1973487474b5cc539fbcb2d515430ac5db176f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Nov 2024 15:53:59 +0000 Subject: [PATCH] Update generated code --- ...bootstrap.cluster.x-k8s.io_eksconfigs.yaml | 2 +- ...p.cluster.x-k8s.io_eksconfigtemplates.yaml | 2 +- ...ster.x-k8s.io_awsmanagedcontrolplanes.yaml | 60 +--- ...ne.cluster.x-k8s.io_rosacontrolplanes.yaml | 43 +-- ...k8s.io_awsclustercontrolleridentities.yaml | 2 +- ...ter.x-k8s.io_awsclusterroleidentities.yaml | 2 +- ...tructure.cluster.x-k8s.io_awsclusters.yaml | 31 +- ...r.x-k8s.io_awsclusterstaticidentities.yaml | 2 +- ....cluster.x-k8s.io_awsclustertemplates.yaml | 24 +- ...e.cluster.x-k8s.io_awsfargateprofiles.yaml | 10 +- ...ture.cluster.x-k8s.io_awsmachinepools.yaml | 17 +- ...tructure.cluster.x-k8s.io_awsmachines.yaml | 24 +- ....cluster.x-k8s.io_awsmachinetemplates.yaml | 16 +- ...e.cluster.x-k8s.io_awsmanagedclusters.yaml | 2 +- ...uster.x-k8s.io_awsmanagedmachinepools.yaml | 17 +- ...ructure.cluster.x-k8s.io_rosaclusters.yaml | 2 +- ...ure.cluster.x-k8s.io_rosamachinepools.yaml | 8 +- config/rbac/role.yaml | 277 +----------------- hack/tools/go.mod | 3 +- 19 files changed, 55 insertions(+), 489 deletions(-) diff --git a/config/crd/bases/bootstrap.cluster.x-k8s.io_eksconfigs.yaml b/config/crd/bases/bootstrap.cluster.x-k8s.io_eksconfigs.yaml index 1d298881d8..df8a02af64 100644 --- a/config/crd/bases/bootstrap.cluster.x-k8s.io_eksconfigs.yaml +++ b/config/crd/bases/bootstrap.cluster.x-k8s.io_eksconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: eksconfigs.bootstrap.cluster.x-k8s.io spec: group: bootstrap.cluster.x-k8s.io 
diff --git a/config/crd/bases/bootstrap.cluster.x-k8s.io_eksconfigtemplates.yaml b/config/crd/bases/bootstrap.cluster.x-k8s.io_eksconfigtemplates.yaml index 0a63027e0a..7a3805796e 100644 --- a/config/crd/bases/bootstrap.cluster.x-k8s.io_eksconfigtemplates.yaml +++ b/config/crd/bases/bootstrap.cluster.x-k8s.io_eksconfigtemplates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: eksconfigtemplates.bootstrap.cluster.x-k8s.io spec: group: bootstrap.cluster.x-k8s.io diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml index af854b225e..21be0fc920 100644 --- a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml +++ b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io spec: group: controlplane.cluster.x-k8s.io @@ -506,7 +506,6 @@ spec: ID defines a unique identifier to reference this resource. If you're bringing your subnet, set the AWS subnet-id here, it must start with `subnet-`. - When the VPC is managed by CAPA, and you'd like the provider to create a subnet for you, the id can be set to any placeholder value that does not start with `subnet-`; upon creation, the subnet AWS identifier will be populated in the `ResourceID` field and 
@@ -539,7 +538,6 @@ spec: ParentZoneName is the zone name where the current subnet's zone is tied when the zone is a Local Zone. - The subnets in Local Zone or Wavelength Zone locations consume the ParentZoneName to select the correct private route table to egress traffic to the internet. type: string @@ -562,30 +560,23 @@ spec: description: |- ZoneType defines the type of the zone where the subnet is created. - The valid values are availability-zone, local-zone, and wavelength-zone. - Subnet with zone type availability-zone (regular) is always selected to create cluster resources, like Load Balancers, NAT Gateways, Contol Plane nodes, etc. - Subnet with zone type local-zone or wavelength-zone is not eligible to automatically create regular cluster resources. - The public subnet in availability-zone or local-zone is associated with regular public route table with default route entry to a Internet Gateway. - The public subnet in wavelength-zone is associated with a carrier public route table with default route entry to a Carrier Gateway. - The private subnet in the availability-zone is associated with a private route table with the default route entry to a NAT Gateway created in that zone. - The private subnet in the local-zone or wavelength-zone is associated with a private route table with the default route entry re-using the NAT Gateway in the Region (preferred from the parent zone, the zone type availability-zone in the region, or first table available). @@ -658,11 +649,9 @@ spec: PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted, no more IPv4 address available in the pool. - When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the IPv4 limit, the address will be claimed from Amazon-pool (default). - When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted. enum: - amazon-pool 
@@ -677,12 +666,10 @@ spec: EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress and egress rules should be removed. - By default, when creating a VPC, AWS creates a security group called `default` with ingress and egress rules that allow traffic from anywhere. The group could be used as a potential surface attack and it's generally suggested that the group rules are removed or modified appropriately. - NOTE: This only applies when the VPC is managed by the Cluster API AWS controller. type: boolean id: @@ -828,7 +815,6 @@ spec: description: |- The name of the OIDC provider configuration. - IdentityProviderConfigName is a required field type: string issuerUrl: @@ -871,6 +857,10 @@ spec: email, the prefix defaults to issuerurl#. You can use the value - to disable all prefixing. type: string + required: + - clientId + - identityProviderConfigName + - issuerUrl type: object region: description: The AWS Region the cluster lives in. @@ -965,9 +955,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its 
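Review bot: The `required:` list added in the `@@ -871,6 +857,10 @@` hunk (`clientId`, `identityProviderConfigName`, `issuerUrl`) is a real validation change to what appears to be the OIDC identity provider configuration object, unlike the blank-line and version-annotation churn in the rest of this file. Once this CRD is applied, the API server rejects new or updated objects that set that block without all three fields, so confirm that no existing manifests or templates depend on the looser schema. The tightening should also be recorded in the commit description, for example `OIDC identity provider config now requires clientId, identityProviderConfigName and issuerUrl`. The same list is added again in the `@@ -2914,6 +2879,10 @@` hunk of this file. Because the file is generated, any adjustment belongs in the Go API types and their markers, which are not visible in this patch.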
@@ -1033,9 +1021,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key @@ -1168,10 +1154,8 @@ spec: description: |- Enables or disables the HTTP metadata endpoint on your instances. - If you specify a value of disabled, you cannot access your instance metadata. - Default: enabled enum: - enabled @@ -1183,7 +1167,6 @@ spec: The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. - Default: 1 format: int64 maximum: 64 @@ -1194,20 +1177,17 @@ spec: description: |- The state of token usage for your instance metadata requests. - If the state is optional, you can choose to retrieve instance metadata with or without a session token on your request. If you retrieve the IAM role credentials without a token, the version 1.0 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the version 2.0 role credentials are returned. - If the state is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns the version 2.0 credentials; the version 1.0 credentials are not available. - Default: optional enum: - optional @@ -1221,7 +1201,6 @@ spec: For more information, see Work with instance tags using the instance metadata (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS). - Default: disabled enum: - enabled 
@@ -2549,7 +2528,6 @@ spec: ID defines a unique identifier to reference this resource. If you're bringing your subnet, set the AWS subnet-id here, it must start with `subnet-`. - When the VPC is managed by CAPA, and you'd like the provider to create a subnet for you, the id can be set to any placeholder value that does not start with `subnet-`; upon creation, the subnet AWS identifier will be populated in the `ResourceID` field and @@ -2582,7 +2560,6 @@ spec: ParentZoneName is the zone name where the current subnet's zone is tied when the zone is a Local Zone. - The subnets in Local Zone or Wavelength Zone locations consume the ParentZoneName to select the correct private route table to egress traffic to the internet. type: string @@ -2605,30 +2582,23 @@ spec: description: |- ZoneType defines the type of the zone where the subnet is created. - The valid values are availability-zone, local-zone, and wavelength-zone. - Subnet with zone type availability-zone (regular) is always selected to create cluster resources, like Load Balancers, NAT Gateways, Contol Plane nodes, etc. - Subnet with zone type local-zone or wavelength-zone is not eligible to automatically create regular cluster resources. - The public subnet in availability-zone or local-zone is associated with regular public route table with default route entry to a Internet Gateway. - The public subnet in wavelength-zone is associated with a carrier public route table with default route entry to a Carrier Gateway. - The private subnet in the availability-zone is associated with a private route table with the default route entry to a NAT Gateway created in that zone. - The private subnet in the local-zone or wavelength-zone is associated with a private route table with the default route entry re-using the NAT Gateway in the Region (preferred from the parent zone, the zone type availability-zone in the region, or first table available). 
@@ -2701,11 +2671,9 @@ spec: PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted, no more IPv4 address available in the pool. - When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the IPv4 limit, the address will be claimed from Amazon-pool (default). - When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted. enum: - amazon-pool @@ -2720,12 +2688,10 @@ spec: EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress and egress rules should be removed. - By default, when creating a VPC, AWS creates a security group called `default` with ingress and egress rules that allow traffic from anywhere. The group could be used as a potential surface attack and it's generally suggested that the group rules are removed or modified appropriately. - NOTE: This only applies when the VPC is managed by the Cluster API AWS controller. type: boolean id: @@ -2871,7 +2837,6 @@ spec: description: |- The name of the OIDC provider configuration. - IdentityProviderConfigName is a required field type: string issuerUrl: @@ -2914,6 +2879,10 @@ spec: email, the prefix defaults to issuerurl#. You can use the value - to disable all prefixing. type: string + required: + - clientId + - identityProviderConfigName + - issuerUrl type: object partition: description: Partition is the AWS security partition being used. Defaults 
@@ -3026,9 +2995,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its @@ -3094,9 +3061,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key @@ -3229,10 +3194,8 @@ spec: description: |- Enables or disables the HTTP metadata endpoint on your instances. - If you specify a value of disabled, you cannot access your instance metadata. - Default: enabled enum: - enabled @@ -3244,7 +3207,6 @@ spec: The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. - Default: 1 format: int64 maximum: 64 
@@ -3255,20 +3217,17 @@ spec: description: |- The state of token usage for your instance metadata requests. - If the state is optional, you can choose to retrieve instance metadata with or without a session token on your request. If you retrieve the IAM role credentials without a token, the version 1.0 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the version 2.0 role credentials are returned. - If the state is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns the version 2.0 credentials; the version 1.0 credentials are not available. - Default: optional enum: - optional @@ -3282,7 +3241,6 @@ spec: For more information, see Work with instance tags using the instance metadata (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS). - Default: disabled enum: - enabled diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml index 22e808ed82..1a61a27914 100644 --- a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml +++ b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: rosacontrolplanes.controlplane.cluster.x-k8s.io spec: group: controlplane.cluster.x-k8s.io 
@@ -180,9 +180,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -194,7 +192,6 @@ spec: As these machinepool not created using ROSAMachinePool CR, they will not be visible/managed by ROSA CAPI provider. `rosa list machinepools -c ` can be used to view those machinepools. - This field will be removed in the future once the current limitation is resolved. properties: autoscaling: @@ -253,7 +250,6 @@ spec: ExternalAuthProviders are external OIDC identity providers that can issue tokens for this cluster. Can only be set if "enableExternalAuthProviders" is set to "True". - At most one provider can be configured. items: description: ExternalAuthProvider is an external OIDC identity provider @@ -279,10 +275,8 @@ spec: Prefix is a string to prefix the value from the token in the result of the claim mapping. - By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". @@ -295,7 +289,6 @@ spec: Username is a name of the claim that should be used to construct usernames for the cluster identity. - Default value: "sub" properties: claim: 
@@ -311,14 +304,11 @@ spec: description: |- PrefixPolicy specifies how a prefix should apply. - By default, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins. - Set to "NoPrefix" to disable prefixing. - Example: (1) `prefix` is set to "myoidc:" and `claim` is set to "username". If the JWT claim `username` contains value `userA`, the resulting @@ -574,8 +564,8 @@ spec: properties: controlPlaneOperatorARN: description: "ControlPlaneOperatorARN is an ARN value referencing - a role appropriate for the Control Plane Operator.\n\n\nThe - following is an example of a valid policy document:\n\n\n{\n\t\"Version\": + a role appropriate for the Control Plane Operator.\n\nThe following + is an example of a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": 
@@ -584,8 +574,8 @@ spec: type: string imageRegistryARN: description: "ImageRegistryARN is an ARN value referencing a role - appropriate for the Image Registry Operator.\n\n\nThe following - is an example of a valid policy document:\n\n\n{\n\t\"Version\": + appropriate for the Image Registry Operator.\n\nThe following + is an example of a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": \"*\"\n\t\t}\n\t]\n}" 
@@ -597,11 +587,11 @@ spec: \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\n\nIngressARN + }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN is an ARN value referencing a role appropriate for the Ingress - Operator.\n\n\nThe following is an example of a valid policy - document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": + Operator.\n\nThe following is an example of a valid policy document:\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" @@ -613,10 +603,8 @@ spec: KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - The following is an example of a valid policy document: - { "Version": "2012-10-17", "Statement": [ 
@@ -690,8 +678,8 @@ spec: type: string networkARN: description: "NetworkARN is an ARN value referencing a role appropriate - for the Network Operator.\n\n\nThe following is an example of - a valid policy document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": + for the Network Operator.\n\nThe following is an example of + a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n @@ -701,8 +689,8 @@ spec: type: string nodePoolManagementARN: description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\n\nThe following - is an example of a valid policy document:\n\n\n{\n \"Version\": + a role appropriate for the CAPI Controller.\n\nThe following + is an example of a valid policy document:\n\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \ \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n 
@@ -746,8 +734,8 @@ spec: type: string storageARN: description: "StorageARN is an ARN value referencing a role appropriate - for the Storage Operator.\n\n\nThe following is an example of - a valid policy document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": + for the Storage Operator.\n\nThe following is an example of + a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": \"*\"\n\t\t}\n\t]\n}" type: string @@ -885,7 +873,6 @@ spec: FailureMessage will be set in the event that there is a terminal problem reconciling the state and will be set to a descriptive error message. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustercontrolleridentities.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustercontrolleridentities.yaml index 9efe6cb2d0..f7ea173270 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustercontrolleridentities.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustercontrolleridentities.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusterroleidentities.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusterroleidentities.yaml index e35d995470..f18f32566b 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusterroleidentities.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusterroleidentities.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsclusterroleidentities.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml index 7d6cc0a025..3ccb164ec1 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsclusters.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io 
@@ -136,13 +136,11 @@ spec: description: |- CrossZoneLoadBalancing enables the classic ELB cross availability zone balancing. - With cross-zone load balancing, each load balancer node for your Classic Load Balancer distributes requests evenly across the registered instances in all enabled Availability Zones. If cross-zone load balancing is disabled, each load balancer node distributes requests evenly across the registered instances in its Availability Zone only. - Defaults to false. type: boolean healthCheckProtocol: @@ -1074,13 +1072,11 @@ spec: description: |- CrossZoneLoadBalancing enables the classic ELB cross availability zone balancing. - With cross-zone load balancing, each load balancer node for your Classic Load Balancer distributes requests evenly across the registered instances in all enabled Availability Zones. If cross-zone load balancing is disabled, each load balancer node distributes requests evenly across the registered instances in its Availability Zone only. - Defaults to false. type: boolean disableHostsRewrite: @@ -1446,7 +1442,6 @@ spec: ID defines a unique identifier to reference this resource. If you're bringing your subnet, set the AWS subnet-id here, it must start with `subnet-`. - When the VPC is managed by CAPA, and you'd like the provider to create a subnet for you, the id can be set to any placeholder value that does not start with `subnet-`; upon creation, the subnet AWS identifier will be populated in the `ResourceID` field and @@ -1479,7 +1474,6 @@ spec: ParentZoneName is the zone name where the current subnet's zone is tied when the zone is a Local Zone. - The subnets in Local Zone or Wavelength Zone locations consume the ParentZoneName to select the correct private route table to egress traffic to the internet. type: string 
@@ -1502,30 +1496,23 @@ spec: description: |- ZoneType defines the type of the zone where the subnet is created. - The valid values are availability-zone, local-zone, and wavelength-zone. - Subnet with zone type availability-zone (regular) is always selected to create cluster resources, like Load Balancers, NAT Gateways, Contol Plane nodes, etc. - Subnet with zone type local-zone or wavelength-zone is not eligible to automatically create regular cluster resources. - The public subnet in availability-zone or local-zone is associated with regular public route table with default route entry to a Internet Gateway. - The public subnet in wavelength-zone is associated with a carrier public route table with default route entry to a Carrier Gateway. - The private subnet in the availability-zone is associated with a private route table with the default route entry to a NAT Gateway created in that zone. - The private subnet in the local-zone or wavelength-zone is associated with a private route table with the default route entry re-using the NAT Gateway in the Region (preferred from the parent zone, the zone type availability-zone in the region, or first table available). @@ -1598,11 +1585,9 @@ spec: PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted, no more IPv4 address available in the pool. - When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the IPv4 limit, the address will be claimed from Amazon-pool (default). - When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted. enum: - amazon-pool 
@@ -1617,12 +1602,10 @@ spec: EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress and egress rules should be removed. - By default, when creating a VPC, AWS creates a security group called `default` with ingress and egress rules that allow traffic from anywhere. The group could be used as a potential surface attack and it's generally suggested that the group rules are removed or modified appropriately. - NOTE: This only applies when the VPC is managed by the Cluster API AWS controller. type: boolean id: @@ -1784,11 +1767,9 @@ spec: description: |- PresignedURLDuration defines the duration for which presigned URLs are valid. - This is used to generate presigned URLs for S3 Bucket objects, which are used by control-plane and worker nodes to fetch bootstrap data. - When enabled, the IAM instance profiles specified are not used. type: string required: @@ -1798,7 +1779,6 @@ spec: description: |- SecondaryControlPlaneLoadBalancer is an additional load balancer that can be used for the control plane. - An example use case is to have a separate internal load balancer for internal traffic, and a separate external load balancer for external traffic. properties: @@ -1899,13 +1879,11 @@ spec: description: |- CrossZoneLoadBalancing enables the classic ELB cross availability zone balancing. - With cross-zone load balancing, each load balancer node for your Classic Load Balancer distributes requests evenly across the registered instances in all enabled Availability Zones. If cross-zone load balancing is disabled, each load balancer node distributes requests evenly across the registered instances in its Availability Zone only. - Defaults to false. type: boolean disableHostsRewrite: @@ -2143,10 +2121,8 @@ spec: description: |- Enables or disables the HTTP metadata endpoint on your instances. - If you specify a value of disabled, you cannot access your instance metadata. - Default: enabled enum: - enabled 
@@ -2158,7 +2134,6 @@ spec: The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. - Default: 1 format: int64 maximum: 64 @@ -2169,20 +2144,17 @@ spec: description: |- The state of token usage for your instance metadata requests. - If the state is optional, you can choose to retrieve instance metadata with or without a session token on your request. If you retrieve the IAM role credentials without a token, the version 1.0 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the version 2.0 role credentials are returned. - If the state is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns the version 2.0 credentials; the version 1.0 credentials are not available. - Default: optional enum: - optional @@ -2196,7 +2168,6 @@ spec: For more information, see Work with instance tags using the instance metadata (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS). - Default: disabled enum: - enabled diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusterstaticidentities.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusterstaticidentities.yaml index 32c2441757..67314698ff 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusterstaticidentities.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusterstaticidentities.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsclusterstaticidentities.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io 
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml index bd35c78474..feb6ec2ef2 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsclustertemplates.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io @@ -151,13 +151,11 @@ spec: description: |- CrossZoneLoadBalancing enables the classic ELB cross availability zone balancing. - With cross-zone load balancing, each load balancer node for your Classic Load Balancer distributes requests evenly across the registered instances in all enabled Availability Zones. If cross-zone load balancing is disabled, each load balancer node distributes requests evenly across the registered instances in its Availability Zone only. - Defaults to false. type: boolean healthCheckProtocol: @@ -666,13 +664,11 @@ spec: description: |- CrossZoneLoadBalancing enables the classic ELB cross availability zone balancing. - With cross-zone load balancing, each load balancer node for your Classic Load Balancer distributes requests evenly across the registered instances in all enabled Availability Zones. If cross-zone load balancing is disabled, each load balancer node distributes requests evenly across the registered instances in its Availability Zone only. - Defaults to false. type: boolean disableHostsRewrite: 
@@ -1043,7 +1039,6 @@ spec: ID defines a unique identifier to reference this resource. If you're bringing your subnet, set the AWS subnet-id here, it must start with `subnet-`. - When the VPC is managed by CAPA, and you'd like the provider to create a subnet for you, the id can be set to any placeholder value that does not start with `subnet-`; upon creation, the subnet AWS identifier will be populated in the `ResourceID` field and @@ -1077,7 +1072,6 @@ spec: ParentZoneName is the zone name where the current subnet's zone is tied when the zone is a Local Zone. - The subnets in Local Zone or Wavelength Zone locations consume the ParentZoneName to select the correct private route table to egress traffic to the internet. type: string @@ -1100,30 +1094,23 @@ spec: description: |- ZoneType defines the type of the zone where the subnet is created. - The valid values are availability-zone, local-zone, and wavelength-zone. - Subnet with zone type availability-zone (regular) is always selected to create cluster resources, like Load Balancers, NAT Gateways, Contol Plane nodes, etc. - Subnet with zone type local-zone or wavelength-zone is not eligible to automatically create regular cluster resources. - The public subnet in availability-zone or local-zone is associated with regular public route table with default route entry to a Internet Gateway. - The public subnet in wavelength-zone is associated with a carrier public route table with default route entry to a Carrier Gateway. - The private subnet in the availability-zone is associated with a private route table with the default route entry to a NAT Gateway created in that zone. - The private subnet in the local-zone or wavelength-zone is associated with a private route table with the default route entry re-using the NAT Gateway in the Region (preferred from the parent zone, the zone type availability-zone in the region, or first table available). 
@@ -1196,11 +1183,9 @@ spec: PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted, no more IPv4 address available in the pool. - When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the IPv4 limit, the address will be claimed from Amazon-pool (default). - When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted. enum: - amazon-pool @@ -1215,12 +1200,10 @@ spec: EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress and egress rules should be removed. - By default, when creating a VPC, AWS creates a security group called `default` with ingress and egress rules that allow traffic from anywhere. The group could be used as a potential surface attack and it's generally suggested that the group rules are removed or modified appropriately. - NOTE: This only applies when the VPC is managed by the Cluster API AWS controller. type: boolean id: @@ -1384,11 +1367,9 @@ spec: description: |- PresignedURLDuration defines the duration for which presigned URLs are valid. - This is used to generate presigned URLs for S3 Bucket objects, which are used by control-plane and worker nodes to fetch bootstrap data. - When enabled, the IAM instance profiles specified are not used. type: string required: @@ -1398,7 +1379,6 @@ spec: description: |- SecondaryControlPlaneLoadBalancer is an additional load balancer that can be used for the control plane. - An example use case is to have a separate internal load balancer for internal traffic, and a separate external load balancer for external traffic. properties: 
@@ -1500,13 +1480,11 @@ spec: description: |- CrossZoneLoadBalancing enables the classic ELB cross availability zone balancing. - With cross-zone load balancing, each load balancer node for your Classic Load Balancer distributes requests evenly across the registered instances in all enabled Availability Zones. If cross-zone load balancing is disabled, each load balancer node distributes requests evenly across the registered instances in its Availability Zone only. - Defaults to false. type: boolean disableHostsRewrite: diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsfargateprofiles.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsfargateprofiles.yaml index f3699dfdfc..e2fcb92dd7 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsfargateprofiles.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsfargateprofiles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsfargateprofiles.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io @@ -160,7 +160,6 @@ spec: reconciling the FargateProfile and will contain a more verbose string suitable for logging and human consumption. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -170,7 +169,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of FargateProfiles can be added as events to the FargateProfile object and/or logged in the controller's output. 
@@ -181,7 +179,6 @@ spec: reconciling the FargateProfile and will contain a succinct value suitable for machine interpretation. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -191,7 +188,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of FargateProfiles can be added as events to the FargateProfile object and/or logged in the controller's output. @@ -350,7 +346,6 @@ spec: reconciling the FargateProfile and will contain a more verbose string suitable for logging and human consumption. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -360,7 +355,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of FargateProfiles can be added as events to the FargateProfile object and/or logged in the controller's output. @@ -371,7 +365,6 @@ spec: reconciling the FargateProfile and will contain a succinct value suitable for machine interpretation. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -381,7 +374,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of FargateProfiles can be added as events to the FargateProfile object and/or logged in the controller's output. 
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinepools.yaml index e70f544535..6314fe7c62 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinepools.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinepools.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsmachinepools.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io @@ -435,7 +435,6 @@ spec: reconciling the Machine and will contain a more verbose string suitable for logging and human consumption. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -445,7 +444,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output. @@ -456,7 +454,6 @@ spec: reconciling the Machine and will contain a succinct value suitable for machine interpretation. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -466,7 +463,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output. 
@@ -671,10 +667,8 @@ spec: description: |- Enables or disables the HTTP metadata endpoint on your instances. - If you specify a value of disabled, you cannot access your instance metadata. - Default: enabled enum: - enabled @@ -686,7 +680,6 @@ spec: The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. - Default: 1 format: int64 maximum: 64 @@ -697,20 +690,17 @@ spec: description: |- The state of token usage for your instance metadata requests. - If the state is optional, you can choose to retrieve instance metadata with or without a session token on your request. If you retrieve the IAM role credentials without a token, the version 1.0 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the version 2.0 role credentials are returned. - If the state is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns the version 2.0 credentials; the version 1.0 credentials are not available. - Default: optional enum: - optional @@ -724,7 +714,6 @@ spec: For more information, see Work with instance tags using the instance metadata (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS). - Default: disabled enum: - enabled @@ -1123,7 +1112,6 @@ spec: reconciling the Machine and will contain a more verbose string suitable for logging and human consumption. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is 
@@ -1133,7 +1121,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output. @@ -1144,7 +1131,6 @@ spec: reconciling the Machine and will contain a succinct value suitable for machine interpretation. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -1154,7 +1140,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output. diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml index c02466fa59..70e7728369 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsmachines.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io @@ -461,7 +461,6 @@ spec: reconciling the Machine and will contain a more verbose string suitable for logging and human consumption. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is 
@@ -471,7 +470,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output. @@ -482,7 +480,6 @@ spec: reconciling the Machine and will contain a succinct value suitable for machine interpretation. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -492,7 +489,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output. @@ -678,11 +674,9 @@ spec: PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted, no more IPv4 address available in the pool. - When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the IPv4 limit, the address will be claimed from Amazon-pool (default). - When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted. enum: - amazon-pool @@ -722,7 +716,6 @@ spec: NoProxy is the list of domains to not proxy for Ignition. Specifies a list of strings to hosts that should be excluded from proxying. - Each value is represented by: - An IP address prefix (1.2.3.4) - An IP address prefix in CIDR notation (1.2.3.4/8) 
@@ -731,7 +724,6 @@ spec: - A domain name with a leading . matches subdomains only - A special DNS label (*), indicates that no proxying should be done - An IP address prefix and domain name can also include a literal port number (1.2.3.4:80). items: description: IgnitionNoProxy defines the list of domains @@ -747,15 +739,12 @@ spec: StorageType defines how to store the boostrap user data for Ignition. This can be used to instruct Ignition from where to fetch the user data to bootstrap an instance. - When omitted, the storage option will default to ClusterObjectStore. - When set to "ClusterObjectStore", if the capability is available and a Cluster ObjectStore configuration is correctly provided in the Cluster object (under .spec.s3Bucket), an object store will be used to store bootstrap user data. - When set to "UnencryptedUserData", EC2 Instance User Data will be used to store the machine bootstrap user data, unencrypted. This option is considered less secure than others as user data may contain sensitive informations (keys, certificates, etc.) and users with ec2:DescribeInstances permission or users running pods @@ -831,10 +820,8 @@ spec: description: |- Enables or disables the HTTP metadata endpoint on your instances. - If you specify a value of disabled, you cannot access your instance metadata. - Default: enabled enum: - enabled @@ -846,7 +833,6 @@ spec: The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. - Default: 1 format: int64 maximum: 64 
@@ -857,20 +843,17 @@ spec: description: |- The state of token usage for your instance metadata requests. - If the state is optional, you can choose to retrieve instance metadata with or without a session token on your request. If you retrieve the IAM role credentials without a token, the version 1.0 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the version 2.0 role credentials are returned. - If the state is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns the version 2.0 credentials; the version 1.0 credentials are not available. - Default: optional enum: - optional @@ -884,7 +867,6 @@ spec: For more information, see Work with instance tags using the instance metadata (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS). - Default: disabled enum: - enabled @@ -1173,7 +1155,6 @@ spec: reconciling the Machine and will contain a more verbose string suitable for logging and human consumption. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -1183,7 +1164,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output. @@ -1194,7 +1174,6 @@ spec: reconciling the Machine and will contain a succinct value suitable for machine interpretation. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is 
@@ -1204,7 +1183,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output. diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml index 501a837555..a679a68bc8 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsmachinetemplates.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io @@ -608,11 +608,9 @@ spec: PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted, no more IPv4 address available in the pool. - When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the IPv4 limit, the address will be claimed from Amazon-pool (default). - When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted. enum: - amazon-pool @@ -652,7 +650,6 @@ spec: NoProxy is the list of domains to not proxy for Ignition. Specifies a list of strings to hosts that should be excluded from proxying. - Each value is represented by: - An IP address prefix (1.2.3.4) - An IP address prefix in CIDR notation (1.2.3.4/8) 
@@ -661,7 +658,6 @@ spec: - A domain name with a leading . matches subdomains only - A special DNS label (*), indicates that no proxying should be done - An IP address prefix and domain name can also include a literal port number (1.2.3.4:80). items: description: IgnitionNoProxy defines the list of @@ -677,15 +673,12 @@ spec: StorageType defines how to store the boostrap user data for Ignition. This can be used to instruct Ignition from where to fetch the user data to bootstrap an instance. - When omitted, the storage option will default to ClusterObjectStore. - When set to "ClusterObjectStore", if the capability is available and a Cluster ObjectStore configuration is correctly provided in the Cluster object (under .spec.s3Bucket), an object store will be used to store bootstrap user data. - When set to "UnencryptedUserData", EC2 Instance User Data will be used to store the machine bootstrap user data, unencrypted. This option is considered less secure than others as user data may contain sensitive informations (keys, certificates, etc.) and users with ec2:DescribeInstances permission or users running pods @@ -761,10 +754,8 @@ spec: description: |- Enables or disables the HTTP metadata endpoint on your instances. - If you specify a value of disabled, you cannot access your instance metadata. - Default: enabled enum: - enabled @@ -776,7 +767,6 @@ spec: The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. - Default: 1 format: int64 maximum: 64 
@@ -787,20 +777,17 @@ spec: description: |- The state of token usage for your instance metadata requests. - If the state is optional, you can choose to retrieve instance metadata with or without a session token on your request. If you retrieve the IAM role credentials without a token, the version 1.0 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the version 2.0 role credentials are returned. - If the state is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns the version 2.0 credentials; the version 1.0 credentials are not available. - Default: optional enum: - optional @@ -814,7 +801,6 @@ spec: For more information, see Work with instance tags using the instance metadata (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS). - Default: disabled enum: - enabled diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedclusters.yaml index aea8369f91..ee4da3b93c 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedclusters.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedclusters.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsmanagedclusters.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml index 008bfd9d2e..9ecac67715 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: awsmanagedmachinepools.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io @@ -434,7 +434,6 @@ spec: reconciling the MachinePool and will contain a more verbose string suitable for logging and human consumption. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -444,7 +443,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of MachinePools can be added as events to the MachinePool object and/or logged in the controller's output. @@ -455,7 +453,6 @@ spec: reconciling the MachinePool and will contain a succinct value suitable for machine interpretation. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -465,7 +462,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of MachinePools can be added as events to the MachinePool object and/or logged in the controller's output. @@ -667,10 +663,8 @@ spec: description: |- Enables or disables the HTTP metadata endpoint on your instances. - If you specify a value of disabled, you cannot access your instance metadata. - Default: enabled enum: - enabled 
@@ -682,7 +676,6 @@ spec: The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. - Default: 1 format: int64 maximum: 64 @@ -693,20 +686,17 @@ spec: description: |- The state of token usage for your instance metadata requests. - If the state is optional, you can choose to retrieve instance metadata with or without a session token on your request. If you retrieve the IAM role credentials without a token, the version 1.0 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the version 2.0 role credentials are returned. - If the state is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns the version 2.0 credentials; the version 1.0 credentials are not available. - Default: optional enum: - optional @@ -720,7 +710,6 @@ spec: For more information, see Work with instance tags using the instance metadata (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS). - Default: disabled enum: - enabled @@ -1051,7 +1040,6 @@ spec: reconciling the MachinePool and will contain a more verbose string suitable for logging and human consumption. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -1061,7 +1049,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of MachinePools can be added as events to the MachinePool object and/or logged in the controller's output. 
@@ -1072,7 +1059,6 @@ spec: reconciling the MachinePool and will contain a succinct value suitable for machine interpretation. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is @@ -1082,7 +1068,6 @@ spec: spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured. - Any transient errors that occur during the reconciliation of MachinePools can be added as events to the MachinePool object and/or logged in the controller's output. diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_rosaclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_rosaclusters.yaml index 2d0c295c0b..e01b2fd668 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_rosaclusters.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_rosaclusters.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: rosaclusters.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_rosamachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_rosamachinepools.yaml index a5786fd8bf..919e21118c 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_rosamachinepools.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_rosamachinepools.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: rosamachinepools.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io 
@@ -102,7 +102,6 @@ spec: respected during upgrades. After this grace period, any workloads protected by Pod Disruption Budgets that have not been successfully drained from a node will be forcibly evicted. - Valid values are from 0 to 1 week(10080m|168h) . 0 or empty value means that the MachinePool can be drained without any time limitation. type: string @@ -178,11 +177,9 @@ spec: Value can be an absolute number (ex: 5) or a percentage of desired nodes (ex: 10%). Absolute number is calculated from percentage by rounding up. - MaxSurge can not be 0 if MaxUnavailable is 0, default is 1. Both MaxSurge & MaxUnavailable must use the same units (absolute value or percentage). - Example: when MaxSurge is set to 30%, new nodes can be provisioned immediately when the rolling update starts, such that the total number of old and new nodes do not exceed 130% of desired nodes. Once old nodes have been @@ -200,11 +197,9 @@ spec: Value can be an absolute number (ex: 5) or a percentage of desired nodes (ex: 10%). Absolute number is calculated from percentage by rounding down. - MaxUnavailable can not be 0 if MaxSurge is 0, default is 0. Both MaxUnavailable & MaxSurge must use the same units (absolute value or percentage). - Example: when MaxUnavailable is set to 30%, old nodes can be deleted down to 70% of desired nodes immediately when the rolling update starts. Once new nodes are ready, more old nodes be deleted, followed by provisioning new nodes, @@ -277,7 +272,6 @@ spec: FailureMessage will be set in the event that there is a terminal problem reconciling the state and will be set to a descriptive error message. - This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 3ff4afe303..9b51abf039 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
@@ -8,6 +8,7 @@ rules: - "" resources: - configmaps + - secrets verbs: - create - delete @@ -35,18 +36,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - authentication.k8s.io resources: @@ -82,32 +71,9 @@ rules: resources: - clusters - clusters/status - verbs: - - get - - list - - watch -- apiGroups: - - cluster.x-k8s.io - resources: - - clusters - - machinepools - - machines - verbs: - - get - - list - - watch -- apiGroups: - - cluster.x-k8s.io - resources: - machinedeployments - verbs: - - get - - list - - watch -- apiGroups: - - cluster.x-k8s.io - resources: - - machinepools + - machines + - machines/status verbs: - get - list @@ -122,15 +88,6 @@ rules: - list - patch - watch -- apiGroups: - - cluster.x-k8s.io - resources: - - machines - - machines/status - verbs: - - get - - list - - watch - apiGroups: - controlplane.cluster.x-k8s.io resources: @@ -143,6 +100,7 @@ rules: - controlplane.cluster.x-k8s.io resources: - awsmanagedcontrolplanes + - rosacontrolplanes verbs: - delete - get 
@@ -153,64 +111,20 @@ rules: - apiGroups: - controlplane.cluster.x-k8s.io resources: - - awsmanagedcontrolplanes - awsmanagedcontrolplanes/status + - rosacontrolplanes/status verbs: - get - list - - watch -- apiGroups: - - controlplane.cluster.x-k8s.io - resources: - - awsmanagedcontrolplanes/status - verbs: - - get - - patch - - update -- apiGroups: - - controlplane.cluster.x-k8s.io - resources: - - rosacontrolplanes - verbs: - - delete - - get - - list - patch - update - watch -- apiGroups: - - controlplane.cluster.x-k8s.io - resources: - - rosacontrolplanes - - rosacontrolplanes/status - verbs: - - get - - list - - watch - apiGroups: - controlplane.cluster.x-k8s.io resources: - rosacontrolplanes/finalizers verbs: - update -- apiGroups: - - controlplane.cluster.x-k8s.io - resources: - - rosacontrolplanes/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - list - - patch - - watch - apiGroups: - infrastructure.cluster.x-k8s.io resources: @@ -220,21 +134,12 @@ rules: - get - list - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - awsclustercontrolleridentities - - awsclusterroleidentities - - awsclusterstaticidentities - verbs: - - get - - list - - watch - apiGroups: - infrastructure.cluster.x-k8s.io resources: - awsclusterroleidentities - awsclusterstaticidentities + - awsmachinetemplates verbs: - get - list 
@@ -243,164 +148,13 @@ rules: - infrastructure.cluster.x-k8s.io resources: - awsclusters - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - awsclusters/status - verbs: - - get - - patch - - update -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - awsfargateprofiles - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - awsfargateprofiles/status - verbs: - - get - - patch - - update -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - awsmachinepools - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - awsmachinepools - - awsmachinepools/status - verbs: - - get - - list - - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - awsmachinepools/status - verbs: - - get - - patch - - update -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - awsmachines - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - awsmachines - - awsmachines/status - verbs: - - get - - list - - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - awsmachines/status - verbs: - - get - - patch - - update -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - awsmachinetemplates - verbs: - - get - - list - - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - awsmanagedclusters - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - awsmanagedclusters - - awsmanagedclusters/status - verbs: - - get - - list - - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - awsmanagedclusters/status - verbs: - - get - - patch - - update -- apiGroups: - - 
infrastructure.cluster.x-k8s.io - resources: - - awsmanagedmachinepools - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - awsmanagedmachinepools - - awsmanagedmachinepools/status - verbs: - - get - - list - - watch -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - awsmanagedmachinepools/status - verbs: - - get - - patch - - update -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - rosaclusters + - rosamachinepools verbs: - delete - get @@ -411,7 +165,10 @@ rules: - apiGroups: - infrastructure.cluster.x-k8s.io resources: + - awsclusters/status + - awsfargateprofiles/status - rosaclusters/status + - rosamachinepools/status verbs: - get - patch @@ -419,9 +176,11 @@ rules: - apiGroups: - infrastructure.cluster.x-k8s.io resources: - - rosamachinepools + - awsmachinepools/status + - awsmachines/status + - awsmanagedclusters/status + - awsmanagedmachinepools/status verbs: - - delete - get - list - patch @@ -433,11 +192,3 @@ rules: - rosamachinepools/finalizers verbs: - update -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - rosamachinepools/status - verbs: - - get - - patch - - update diff --git a/hack/tools/go.mod b/hack/tools/go.mod index 945c1ee78f..332d9aeadb 100644 --- a/hack/tools/go.mod +++ b/hack/tools/go.mod @@ -1,6 +1,7 @@ module sigs.k8s.io/cluster-api-provider-aws/hack/tools -go 1.22.0 +go 1.22.7 + toolchain go1.22.9 require (