diff --git a/.gitignore b/.gitignore index a0a89e83..ec736591 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -config/helm/input/ +config/helm/bases/cluster-api-components.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index f088964a..43224f94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,11 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed + +- Repository: Rework `hack` & `config`. ([#176](https://github.com/giantswarm/cluster-api-app/pull/176)) + ## [1.15.1] - 2024-01-15 ### Changed -- Make: Use `kubectl` integrated `kustomize` +- Make: Use `kubectl` integrated `kustomize`. ([#171](https://github.com/giantswarm/cluster-api-app/pull/171)) - Switch to image hosted on gsoci.azurecr.io ## [1.15.0] - 2023-12-20 diff --git a/Makefile.custom.mk b/Makefile.custom.mk index f930d576..0fbf9245 100644 --- a/Makefile.custom.mk +++ b/Makefile.custom.mk @@ -4,7 +4,7 @@ generate: rm helm/cluster-api/templates/*.yaml hack/fetch-manifest.sh kubectl kustomize config/helm --output helm/cluster-api/templates - rm helm/cluster-api/templates/v1_configmap_watchfilter-patch.yaml + rm helm/cluster-api/templates/v1_configmap_watch-filter.yaml hack/move-generated-crds.sh hack/generate-crd-version-patches.sh hack/wrap-with-conditional.sh diff --git a/README.md b/README.md index a742d226..c37cdcdf 100644 --- a/README.md +++ b/README.md 
@@ -1,48 +1,48 @@ [![CircleCI](https://circleci.com/gh/giantswarm/cluster-api-app.svg?style=shield)](https://circleci.com/gh/giantswarm/cluster-api-app) -# cluster-api chart +# cluster-api-app -This is a meta app that provides deployment packaging for Cluster API core, bootstrap and control-plane controllers. +This is a meta app that provides deployment packaging for Cluster API components. ## Prerequisites To get all the `make` targets running -* `kubectl` ([source](https://github.com/kubernetes/kubectl)) in version `>= v1.27.0` is required -* `yq` ([source](https://github.com/mikefarah/yq)) is required +* [`kubectl`](https://github.com/kubernetes/kubectl) in version `>= v1.27.0` is required +* [`yq`](https://github.com/mikefarah/yq) is required ## How it works -The `make generate` target transfers the upstream released `cluster-api-components.yaml` into a Giant Swarm specific Helm chart. Besides there are some other changes required to make all the Cluster API components fit into our stack. +The `make generate` target transfers the upstream Cluster API components into a Giant Swarm specific Helm chart. Besides there are some other changes required to make them fit into our stack. To make all the changes transparent and reproducible, `kubectl kustomize` is used to apply patches. -The following notable scripts & commands are triggered in `make generate`: +The following notable commands & scripts are triggered in `make generate`: -1. [`hack/fetch-manifest.sh`](hack/fetch-manifest.sh): Fetches the release manifest with the version specified in `helm/cluster-api/values.yaml`. -1. `kubectl kustomize config/helm --output helm/cluster-api/templates`: Applies all the changes defined in `kustomization.yaml`. -1. [`hack/move-generated-crds.sh`](hack/move-generated-crds.sh): Moves all the CRDs into the `helm/cluster-api/files` directory. All files within this directory are later used in `job/cluster-api-crd-install`. +1. 
[`hack/fetch-manifest.sh`](hack/fetch-manifest.sh): Fetches the Cluster API components for the version specified in `helm/cluster-api/values.yaml`. +1. `kubectl kustomize config/helm --output helm/cluster-api/templates`: Generates kustomized Helm templates from upstream Cluster API components. +1. [`hack/move-generated-crds.sh`](hack/move-generated-crds.sh): Moves all the CRDs into the `helm/cluster-api/files` directory. They are later used in the CRD install job. 1. [`hack/generate-crd-version-patches.sh`](hack/generate-crd-version-patches.sh): Extracts the upstream Cluster API CRDs into `kustomize` patches in `helm/cluster-api/files`. 1. [`hack/wrap-with-conditional.sh`](hack/wrap-with-conditional.sh) * Wraps all occurrences of the `cluster.x-k8s.io/watch-filter` object selector into a condition: ```yaml - {{ if .Values.watchfilter }} + {{- if .Values.watchfilter }} objectSelector: matchLabels: cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - {{ end }} + {{- end }} ``` * Wraps all the `*_ciliumnetworkpolicy_*.yaml` manifests into the global `ciliumNetworkPolicy.enabled` condition: ```yaml {{- if .Values.ciliumNetworkPolicy.enabled }} [...] - {{ end }} + {{- end }} ``` -## Upgrading CAPI +## Upgrading Cluster API See the [`README.md`](https://github.com/giantswarm/cluster-api/blob/main/README.md) of our Cluster API fork for testing and releasing changes. -It is important to run `make generate` so that the templates, CRDs and patches are regenerated using the new version of CAPI. +It is important to run `make generate` so that the templates, CRDs and patches are regenerated using the new version of Cluster API. -**NOTE:** When new webhooks are added upstream, we need to manually add them to the relevant patches (`config/helm/certificate*.yaml`). +**NOTE:** When new webhooks are added upstream, we need to manually add them to the relevant patches. 
diff --git a/config/helm/ciliumnetworkpolicy_capi-controller-manager.yaml b/config/helm/bases/ciliumnetworkpolicies/capi-controller-manager.yaml
similarity index 61%
rename from config/helm/ciliumnetworkpolicy_capi-controller-manager.yaml
rename to config/helm/bases/ciliumnetworkpolicies/capi-controller-manager.yaml
index fef7b768..ad6cf0a7 100644
--- a/config/helm/ciliumnetworkpolicy_capi-controller-manager.yaml
+++ b/config/helm/bases/ciliumnetworkpolicies/capi-controller-manager.yaml
@@ -1,20 +1,21 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
+ name: capi-controller-manager
+ namespace: capi-system
 labels:
 app.kubernetes.io/component: cluster-api
 cluster.x-k8s.io/provider: cluster-api
 control-plane: controller-manager
- name: capi-controller-manager
 spec:
 endpointSelector:
 matchLabels:
 cluster.x-k8s.io/provider: cluster-api
 control-plane: controller-manager
- ingress: # for webhooks
- - fromEntities:
- - cluster # even though it's a kube-apiserver pod running in host network it doesn't work without "cluster"
- - kube-apiserver
+ ingress:
+ - fromEntities:
+ - cluster
+ - kube-apiserver
 egress:
- - toEntities:
- - kube-apiserver
+ - toEntities:
+ - kube-apiserver
diff --git a/config/helm/ciliumnetworkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml b/config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
similarity index 63%
rename from config/helm/ciliumnetworkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml
rename to config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
index 88f07a75..6cd8fa4c 100644
--- a/config/helm/ciliumnetworkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml
+++ b/config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
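Review bot: The rewritten ingress block in `bases/ciliumnetworkpolicies/capi-controller-manager.yaml` drops the two comments that justified it (`# for webhooks` and the note that `cluster` is needed even though kube-apiserver runs in host network), so the `cluster` entity now reads like an over-broad allow that a later tightening could remove and thereby break webhook admission. Keep the rationale next to the rule, e.g. `ingress: # webhook calls from the API server` and `- cluster # kube-apiserver runs in host network; the webhook calls are not admitted without "cluster"`. The same comments were removed from the bootstrap and control-plane policies in the next two file sections. The added `namespace: capi-system` appears to be overridden by the kustomization's `namespace: "{{ .Release.Namespace }}"`; a one-line comment stating that the value is only the upstream default would avoid confusion.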
@@ -1,20 +1,21 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
+ name: capi-kubeadm-bootstrap-controller-manager
+ namespace: capi-kubeadm-bootstrap-system
 labels:
 app.kubernetes.io/component: bootstrap-kubeadm
 cluster.x-k8s.io/provider: bootstrap-kubeadm
 control-plane: controller-manager
- name: capi-kubeadm-bootstrap-controller-manager
 spec:
 endpointSelector:
 matchLabels:
 cluster.x-k8s.io/provider: bootstrap-kubeadm
 control-plane: controller-manager
- ingress: # for webhooks
- - fromEntities:
- - cluster # even though it's a kube-apiserver pod running in host network it doesn't work without "cluster"
- - kube-apiserver
+ ingress:
+ - fromEntities:
+ - cluster
+ - kube-apiserver
 egress:
- - toEntities:
- - kube-apiserver
+ - toEntities:
+ - kube-apiserver
diff --git a/config/helm/ciliumnetworkpolicy_capi-kubeadm-control-plane-controller-manager.yaml b/config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
similarity index 64%
rename from config/helm/ciliumnetworkpolicy_capi-kubeadm-control-plane-controller-manager.yaml
rename to config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
index cc0d4b11..90181fb4 100644
--- a/config/helm/ciliumnetworkpolicy_capi-kubeadm-control-plane-controller-manager.yaml
+++ b/config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
@@ -1,20 +1,21 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
+ name: capi-kubeadm-control-plane-controller-manager
+ namespace: capi-kubeadm-control-plane-system
 labels:
 app.kubernetes.io/component: control-plane-kubeadm
 cluster.x-k8s.io/provider: control-plane-kubeadm
 control-plane: controller-manager
- name: capi-kubeadm-control-plane-controller-manager
 spec:
 endpointSelector:
 matchLabels:
 cluster.x-k8s.io/provider: control-plane-kubeadm
 control-plane: controller-manager
- ingress: # for webhooks
- - fromEntities:
- - cluster # even though it's a kube-apiserver pod running in host network it doesn't work without "cluster"
- - kube-apiserver
+ ingress:
+ - fromEntities:
+ - cluster
+ - kube-apiserver
 egress:
- - toEntities:
- - kube-apiserver
+ - toEntities:
+ - kube-apiserver
diff --git a/config/helm/bases/configmaps/watch-filter.yaml b/config/helm/bases/configmaps/watch-filter.yaml
new file mode 100644
index 00000000..fe300852
--- /dev/null
+++ b/config/helm/bases/configmaps/watch-filter.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: watch-filter
+ namespace: watch-filter
+data:
+ cluster.x-k8s.io/watch-filter: "{{ .Values.watchFilter }}"
diff --git a/config/helm/networkpolicy_capi-controller-manager.yaml b/config/helm/bases/networkpolicies/capi-controller-manager.yaml
similarity index 62%
rename from config/helm/networkpolicy_capi-controller-manager.yaml
rename to config/helm/bases/networkpolicies/capi-controller-manager.yaml
index 06c7ceb6..278f8089 100644
--- a/config/helm/networkpolicy_capi-controller-manager.yaml
+++ b/config/helm/bases/networkpolicies/capi-controller-manager.yaml
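Review bot: The new `bases/configmaps/watch-filter.yaml` carries nothing that tells a reader it is a replacement source only: its `namespace: watch-filter` presumably never exists (the previous source's namespace was called `watchfilter-patch-ns-not-exist`, which made that explicit) and the rendered `v1_configmap_watch-filter.yaml` is deleted again in Makefile.custom.mk. A header comment such as `# Source object for the watch-filter replacement in kustomization.yaml; the rendered ConfigMap is removed from the chart by Makefile.custom.mk and must never be deployed` would stop someone from "fixing" the namespace or the rm. Separately, the README context shows the wrapper condition as `{{- if .Values.watchfilter }}` while this ConfigMap reads `.Values.watchFilter`; if the wrapping script really emits the lower-case key the objectSelector would only render when both values are set, which is worth confirming.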
@@ -1,25 +1,25 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
+ name: capi-controller-manager
+ namespace: capi-system
 labels:
 app.kubernetes.io/component: cluster-api
 cluster.x-k8s.io/provider: cluster-api
 control-plane: controller-manager
- name: capi-controller-manager
 spec:
 podSelector:
 matchLabels:
 cluster.x-k8s.io/provider: cluster-api
 control-plane: controller-manager
- egress:
- - ports:
- # Access to workload clusters' Kubernetes API
- - port: 443
- protocol: TCP
- - port: 6443
- protocol: TCP
- to:
- - ipBlock:
- cidr: 0.0.0.0/0
 policyTypes:
- - Egress
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 6443
diff --git a/config/helm/networkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml b/config/helm/bases/networkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
similarity index 77%
rename from config/helm/networkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml
rename to config/helm/bases/networkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
index ee991851..0d9c394c 100644
--- a/config/helm/networkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml
+++ b/config/helm/bases/networkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
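Review bot: The comment `# Access to workload clusters' Kubernetes API` that justified the `0.0.0.0/0` egress allow was dropped when the rule was reordered in `bases/networkpolicies/capi-controller-manager.yaml`, and the bootstrap and control-plane policies in the next two file sections never carried it. A CIDR-wide egress rule is exactly what a policy review will question, so the rationale should sit on the rule itself, e.g. `- to: # workload cluster API servers have arbitrary addresses, hence the open CIDR on 443/6443`, on all three files. As before the change, `policyTypes: [Egress]` with this as the only rule means any other egress from these pods (DNS, for instance) depends on a different policy, which the comment could state as well.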
@@ -1,24 +1,25 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
+ name: capi-kubeadm-bootstrap-controller-manager
+ namespace: capi-kubeadm-bootstrap-system
 labels:
 app.kubernetes.io/component: bootstrap-kubeadm
 cluster.x-k8s.io/provider: bootstrap-kubeadm
 control-plane: controller-manager
- name: capi-kubeadm-bootstrap-controller-manager
 spec:
- egress:
- - ports:
- - port: 443
- protocol: TCP
- - port: 6443
- protocol: TCP
- to:
- - ipBlock:
- cidr: 0.0.0.0/0
 podSelector:
 matchLabels:
 cluster.x-k8s.io/provider: bootstrap-kubeadm
 control-plane: controller-manager
 policyTypes:
 - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 6443
diff --git a/config/helm/networkpolicy_capi-kubeadm-control-plane-controller-manager.yaml b/config/helm/bases/networkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
similarity index 69%
rename from config/helm/networkpolicy_capi-kubeadm-control-plane-controller-manager.yaml
rename to config/helm/bases/networkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
index 505a2a3a..19973d56 100644
--- a/config/helm/networkpolicy_capi-kubeadm-control-plane-controller-manager.yaml
+++ b/config/helm/bases/networkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
@@ -1,24 +1,25 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
+ name: capi-kubeadm-control-plane-controller-manager
+ namespace: capi-kubeadm-control-plane-system
 labels:
 app.kubernetes.io/component: control-plane-kubeadm
 cluster.x-k8s.io/provider: control-plane-kubeadm
 control-plane: controller-manager
- name: capi-kubeadm-control-plane-controller-manager
 spec:
 podSelector:
 matchLabels:
 cluster.x-k8s.io/provider: control-plane-kubeadm
 control-plane: controller-manager
- egress:
- - ports:
- - port: 443
- protocol: TCP
- - port: 6443
- protocol: TCP
- to:
- - ipBlock:
- cidr: 0.0.0.0/0
 policyTypes:
- - Egress
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 6443
diff --git a/config/helm/common-labels.yaml b/config/helm/common-labels.yaml
deleted file mode 100644
index f1d94515..00000000
--- a/config/helm/common-labels.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: builtin
-kind: LabelTransformer
-metadata:
- name: common-labels
-labels:
- app.giantswarm.io/branch: '{{ .Values.project.branch }}'
- app.giantswarm.io/commit: '{{ .Values.project.commit }}'
- app.kubernetes.io/managed-by: '{{ .Release.Service }}'
- app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
- helm.sh/chart: cluster-api
- app.kubernetes.io/name: cluster-api
- app.kubernetes.io/instance: '{{ .Release.Name }}'
-fieldSpecs:
- - path: metadata/labels
- create: true
- - path: spec/template/metadata/labels
- create: true
- kind: Deployment
diff --git a/config/helm/crd_bootstrap_cainjection.yaml b/config/helm/crd_bootstrap_cainjection.yaml
deleted file mode 100644
index 2de8ffd9..00000000
--- a/config/helm/crd_bootstrap_cainjection.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# The following patch adds a directive for certmanager to inject CA into the CRD
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: "ignored" # not important, we are applying this patch to all bootstrap CRDs
- annotations:
- cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-kubeadm-bootstrap-serving-cert'
diff --git a/config/helm/crd_bootstrap_webhook.yaml b/config/helm/crd_bootstrap_webhook.yaml
deleted file mode 100644
index df23d3bd..00000000
--- a/config/helm/crd_bootstrap_webhook.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# The following patch enables conversion webhook for CRD
-# CRD conversion requires k8s 1.13 or later.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: "ignored" # not important, we are applying this patch to all bootstrap CRDs
-spec:
- conversion:
- strategy: Webhook
- webhook:
- conversionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
- # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
- caBundle: Cg==
- service:
- namespace: '{{ .Release.Namespace }}'
- name: capi-kubeadm-bootstrap-webhook-service
- path: /convert
- port: 443
diff --git a/config/helm/crd_clusterctl_labels.yaml b/config/helm/crd_clusterctl_labels.yaml
deleted file mode 100644
index 3b7c60f3..00000000
--- a/config/helm/crd_clusterctl_labels.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# The following patch adds clusterctl labels required to do the move operation
-# correctly.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: "ignored" # not important, we are applying this patch to all CAPI CRDs
- labels:
- clusterctl.cluster.x-k8s.io/move: ""
- clusterctl.cluster.x-k8s.io: ""
diff --git a/config/helm/crd_controlplane_cainjection.yaml b/config/helm/crd_controlplane_cainjection.yaml
deleted file mode 100644
index 657cd458..00000000
--- a/config/helm/crd_controlplane_cainjection.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# The following patch adds a directive for certmanager to inject CA into the CRD
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: "ignored" # not important, we are applying this patch to all controlplane CRDs
- annotations:
- cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-kubeadm-control-plane-serving-cert'
diff --git a/config/helm/crd_controlplane_webhook.yaml b/config/helm/crd_controlplane_webhook.yaml
deleted file mode 100644
index dbf1b88a..00000000
--- a/config/helm/crd_controlplane_webhook.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# The following patch enables conversion webhook for CRD
-# CRD conversion requires k8s 1.13 or later.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: "ignored" # not important, we are applying this patch to all controlplane CRDs
-spec:
- conversion:
- strategy: Webhook
- webhook:
- conversionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
- # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
- caBundle: Cg==
- service:
- namespace: '{{ .Release.Namespace }}'
- name: capi-kubeadm-control-plane-webhook-service
- path: /convert
- port: 443
diff --git a/config/helm/crd_core_cainjection.yaml b/config/helm/crd_core_cainjection.yaml
deleted file mode 100644
index 22d794ed..00000000
--- a/config/helm/crd_core_cainjection.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# The following patch adds a directive for certmanager to inject CA into the CRD
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: "ignored" # not important, we are applying this patch to all core CRDs
- annotations:
- cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-serving-cert'
diff --git a/config/helm/crd_core_webhook.yaml b/config/helm/crd_core_webhook.yaml
deleted file mode 100644
index 9849491c..00000000
--- a/config/helm/crd_core_webhook.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# The following patch enables conversion webhook for CRD
-# CRD conversion requires k8s 1.13 or later.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: "ignored" # not important, we are applying this patch to all CRDs
-spec:
- conversion:
- strategy: Webhook
- webhook:
- conversionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
- # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
- caBundle: Cg==
- service:
- namespace: '{{ .Release.Namespace }}'
- name: capi-webhook-service
- path: /convert
- port: 443
diff --git a/config/helm/deployment-args-controller-manager.yaml b/config/helm/deployment-args-controller-manager.yaml
deleted file mode 100644
index 4a0402b4..00000000
--- a/config/helm/deployment-args-controller-manager.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: capi-controller-manager
- namespace: capi-system
-spec:
- template:
- spec:
- containers:
- - name: manager
- args:
- - --metrics-bind-addr=0.0.0.0:8080
- - --feature-gates=MachinePool=true,ClusterResourceSet=true,ClusterTopology=true
- - --watch-filter={{ .Values.watchFilter }}
- - --v=0
diff --git a/config/helm/deployment-args-kubeadm-bootstrap-controller-manager.yaml b/config/helm/deployment-args-kubeadm-bootstrap-controller-manager.yaml
deleted file mode 100644
index 31e4ffd2..00000000
--- a/config/helm/deployment-args-kubeadm-bootstrap-controller-manager.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: capi-kubeadm-bootstrap-controller-manager
- namespace: capi-kubeadm-bootstrap-system
-spec:
- template:
- spec:
- containers:
- - name: manager
- args:
- - --metrics-bind-addr=0.0.0.0:8080
- - --feature-gates=MachinePool=true,KubeadmBootstrapFormatIgnition=true
- - --watch-filter={{ .Values.watchFilter }}
- - --v=0
diff --git a/config/helm/deployment-args-kubeadm-control-plane-controller-manager.yaml b/config/helm/deployment-args-kubeadm-control-plane-controller-manager.yaml
deleted file mode 100644
index ff2e79db..00000000
--- a/config/helm/deployment-args-kubeadm-control-plane-controller-manager.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: capi-kubeadm-control-plane-controller-manager
- namespace: capi-kubeadm-control-plane-system
-spec:
- template:
- spec:
- containers:
- - name: manager
- args:
- - --metrics-bind-addr=0.0.0.0:8080
- - --feature-gates=ClusterTopology=true,KubeadmBootstrapFormatIgnition=true
- - --watch-filter={{ .Values.watchFilter }}
- - --v=0
diff --git a/config/helm/deployment-labels-controller-manager.yaml b/config/helm/deployment-labels-controller-manager.yaml
deleted file mode 100644
index f575274a..00000000
--- a/config/helm/deployment-labels-controller-manager.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: capi-controller-manager
- namespace: capi-system
- labels:
- app.kubernetes.io/component: cluster-api
diff --git a/config/helm/deployment-labels-kubeadm-bootstrap-controller-manager.yaml b/config/helm/deployment-labels-kubeadm-bootstrap-controller-manager.yaml
deleted file mode 100644
index 6f593bf7..00000000
--- a/config/helm/deployment-labels-kubeadm-bootstrap-controller-manager.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: capi-kubeadm-bootstrap-controller-manager
- namespace: capi-kubeadm-bootstrap-system
- labels:
- app.kubernetes.io/component: bootstrap-kubeadm
diff --git a/config/helm/deployment-labels-kubeadm-control-plane-controller-manager.yaml b/config/helm/deployment-labels-kubeadm-control-plane-controller-manager.yaml
deleted file mode 100644
index 14c11f65..00000000
--- a/config/helm/deployment-labels-kubeadm-control-plane-controller-manager.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: capi-kubeadm-control-plane-controller-manager
- namespace: capi-kubeadm-control-plane-system
- labels:
- app.kubernetes.io/component: control-plane-kubeadm
diff --git a/config/helm/deployment-metrics-port-controller-manager.yaml b/config/helm/deployment-metrics-port-controller-manager.yaml
deleted file mode 100644
index 111aee19..00000000
--- a/config/helm/deployment-metrics-port-controller-manager.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: capi-controller-manager
- namespace: capi-system
-spec:
- template:
- spec:
- containers:
- - name: manager
- ports:
- - containerPort: 8080
- name: metrics
- protocol: TCP
diff --git a/config/helm/deployment-metrics-port-kubeadm-bootstrap-controller-manager.yaml b/config/helm/deployment-metrics-port-kubeadm-bootstrap-controller-manager.yaml
deleted file mode 100644
index 31fd263f..00000000
--- a/config/helm/deployment-metrics-port-kubeadm-bootstrap-controller-manager.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: capi-kubeadm-bootstrap-controller-manager
- namespace: capi-kubeadm-bootstrap-system
-spec:
- template:
- spec:
- containers:
- - name: manager
- ports:
- - containerPort: 8080
- name: metrics
- protocol: TCP
diff --git a/config/helm/deployment-metrics-port-kubeadm-control-plane-controller-manager.yaml b/config/helm/deployment-metrics-port-kubeadm-control-plane-controller-manager.yaml
deleted file mode 100644
index 174fd9f8..00000000
--- a/config/helm/deployment-metrics-port-kubeadm-control-plane-controller-manager.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: capi-kubeadm-control-plane-controller-manager
- namespace: capi-kubeadm-control-plane-system
-spec:
- template:
- spec:
- containers:
- - name: manager
- ports:
- - containerPort: 8080
- name: metrics
- protocol: TCP
diff --git a/config/helm/kustomization.yaml b/config/helm/kustomization.yaml
index c1d8efae..6023c360 100644
--- a/config/helm/kustomization.yaml
+++ b/config/helm/kustomization.yaml
@@ -1,256 +1,140 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: "{{ .Release.Namespace }}" - resources: - - input/cluster-api-components.yaml - - watchfilter-patch-configmap.yaml - - ciliumnetworkpolicy_capi-controller-manager.yaml - - ciliumnetworkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml - - ciliumnetworkpolicy_capi-kubeadm-control-plane-controller-manager.yaml - - networkpolicy_capi-controller-manager.yaml - - networkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml - - networkpolicy_capi-kubeadm-control-plane-controller-manager.yaml +# Cluster API components +- bases/cluster-api-components.yaml +# Network policies +- bases/networkpolicies/capi-controller-manager.yaml +- bases/networkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml +- bases/networkpolicies/capi-kubeadm-control-plane-controller-manager.yaml +# Cilium network policies +- bases/ciliumnetworkpolicies/capi-controller-manager.yaml +- bases/ciliumnetworkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml +- bases/ciliumnetworkpolicies/capi-kubeadm-control-plane-controller-manager.yaml +# Watch filter configmap +- bases/configmaps/watch-filter.yaml -# we want to define our own images -images: - - name: registry.k8s.io/cluster-api/cluster-api-controller - newName: "{{.Values.images.domain}}/{{.Values.images.core.name}}" - newTag: "{{.Values.images.core.tag | default .Values.images.tag}}" +namespace: "{{ .Release.Namespace }}" - - name: registry.k8s.io/cluster-api/kubeadm-bootstrap-controller - newName: "{{.Values.images.domain}}/{{.Values.images.bootstrap.name}}" - newTag: "{{.Values.images.bootstrap.tag | default .Values.images.tag}}" +labels: +# Common labels +- pairs: + app.kubernetes.io/name: cluster-api + app.kubernetes.io/version: "{{ .Chart.AppVersion }}" + app.giantswarm.io/branch: "{{ .Values.project.branch }}" + app.giantswarm.io/commit: "{{ .Values.project.commit }}" + app.kubernetes.io/instance: "{{ .Release.Name }}" + 
app.kubernetes.io/managed-by: "{{ .Release.Service }}" + helm.sh/chart: cluster-api + includeTemplates: true - - name: registry.k8s.io/cluster-api/kubeadm-control-plane-controller - newName: "{{.Values.images.domain}}/{{.Values.images.controlplane.name}}" - newTag: "{{.Values.images.controlplane.tag | default .Values.images.tag}}" +images: +# Cluster API +- name: registry.k8s.io/cluster-api/cluster-api-controller + newName: "{{ .Values.images.domain }}/{{ .Values.images.core.name }}" + newTag: "{{ .Values.images.core.tag | default .Values.images.tag }}" +# kubeadm bootstrap +- name: registry.k8s.io/cluster-api/kubeadm-bootstrap-controller + newName: "{{ .Values.images.domain }}/{{ .Values.images.bootstrap.name }}" + newTag: "{{ .Values.images.bootstrap.tag | default .Values.images.tag }}" +# kubeadm control plane +- name: registry.k8s.io/cluster-api/kubeadm-control-plane-controller + newName: "{{ .Values.images.domain }}/{{ .Values.images.controlplane.name }}" + newTag: "{{ .Values.images.controlplane.tag | default .Values.images.tag }}" transformers: - # add all the mandatory labels to make an object managed by helm - - common-labels.yaml - # Add prometheus scrape labels - could be removed in the future as we're using `PodMonitors|ServiceMonitors` to define a scrape target - - monitoring-annotations.yaml - # set zzz- as prefix for MutatingWebhookConfiguration - # more detailed explanation: https://intranet.giantswarm.io/docs/product/architecture-specs-adrs/adr/017_webhook-ordering - - webhook-prefix.yaml +# Mutating webhooks +- patches/mutatingwebhooks/zzz-prefix.yaml replacements: - - source: - name: watchfilter-patch - namespace: watchfilter-patch-ns-not-exist - kind: ConfigMap - fieldPath: data.watch-filter +# CRDs +- source: + version: v1 + kind: ConfigMap + name: watch-filter + namespace: watch-filter + fieldPath: data + targets: + - select: + group: admissionregistration.k8s.io version: v1 - targets: - - select: - kind: MutatingWebhookConfiguration - 
fieldPaths: - - webhooks.*.objectSelector.matchLabels.[cluster.x-k8s.io/watch-filter] - options: - create: true - - select: - kind: ValidatingWebhookConfiguration - fieldPaths: - - webhooks.*.objectSelector.matchLabels.[cluster.x-k8s.io/watch-filter] - options: - create: true + kind: MutatingWebhookConfiguration + fieldPaths: + - webhooks.*.objectSelector.matchLabels + options: + create: true + - select: + group: admissionregistration.k8s.io + version: v1 + kind: ValidatingWebhookConfiguration + fieldPaths: + - webhooks.*.objectSelector.matchLabels + options: + create: true patches: - # add the `cert-manager.io/inject-ca-from` label to point to the target namespace where the CAPI controllers are running - - path: crd_core_cainjection.yaml - target: - kind: CustomResourceDefinition - labelSelector: cluster.x-k8s.io/provider=cluster-api - - path: crd_bootstrap_cainjection.yaml - target: - kind: CustomResourceDefinition - labelSelector: cluster.x-k8s.io/provider=bootstrap-kubeadm - - path: crd_controlplane_cainjection.yaml - target: - kind: CustomResourceDefinition - labelSelector: cluster.x-k8s.io/provider=control-plane-kubeadm - - # adds clusterctl labels required to do the move operation correctly. 
- - path: crd_clusterctl_labels.yaml - target: - kind: CustomResourceDefinition - labelSelector: cluster.x-k8s.io/provider=cluster-api - - path: crd_clusterctl_labels.yaml - target: - kind: CustomResourceDefinition - labelSelector: cluster.x-k8s.io/provider=bootstrap-kubeadm - - path: crd_clusterctl_labels.yaml - target: - kind: CustomResourceDefinition - labelSelector: cluster.x-k8s.io/provider=control-plane-kubeadm - - # point to the target namespace where the CAPI controllers are running in the CRD spec for the - - path: crd_core_webhook.yaml - target: - kind: CustomResourceDefinition - labelSelector: cluster.x-k8s.io/provider=cluster-api - - path: crd_bootstrap_webhook.yaml - target: - kind: CustomResourceDefinition - labelSelector: cluster.x-k8s.io/provider=bootstrap-kubeadm - - path: crd_controlplane_webhook.yaml - target: - kind: CustomResourceDefinition - labelSelector: cluster.x-k8s.io/provider=control-plane-kubeadm - - # as we have PSS and kyverno in place we drop the `seccompProfile` - - target: - kind: Deployment - name: capi-controller-manager|capi-kubeadm-bootstrap-controller-manager|capi-kubeadm-control-plane-controller-manager - patch: |- - - op: remove - path: /spec/template/spec/securityContext/seccompProfile - - # Upstream defaults to `Always` but since we use images that are not changing (`vX.Y.Z` or commit SHA), we prefer `IfNotPresent` - - target: - kind: Deployment - name: capi-controller-manager|capi-kubeadm-bootstrap-controller-manager|capi-kubeadm-control-plane-controller-manager - patch: |- - - op: replace - path: /spec/template/spec/containers/0/imagePullPolicy - value: IfNotPresent - - # We have our `Issuer` manifests already deployed to clusters - - patch: |- - $patch: delete - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - name: capi-selfsigned-issuer - namespace: capi-system - - patch: |- - $patch: delete - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - name: capi-kubeadm-bootstrap-selfsigned-issuer - 
namespace: capi-kubeadm-bootstrap-system - - patch: |- - $patch: delete - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - name: capi-kubeadm-control-plane-selfsigned-issuer - namespace: capi-kubeadm-control-plane-system - - # We are not using leader election in our current release, since we are - # only deploying a single webhook pod. - - patch: |- - $patch: delete - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: capi-leader-election-role - namespace: capi-system - - patch: |- - $patch: delete - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: capi-leader-election-rolebinding - namespace: capi-system - - patch: |- - $patch: delete - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: capi-kubeadm-bootstrap-leader-election-role - namespace: capi-kubeadm-bootstrap-system - - patch: |- - $patch: delete - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: capi-kubeadm-bootstrap-leader-election-rolebinding - namespace: capi-kubeadm-bootstrap-system - - patch: |- - $patch: delete - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: capi-kubeadm-control-plane-leader-election-role - namespace: capi-kubeadm-control-plane-system - - patch: |- - $patch: delete - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: capi-kubeadm-control-plane-leader-election-rolebinding - namespace: capi-kubeadm-control-plane-system - - # deployment args - # - # we make us of a few feature-gates, want to define the image by our own - # and also need the watch-filter argument (for vintage clusters) - - path: deployment-args-controller-manager.yaml - - path: deployment-args-kubeadm-bootstrap-controller-manager.yaml - - path: deployment-args-kubeadm-control-plane-controller-manager.yaml - - # app labels - # - # we try to follow https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ - # and add the 
label=app.kubernetes.io/component - - path: deployment-labels-controller-manager.yaml - - path: deployment-labels-kubeadm-bootstrap-controller-manager.yaml - - path: deployment-labels-kubeadm-control-plane-controller-manager.yaml - - # metrics port - # - # to make the scraping of kubebuilder generated metrics possible - # we expose the metrics port - - path: deployment-metrics-port-controller-manager.yaml - - path: deployment-metrics-port-kubeadm-bootstrap-controller-manager.yaml - - path: deployment-metrics-port-kubeadm-control-plane-controller-manager.yaml - - # delete namespace - # - # as we deploy everything in namspace/giantswarm we don't need the namespace objects from upstream CAPI - - path: delete-capi-system-ns.yaml - - path: delete-capi-kubeadm-control-plane-system-ns.yaml - - path: delete-capi-kubeadm-bootstrap-system-ns.yaml - - # watchfilter - # - # needed for vintage only as we make use of the watchfilter feature there. - - path: webhook-mutating-capi-kubeadm-bootstrap-mutating-webhook-configuration-watchfilter.yaml - - path: webhook-mutating-capi-kubeadm-control-plane-mutating-webhook-configuration-watchfilter.yaml - - path: webhook-mutating-capi-mutating-webhook-configuration-watchfilter.yaml - - path: webhook-validating-capi-kubeadm-bootstrap-validating-webhook-configuration-watchfilter.yaml - - path: webhook-validating-capi-kubeadm-control-plane-validating-webhook-configuration-watchfilter.yaml - - path: webhook-validating-capi-validating-webhook-configuration-watchfilter.yaml - - # webhook certificate configuration - # - # as everything got deployed in namespace/giantswarm we also have to update the cert-manager.io/inject-ca-from annotation to not - # use the upstream namespace - - path: webhook-mutating-certificate-kubeadm-bootstrap.yaml - - path: webhook-mutating-certificate-kubeadm-control-plane.yaml - - path: webhook-mutating-certificate.yaml - - path: webhook-validating-certificate-kubeadm-bootstrap.yaml - - path: 
webhook-validating-certificate-kubeadm-control-plane.yaml - - path: webhook-validating-certificate.yaml - - # metrics port - # - # to make the scraping of kubebuilder generated metrics via the service possible - # we add the metrics port to the service - - path: service-add-metrics-port-kubeadm-bootstrap.yaml - - path: service-add-metrics-port-kubeadm-control-plane.yaml - - path: service-add-metrics-port.yaml - - # certificates - # - # the target namespace has to be present in the certificate - # we use `ClusterIssuer/selfsigned-giantswarm` as certificate issuer - # - defined in cert-manager-app: https://github.com/giantswarm/cert-manager-app/blob/8adabf2af43ce3c6c19f94d0bba5e4064fc90a45/helm/cert-manager-app/charts/cert-manager-giantswarm-clusterissuer/templates/_helpers.tpl#L55-L62 - # - used in https://github.com/giantswarm/mc-bootstrap/blob/8bbd507d9d0feba1bac4406d71332ac8ff04c05d/scripts/deploy-cert-manager-app.sh#L95 - - path: certificate-kubeadm-bootstrap.yaml - - path: certificate-kubeadm-control-plane.yaml - - path: certificate.yaml +# CRDs +- path: patches/crds/core.yaml + target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + labelSelector: cluster.x-k8s.io/provider=cluster-api +- path: patches/crds/bootstrap.yaml + target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + labelSelector: cluster.x-k8s.io/provider=bootstrap-kubeadm +- path: patches/crds/controlplane.yaml + target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + labelSelector: cluster.x-k8s.io/provider=control-plane-kubeadm + +# Namespaces +- path: patches/namespaces/capi-system.yaml +- path: patches/namespaces/capi-kubeadm-bootstrap-system.yaml +- path: patches/namespaces/capi-kubeadm-control-plane-system.yaml + +# Roles +- path: patches/roles/capi-leader-election-role.yaml +- path: patches/roles/capi-kubeadm-bootstrap-leader-election-role.yaml +- path: 
patches/roles/capi-kubeadm-control-plane-leader-election-role.yaml + +# Role bindings +- path: patches/rolebindings/capi-leader-election-rolebinding.yaml +- path: patches/rolebindings/capi-kubeadm-bootstrap-leader-election-rolebinding.yaml +- path: patches/rolebindings/capi-kubeadm-control-plane-leader-election-rolebinding.yaml + +# Issuers +- path: patches/issuers/capi-selfsigned-issuer.yaml +- path: patches/issuers/capi-kubeadm-bootstrap-selfsigned-issuer.yaml +- path: patches/issuers/capi-kubeadm-control-plane-selfsigned-issuer.yaml + +# Certificates +- path: patches/certificates/capi-serving-cert.yaml +- path: patches/certificates/capi-kubeadm-bootstrap-serving-cert.yaml +- path: patches/certificates/capi-kubeadm-control-plane-serving-cert.yaml + +# Deployments +- path: patches/deployments/capi-controller-manager.yaml +- path: patches/deployments/capi-kubeadm-bootstrap-controller-manager.yaml +- path: patches/deployments/capi-kubeadm-control-plane-controller-manager.yaml + +# Services +- path: patches/services/capi-webhook-service.yaml +- path: patches/services/capi-kubeadm-bootstrap-webhook-service.yaml +- path: patches/services/capi-kubeadm-control-plane-webhook-service.yaml + +# Mutating webhooks +- path: patches/mutatingwebhooks/capi-mutating-webhook-configuration.yaml +- path: patches/mutatingwebhooks/capi-kubeadm-bootstrap-mutating-webhook-configuration.yaml +- path: patches/mutatingwebhooks/capi-kubeadm-control-plane-mutating-webhook-configuration.yaml + +# Validating webhooks +- path: patches/validatingwebhooks/capi-validating-webhook-configuration.yaml +- path: patches/validatingwebhooks/capi-kubeadm-bootstrap-validating-webhook-configuration.yaml +- path: patches/validatingwebhooks/capi-kubeadm-control-plane-validating-webhook-configuration.yaml diff --git a/config/helm/monitoring-annotations.yaml b/config/helm/monitoring-annotations.yaml deleted file mode 100644 index e61b5bad..00000000 --- a/config/helm/monitoring-annotations.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -apiVersion: builtin -kind: LabelTransformer -metadata: - name: monitoring-annotations -annotations: - prometheus.io/scrape: "true" - giantswarm.io/monitoring: "true" - giantswarm.io/monitoring-port: "8080" -fieldSpecs: - - path: metadata/labels - create: true - kind: Service diff --git a/config/helm/certificate-kubeadm-bootstrap.yaml b/config/helm/patches/certificates/capi-kubeadm-bootstrap-serving-cert.yaml similarity index 87% rename from config/helm/certificate-kubeadm-bootstrap.yaml rename to config/helm/patches/certificates/capi-kubeadm-bootstrap-serving-cert.yaml index f406b96e..c1595631 100644 --- a/config/helm/certificate-kubeadm-bootstrap.yaml +++ b/config/helm/patches/certificates/capi-kubeadm-bootstrap-serving-cert.yaml @@ -11,4 +11,3 @@ spec: group: cert-manager.io kind: ClusterIssuer name: selfsigned-giantswarm - secretName: capi-kubeadm-bootstrap-webhook-service-cert diff --git a/config/helm/certificate-kubeadm-control-plane.yaml b/config/helm/patches/certificates/capi-kubeadm-control-plane-serving-cert.yaml similarity index 87% rename from config/helm/certificate-kubeadm-control-plane.yaml rename to config/helm/patches/certificates/capi-kubeadm-control-plane-serving-cert.yaml index fe27d09f..67a24f79 100644 --- a/config/helm/certificate-kubeadm-control-plane.yaml +++ b/config/helm/patches/certificates/capi-kubeadm-control-plane-serving-cert.yaml @@ -11,4 +11,3 @@ spec: group: cert-manager.io kind: ClusterIssuer name: selfsigned-giantswarm - secretName: capi-kubeadm-control-plane-webhook-service-cert diff --git a/config/helm/certificate.yaml b/config/helm/patches/certificates/capi-serving-cert.yaml similarity index 89% rename from config/helm/certificate.yaml rename to config/helm/patches/certificates/capi-serving-cert.yaml index 891754b3..c97f0bae 100644 --- a/config/helm/certificate.yaml +++ b/config/helm/patches/certificates/capi-serving-cert.yaml 
@@ -11,4 +11,3 @@ spec: group: cert-manager.io kind: ClusterIssuer name: selfsigned-giantswarm - secretName: capi-webhook-service-cert diff --git a/config/helm/patches/crds/bootstrap.yaml b/config/helm/patches/crds/bootstrap.yaml new file mode 100644 index 00000000..ce7ee216 --- /dev/null +++ b/config/helm/patches/crds/bootstrap.yaml @@ -0,0 +1,23 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bootstrap + labels: + clusterctl.cluster.x-k8s.io: "" + clusterctl.cluster.x-k8s.io/move: "" + annotations: + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/capi-kubeadm-bootstrap-serving-cert" +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + - v1beta1 + clientConfig: + caBundle: Cg== + service: + name: capi-kubeadm-bootstrap-webhook-service + namespace: "{{ .Release.Namespace }}" + port: 443 + path: /convert diff --git a/config/helm/patches/crds/controlplane.yaml b/config/helm/patches/crds/controlplane.yaml new file mode 100644 index 00000000..3184f2fa --- /dev/null +++ b/config/helm/patches/crds/controlplane.yaml @@ -0,0 +1,23 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: controlplane + labels: + clusterctl.cluster.x-k8s.io: "" + clusterctl.cluster.x-k8s.io/move: "" + annotations: + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/capi-kubeadm-control-plane-serving-cert" +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + - v1beta1 + clientConfig: + caBundle: Cg== + service: + name: capi-kubeadm-control-plane-webhook-service + namespace: "{{ .Release.Namespace }}" + port: 443 + path: /convert diff --git a/config/helm/patches/crds/core.yaml b/config/helm/patches/crds/core.yaml new file mode 100644 index 00000000..285965e9 --- /dev/null +++ b/config/helm/patches/crds/core.yaml 
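Review bot: The new CRD patch leaves `caBundle: Cg==` and `metadata.name: bootstrap` unexplained, and both look like placeholders: the real CRDs are selected by the `labelSelector` in the kustomization, and the bundle is presumably overwritten by cert-manager's CA injector from the `cert-manager.io/inject-ca-from` annotation, but nothing in the file says so. A maintainer editing `conversion.webhook` could take `Cg==` (a base64 newline) for a real bundle or "fix" the dummy name. Suggest a header comment such as `# Applied to every CRD labelled cluster.x-k8s.io/provider=bootstrap-kubeadm (see kustomization.yaml); metadata.name is a placeholder and caBundle is replaced by cert-manager cainjector via the inject-ca-from annotation.`, with the matching wording in `patches/crds/controlplane.yaml` and `patches/crds/core.yaml`. Until injection happens the API server cannot verify the conversion endpoint, so a running cainjector is a prerequisite worth recording.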
@@ -0,0 +1,23 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: core + labels: + clusterctl.cluster.x-k8s.io: "" + clusterctl.cluster.x-k8s.io/move: "" + annotations: + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/capi-serving-cert" +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + - v1beta1 + clientConfig: + caBundle: Cg== + service: + name: capi-webhook-service + namespace: "{{ .Release.Namespace }}" + port: 443 + path: /convert diff --git a/config/helm/patches/deployments/capi-controller-manager.yaml b/config/helm/patches/deployments/capi-controller-manager.yaml new file mode 100644 index 00000000..28c63e63 --- /dev/null +++ b/config/helm/patches/deployments/capi-controller-manager.yaml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: capi-controller-manager + namespace: capi-system + labels: + app.kubernetes.io/component: cluster-api +spec: + template: + spec: + securityContext: + seccompProfile: + $patch: delete + containers: + - name: manager + args: + - --metrics-bind-addr=0.0.0.0:8080 + - --feature-gates=MachinePool=true,ClusterResourceSet=true,ClusterTopology=true + - --watch-filter={{ .Values.watchFilter }} + - --v=0 + ports: + - name: metrics + protocol: TCP + containerPort: 8080 diff --git a/config/helm/patches/deployments/capi-kubeadm-bootstrap-controller-manager.yaml b/config/helm/patches/deployments/capi-kubeadm-bootstrap-controller-manager.yaml new file mode 100644 index 00000000..c26d2392 --- /dev/null +++ b/config/helm/patches/deployments/capi-kubeadm-bootstrap-controller-manager.yaml 
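Review bot: The `seccompProfile: $patch: delete` under `securityContext` removes the pod-level seccomp profile from the upstream Deployment without the rationale the old kustomization comment carried ("as we have PSS and kyverno in place we drop the seccompProfile"), so a reader of this file alone sees a hardening regression. Suggest restoring it above `securityContext`, e.g. `# seccompProfile is dropped because PSS/Kyverno policies enforce the profile cluster-wide; put it back if that no longer holds.`. `--metrics-bind-addr=0.0.0.0:8080` likewise binds the metrics endpoint on all pod interfaces so the Service port is reachable, which a one-line comment should record as deliberate. If I recall strategic-merge semantics for `args` correctly the list is replaced wholesale, so upstream flags not repeated here (such as `--leader-elect`) are dropped — consistent with the leader-election Role/RoleBinding delete patches, but worth a comment. The same applies to `patches/deployments/capi-kubeadm-bootstrap-controller-manager.yaml` and `capi-kubeadm-control-plane-controller-manager.yaml`.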
@@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: capi-kubeadm-bootstrap-controller-manager + namespace: capi-kubeadm-bootstrap-system + labels: + app.kubernetes.io/component: bootstrap-kubeadm +spec: + template: + spec: + securityContext: + seccompProfile: + $patch: delete + containers: + - name: manager + args: + - --metrics-bind-addr=0.0.0.0:8080 + - --feature-gates=MachinePool=true,KubeadmBootstrapFormatIgnition=true + - --watch-filter={{ .Values.watchFilter }} + - --v=0 + ports: + - name: metrics + protocol: TCP + containerPort: 8080 diff --git a/config/helm/patches/deployments/capi-kubeadm-control-plane-controller-manager.yaml b/config/helm/patches/deployments/capi-kubeadm-control-plane-controller-manager.yaml new file mode 100644 index 00000000..3ffcaaae --- /dev/null +++ b/config/helm/patches/deployments/capi-kubeadm-control-plane-controller-manager.yaml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: capi-kubeadm-control-plane-controller-manager + namespace: capi-kubeadm-control-plane-system + labels: + app.kubernetes.io/component: control-plane-kubeadm +spec: + template: + spec: + securityContext: + seccompProfile: + $patch: delete + containers: + - name: manager + args: + - --metrics-bind-addr=0.0.0.0:8080 + - --feature-gates=ClusterTopology=true,KubeadmBootstrapFormatIgnition=true + - --watch-filter={{ .Values.watchFilter }} + - --v=0 + ports: + - name: metrics + protocol: TCP + containerPort: 8080 diff --git a/config/helm/patches/issuers/capi-kubeadm-bootstrap-selfsigned-issuer.yaml b/config/helm/patches/issuers/capi-kubeadm-bootstrap-selfsigned-issuer.yaml new file mode 100644 index 00000000..de5fb305 --- /dev/null +++ b/config/helm/patches/issuers/capi-kubeadm-bootstrap-selfsigned-issuer.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: capi-kubeadm-bootstrap-selfsigned-issuer + namespace: capi-kubeadm-bootstrap-system 
diff --git a/config/helm/patches/issuers/capi-kubeadm-control-plane-selfsigned-issuer.yaml b/config/helm/patches/issuers/capi-kubeadm-control-plane-selfsigned-issuer.yaml new file mode 100644 index 00000000..bb7109aa --- /dev/null +++ b/config/helm/patches/issuers/capi-kubeadm-control-plane-selfsigned-issuer.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: capi-kubeadm-control-plane-selfsigned-issuer + namespace: capi-kubeadm-control-plane-system diff --git a/config/helm/patches/issuers/capi-selfsigned-issuer.yaml b/config/helm/patches/issuers/capi-selfsigned-issuer.yaml new file mode 100644 index 00000000..c168dbc5 --- /dev/null +++ b/config/helm/patches/issuers/capi-selfsigned-issuer.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: capi-selfsigned-issuer + namespace: capi-system diff --git a/config/helm/webhook-mutating-certificate-kubeadm-bootstrap.yaml b/config/helm/patches/mutatingwebhooks/capi-kubeadm-bootstrap-mutating-webhook-configuration.yaml similarity index 62% rename from config/helm/webhook-mutating-certificate-kubeadm-bootstrap.yaml rename to config/helm/patches/mutatingwebhooks/capi-kubeadm-bootstrap-mutating-webhook-configuration.yaml index 5c4f4dfd..970b77ea 100644 --- a/config/helm/webhook-mutating-certificate-kubeadm-bootstrap.yaml +++ b/config/helm/patches/mutatingwebhooks/capi-kubeadm-bootstrap-mutating-webhook-configuration.yaml @@ -3,4 +3,4 @@ kind: MutatingWebhookConfiguration metadata: name: capi-kubeadm-bootstrap-mutating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-kubeadm-bootstrap-serving-cert' + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/capi-kubeadm-bootstrap-serving-cert" 
diff --git a/config/helm/webhook-mutating-certificate-kubeadm-control-plane.yaml b/config/helm/patches/mutatingwebhooks/capi-kubeadm-control-plane-mutating-webhook-configuration.yaml similarity index 62% rename from config/helm/webhook-mutating-certificate-kubeadm-control-plane.yaml rename to config/helm/patches/mutatingwebhooks/capi-kubeadm-control-plane-mutating-webhook-configuration.yaml index 896f1d25..7ce6fa64 100644 --- a/config/helm/webhook-mutating-certificate-kubeadm-control-plane.yaml +++ b/config/helm/patches/mutatingwebhooks/capi-kubeadm-control-plane-mutating-webhook-configuration.yaml @@ -3,4 +3,4 @@ kind: MutatingWebhookConfiguration metadata: name: capi-kubeadm-control-plane-mutating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-kubeadm-control-plane-serving-cert' + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/capi-kubeadm-control-plane-serving-cert" diff --git a/config/helm/webhook-mutating-certificate.yaml b/config/helm/patches/mutatingwebhooks/capi-mutating-webhook-configuration.yaml similarity index 64% rename from config/helm/webhook-mutating-certificate.yaml rename to config/helm/patches/mutatingwebhooks/capi-mutating-webhook-configuration.yaml index cb25143b..31f2db6b 100644 --- a/config/helm/webhook-mutating-certificate.yaml +++ b/config/helm/patches/mutatingwebhooks/capi-mutating-webhook-configuration.yaml @@ -3,4 +3,4 @@ kind: MutatingWebhookConfiguration metadata: name: capi-mutating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-serving-cert' + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/capi-serving-cert" diff --git a/config/helm/patches/mutatingwebhooks/zzz-prefix.yaml b/config/helm/patches/mutatingwebhooks/zzz-prefix.yaml new file mode 100644 index 00000000..8479c81b --- /dev/null +++ b/config/helm/patches/mutatingwebhooks/zzz-prefix.yaml 
@@ -0,0 +1,11 @@ +# https://intranet.giantswarm.io/docs/product/architecture-specs-adrs/adr/017_webhook-ordering +apiVersion: builtin +kind: PrefixSuffixTransformer +metadata: + name: zzz-prefix +prefix: zzz- +fieldSpecs: +- group: admissionregistration.k8s.io + version: v1 + kind: MutatingWebhookConfiguration + path: metadata/name diff --git a/config/helm/delete-capi-kubeadm-bootstrap-system-ns.yaml b/config/helm/patches/namespaces/capi-kubeadm-bootstrap-system.yaml similarity index 100% rename from config/helm/delete-capi-kubeadm-bootstrap-system-ns.yaml rename to config/helm/patches/namespaces/capi-kubeadm-bootstrap-system.yaml diff --git a/config/helm/delete-capi-kubeadm-control-plane-system-ns.yaml b/config/helm/patches/namespaces/capi-kubeadm-control-plane-system.yaml similarity index 100% rename from config/helm/delete-capi-kubeadm-control-plane-system-ns.yaml rename to config/helm/patches/namespaces/capi-kubeadm-control-plane-system.yaml diff --git a/config/helm/delete-capi-system-ns.yaml b/config/helm/patches/namespaces/capi-system.yaml similarity index 100% rename from config/helm/delete-capi-system-ns.yaml rename to config/helm/patches/namespaces/capi-system.yaml diff --git a/config/helm/patches/rolebindings/capi-kubeadm-bootstrap-leader-election-rolebinding.yaml b/config/helm/patches/rolebindings/capi-kubeadm-bootstrap-leader-election-rolebinding.yaml new file mode 100644 index 00000000..1f87f239 --- /dev/null +++ b/config/helm/patches/rolebindings/capi-kubeadm-bootstrap-leader-election-rolebinding.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: capi-kubeadm-bootstrap-leader-election-rolebinding + namespace: capi-kubeadm-bootstrap-system diff --git a/config/helm/patches/rolebindings/capi-kubeadm-control-plane-leader-election-rolebinding.yaml b/config/helm/patches/rolebindings/capi-kubeadm-control-plane-leader-election-rolebinding.yaml new file mode 100644 index 00000000..00e10220 
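Review bot: The only explanation for renaming every MutatingWebhookConfiguration with a `zzz-` prefix is an intranet link that readers of this public repository cannot open, and the transformer now also pins `group`/`version`, which the replaced `webhook-prefix.yaml` did not. Suggest a second comment line summarising the intent, e.g. `# Prefix our mutating webhook configurations so they sort after other mutating webhooks (the API server orders them by name); details in ADR 017 above.`, adjusted to what the ADR actually says. The patches under `patches/mutatingwebhooks/` target the unprefixed names (`capi-mutating-webhook-configuration` etc.), so they rely on this transformer running after those patches; if it is wired in via the kustomization's `transformers` field that is presumably the case, but a comment confirming the ordering would save the next person a surprise.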
--- /dev/null +++ b/config/helm/patches/rolebindings/capi-kubeadm-control-plane-leader-election-rolebinding.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: capi-kubeadm-control-plane-leader-election-rolebinding + namespace: capi-kubeadm-control-plane-system diff --git a/config/helm/patches/rolebindings/capi-leader-election-rolebinding.yaml b/config/helm/patches/rolebindings/capi-leader-election-rolebinding.yaml new file mode 100644 index 00000000..96b86e0d --- /dev/null +++ b/config/helm/patches/rolebindings/capi-leader-election-rolebinding.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: capi-leader-election-rolebinding + namespace: capi-system diff --git a/config/helm/patches/roles/capi-kubeadm-bootstrap-leader-election-role.yaml b/config/helm/patches/roles/capi-kubeadm-bootstrap-leader-election-role.yaml new file mode 100644 index 00000000..38db3ce3 --- /dev/null +++ b/config/helm/patches/roles/capi-kubeadm-bootstrap-leader-election-role.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: capi-kubeadm-bootstrap-leader-election-role + namespace: capi-kubeadm-bootstrap-system diff --git a/config/helm/patches/roles/capi-kubeadm-control-plane-leader-election-role.yaml b/config/helm/patches/roles/capi-kubeadm-control-plane-leader-election-role.yaml new file mode 100644 index 00000000..ef84e310 --- /dev/null +++ b/config/helm/patches/roles/capi-kubeadm-control-plane-leader-election-role.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: capi-kubeadm-control-plane-leader-election-role + namespace: capi-kubeadm-control-plane-system diff --git a/config/helm/patches/roles/capi-leader-election-role.yaml b/config/helm/patches/roles/capi-leader-election-role.yaml new file mode 100644 index 00000000..7c942df1 --- /dev/null 
+++ b/config/helm/patches/roles/capi-leader-election-role.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: capi-leader-election-role + namespace: capi-system diff --git a/config/helm/service-add-metrics-port-kubeadm-bootstrap.yaml b/config/helm/patches/services/capi-kubeadm-bootstrap-webhook-service.yaml similarity index 50% rename from config/helm/service-add-metrics-port-kubeadm-bootstrap.yaml rename to config/helm/patches/services/capi-kubeadm-bootstrap-webhook-service.yaml index 1ec02c6f..ad370874 100644 --- a/config/helm/service-add-metrics-port-kubeadm-bootstrap.yaml +++ b/config/helm/patches/services/capi-kubeadm-bootstrap-webhook-service.yaml @@ -1,13 +1,13 @@ apiVersion: v1 kind: Service metadata: - namespace: capi-kubeadm-bootstrap-system name: capi-kubeadm-bootstrap-webhook-service + namespace: capi-kubeadm-bootstrap-system spec: ports: - - name: metrics - port: 8080 - targetPort: metrics - - name: webhook-server - port: 443 - targetPort: webhook-server + - name: webhook-server + port: 443 + targetPort: webhook-server + - name: metrics + port: 8080 + targetPort: metrics diff --git a/config/helm/service-add-metrics-port-kubeadm-control-plane.yaml b/config/helm/patches/services/capi-kubeadm-control-plane-webhook-service.yaml similarity index 52% rename from config/helm/service-add-metrics-port-kubeadm-control-plane.yaml rename to config/helm/patches/services/capi-kubeadm-control-plane-webhook-service.yaml index ff835d99..99460bbe 100644 --- a/config/helm/service-add-metrics-port-kubeadm-control-plane.yaml +++ b/config/helm/patches/services/capi-kubeadm-control-plane-webhook-service.yaml 
@@ -1,13 +1,13 @@ apiVersion: v1 kind: Service metadata: - namespace: capi-kubeadm-control-plane-system name: capi-kubeadm-control-plane-webhook-service + namespace: capi-kubeadm-control-plane-system spec: ports: - - name: metrics - port: 8080 - targetPort: metrics - - name: webhook-server - port: 443 - targetPort: webhook-server + - name: webhook-server + port: 443 + targetPort: webhook-server + - name: metrics + port: 8080 + targetPort: metrics diff --git a/config/helm/patches/services/capi-webhook-service.yaml b/config/helm/patches/services/capi-webhook-service.yaml new file mode 100644 index 00000000..d863ffdb --- /dev/null +++ b/config/helm/patches/services/capi-webhook-service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: capi-webhook-service + namespace: capi-system +spec: + ports: + - name: webhook-server + port: 443 + targetPort: webhook-server + - name: metrics + port: 8080 + targetPort: metrics diff --git a/config/helm/webhook-validating-certificate-kubeadm-bootstrap.yaml b/config/helm/patches/validatingwebhooks/capi-kubeadm-bootstrap-validating-webhook-configuration.yaml similarity index 63% rename from config/helm/webhook-validating-certificate-kubeadm-bootstrap.yaml rename to config/helm/patches/validatingwebhooks/capi-kubeadm-bootstrap-validating-webhook-configuration.yaml index 5e5bde0e..75481d1e 100644 --- a/config/helm/webhook-validating-certificate-kubeadm-bootstrap.yaml +++ b/config/helm/patches/validatingwebhooks/capi-kubeadm-bootstrap-validating-webhook-configuration.yaml @@ -3,4 +3,4 @@ kind: ValidatingWebhookConfiguration metadata: name: capi-kubeadm-bootstrap-validating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-kubeadm-bootstrap-serving-cert' + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/capi-kubeadm-bootstrap-serving-cert" 
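Review bot: With `config/helm/monitoring-annotations.yaml` deleted in this commit, nothing visible re-adds the `prometheus.io/scrape`, `giantswarm.io/monitoring` and `giantswarm.io/monitoring-port` labels that its LabelTransformer put on every Service, and this new `capi-webhook-service.yaml` patch only declares the `metrics` port. Unless those labels are applied somewhere outside this diff, the metrics port is exposed but no longer advertised for scraping. If dropping them is intentional, a comment above `ports` saying where monitoring discovery is configured now would make that clear; the same applies to the bootstrap and control-plane webhook service patches.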
diff --git a/config/helm/webhook-validating-certificate-kubeadm-control-plane.yaml b/config/helm/patches/validatingwebhooks/capi-kubeadm-control-plane-validating-webhook-configuration.yaml similarity index 62% rename from config/helm/webhook-validating-certificate-kubeadm-control-plane.yaml rename to config/helm/patches/validatingwebhooks/capi-kubeadm-control-plane-validating-webhook-configuration.yaml index da43471f..a7423a9b 100644 --- a/config/helm/webhook-validating-certificate-kubeadm-control-plane.yaml +++ b/config/helm/patches/validatingwebhooks/capi-kubeadm-control-plane-validating-webhook-configuration.yaml @@ -3,4 +3,4 @@ kind: ValidatingWebhookConfiguration metadata: name: capi-kubeadm-control-plane-validating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-kubeadm-control-plane-serving-cert' + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/capi-kubeadm-control-plane-serving-cert" diff --git a/config/helm/webhook-validating-certificate.yaml b/config/helm/patches/validatingwebhooks/capi-validating-webhook-configuration.yaml similarity index 65% rename from config/helm/webhook-validating-certificate.yaml rename to config/helm/patches/validatingwebhooks/capi-validating-webhook-configuration.yaml index e5339660..e941a9b9 100644 --- a/config/helm/webhook-validating-certificate.yaml +++ b/config/helm/patches/validatingwebhooks/capi-validating-webhook-configuration.yaml @@ -3,4 +3,4 @@ kind: ValidatingWebhookConfiguration metadata: name: capi-validating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-serving-cert' + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/capi-serving-cert" diff --git a/config/helm/service-add-metrics-port.yaml b/config/helm/service-add-metrics-port.yaml deleted file mode 100644 index c8991bb7..00000000 --- a/config/helm/service-add-metrics-port.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - namespace: capi-system - name: capi-webhook-service -spec: - ports: - - name: metrics - port: 8080 - targetPort: metrics - - name: webhook-server - port: 443 - targetPort: webhook-server diff --git a/config/helm/watchfilter-patch-configmap.yaml b/config/helm/watchfilter-patch-configmap.yaml deleted file mode 100644 index 854483b6..00000000 --- a/config/helm/watchfilter-patch-configmap.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: watchfilter-patch - namespace: watchfilter-patch-ns-not-exist -data: - watch-filter: "{{ .Values.watchFilter }}" diff --git a/config/helm/webhook-mutating-capi-kubeadm-bootstrap-mutating-webhook-configuration-watchfilter.yaml b/config/helm/webhook-mutating-capi-kubeadm-bootstrap-mutating-webhook-configuration-watchfilter.yaml deleted file mode 100644 index cd0e3be3..00000000 --- a/config/helm/webhook-mutating-capi-kubeadm-bootstrap-mutating-webhook-configuration-watchfilter.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# Generated by 'generate-kustomize-patches.sh'. Do not edit. -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: capi-kubeadm-bootstrap-mutating-webhook-configuration -webhooks: - - name: default.kubeadmconfig.bootstrap.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: default.kubeadmconfigtemplate.bootstrap.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' diff --git a/config/helm/webhook-mutating-capi-kubeadm-control-plane-mutating-webhook-configuration-watchfilter.yaml b/config/helm/webhook-mutating-capi-kubeadm-control-plane-mutating-webhook-configuration-watchfilter.yaml deleted file mode 100644 index 6c1131ef..00000000 --- a/config/helm/webhook-mutating-capi-kubeadm-control-plane-mutating-webhook-configuration-watchfilter.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -# Generated by 'generate-kustomize-patches.sh'. Do not edit. -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: capi-kubeadm-control-plane-mutating-webhook-configuration -webhooks: - - name: default.kubeadmcontrolplane.controlplane.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: default.kubeadmcontrolplanetemplate.controlplane.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' diff --git a/config/helm/webhook-mutating-capi-mutating-webhook-configuration-watchfilter.yaml b/config/helm/webhook-mutating-capi-mutating-webhook-configuration-watchfilter.yaml deleted file mode 100644 index 7ce55060..00000000 --- a/config/helm/webhook-mutating-capi-mutating-webhook-configuration-watchfilter.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -# Generated by 'generate-kustomize-patches.sh'. Do not edit. -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: capi-mutating-webhook-configuration -webhooks: - - name: default.machine.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: default.machinedeployment.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: default.machinehealthcheck.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: default.machineset.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: default.cluster.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: default.clusterclass.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: default.extensionconfig.runtime.addons.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: default.machinepool.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: default.clusterresourceset.addons.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' diff --git a/config/helm/webhook-prefix.yaml b/config/helm/webhook-prefix.yaml deleted file mode 100644 index b96198e5..00000000 --- a/config/helm/webhook-prefix.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: builtin -kind: PrefixSuffixTransformer -metadata: - name: webhook-prefix -prefix: "zzz-" -fieldSpecs: - - kind: MutatingWebhookConfiguration - path: metadata/name 
diff --git a/config/helm/webhook-validating-capi-kubeadm-bootstrap-validating-webhook-configuration-watchfilter.yaml b/config/helm/webhook-validating-capi-kubeadm-bootstrap-validating-webhook-configuration-watchfilter.yaml deleted file mode 100644 index 1c3f1024..00000000 --- a/config/helm/webhook-validating-capi-kubeadm-bootstrap-validating-webhook-configuration-watchfilter.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# Generated by 'generate-kustomize-patches.sh'. Do not edit. -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: capi-kubeadm-bootstrap-validating-webhook-configuration -webhooks: - - name: validation.kubeadmconfig.bootstrap.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.kubeadmconfigtemplate.bootstrap.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' diff --git a/config/helm/webhook-validating-capi-kubeadm-control-plane-validating-webhook-configuration-watchfilter.yaml b/config/helm/webhook-validating-capi-kubeadm-control-plane-validating-webhook-configuration-watchfilter.yaml deleted file mode 100644 index 1cd6efa7..00000000 --- a/config/helm/webhook-validating-capi-kubeadm-control-plane-validating-webhook-configuration-watchfilter.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -# Generated by 'generate-kustomize-patches.sh'. Do not edit. -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: capi-kubeadm-control-plane-validating-webhook-configuration -webhooks: - - name: validation.kubeadmcontrolplane.controlplane.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.kubeadmcontrolplanetemplate.controlplane.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation-scale.kubeadmcontrolplane.controlplane.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' diff --git a/config/helm/webhook-validating-capi-validating-webhook-configuration-watchfilter.yaml b/config/helm/webhook-validating-capi-validating-webhook-configuration-watchfilter.yaml deleted file mode 100644 index a883ecb4..00000000 --- a/config/helm/webhook-validating-capi-validating-webhook-configuration-watchfilter.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -# Generated by 'generate-kustomize-patches.sh'. Do not edit. -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: capi-validating-webhook-configuration -webhooks: - - name: validation.machine.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.machinedeployment.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.machinehealthcheck.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.machineset.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.cluster.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.clusterclass.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.extensionconfig.runtime.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.machinepool.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.clusterresourceset.addons.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.clusterresourcesetbinding.addons.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.ipaddress.ipam.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}' - - name: validation.ipaddressclaim.ipam.cluster.x-k8s.io - objectSelector: - matchLabels: - cluster.x-k8s.io/watch-filter: '{{ 
.Values.watchFilter }}'
diff --git a/hack/fetch-manifest.sh b/hack/fetch-manifest.sh
index cc0f8c91..5fd270df 100755
--- a/hack/fetch-manifest.sh
+++ b/hack/fetch-manifest.sh
@@ -1,24 +1,16 @@
 #!/usr/bin/env bash
+# Exit on error.
+set -o errexit -o nounset -o pipefail
 
-# This script fetch upstream release `cluster-api-components.yaml` which is later used to apply
-# all kustomize patches
+#
+# Fetches upstream Cluster API components for Kustomization.
+#
 
-set -o errexit
-set -o nounset
-set -o pipefail
+# Get repository & version.
+repository="$(realpath "$(dirname "${0}")/..")"
+version="$(yq --exit-status ".images.tag" "${repository}/helm/cluster-api/values.yaml")"
 
-# Directories
-ROOT_DIR="./$(dirname "$0")/.."
-ROOT_DIR="$(realpath "$ROOT_DIR")"
-HELM_DIR="$ROOT_DIR/helm/cluster-api"
-KUSTOMIZE_INPUT_DIR="$ROOT_DIR/config/helm/input"
-
-# Download upstream manifests
-helm_values="$HELM_DIR/values.yaml"
-org="giantswarm"
-repo="cluster-api"
-version="$(yq e -e '.images.tag' "$helm_values")" || { >&2 echo "Could not find image tag value"; exit 1; }
-release_asset_filename="cluster-api-components.yaml"
-url="https://github.com/$org/$repo/releases/download/$version/${release_asset_filename}"
-mkdir -p "$KUSTOMIZE_INPUT_DIR"
-curl -fsSL "$url" -o "$KUSTOMIZE_INPUT_DIR/${release_asset_filename}" || { >&2 echo "Failed to get release manifest from $url"; exit 1; }
+# Fetch manifest.
+curl --silent --show-error --fail --location \
+ "https://github.com/giantswarm/cluster-api/releases/download/${version}/cluster-api-components.yaml" \
+ --output "${repository}/config/helm/bases/cluster-api-components.yaml"
diff --git a/helm/cluster-api/templates/apps_v1_deployment_capi-controller-manager.yaml b/helm/cluster-api/templates/apps_v1_deployment_capi-controller-manager.yaml
index 94b4fa20..f4fe94bb 100644
--- a/helm/cluster-api/templates/apps_v1_deployment_capi-controller-manager.yaml
+++ b/helm/cluster-api/templates/apps_v1_deployment_capi-controller-manager.yaml
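Review bot: The manifest fetched by the `curl` call at the end of the hack/fetch-manifest.sh hunk is written straight to `config/helm/bases/cluster-api-components.yaml` with no integrity check, so whatever the download returns becomes the base every kustomize patch is applied to; the old script had the same gap and this rewrite does not close it. I would download to a temporary file, verify its SHA-256 against a digest pinned in the repository next to the version in values.yaml (or against a checksum asset of the release, if one is published), and only then move it into place, which also keeps a partial transfer from landing at the final path. The `# Exit on error.` comment above `set -o errexit -o nounset -o pipefail` also understates what the line enables; `# Abort on errors, unset variables and failed pipeline stages.` is more accurate. The hunk covers the whole script, so nothing outside it is affected.
```shell
# … unchanged: shebang, set options, repository & version lookup …
manifest="${repository}/config/helm/bases/cluster-api-components.yaml"
tmp="$(mktemp)"
trap 'rm -f "${tmp}"' EXIT

# Fetch manifest into a temporary file first.
curl --silent --show-error --fail --location \
  "https://github.com/giantswarm/cluster-api/releases/download/${version}/cluster-api-components.yaml" \
  --output "${tmp}"

# Verify integrity before the file becomes the kustomize base.
# <EXPECTED_SHA256> is a placeholder for the digest pinned alongside the version.
echo "<EXPECTED_SHA256>  ${tmp}" | sha256sum --check --quiet
mv "${tmp}" "${manifest}"
```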
@@ -54,8 +54,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.uid - image: '{{.Values.images.domain}}/{{.Values.images.core.name}}:{{.Values.images.core.tag - | default .Values.images.tag}}' + image: '{{ .Values.images.domain }}/{{ .Values.images.core.name }}:{{ .Values.images.core.tag + | default .Values.images.tag }}' imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/helm/cluster-api/templates/apps_v1_deployment_capi-kubeadm-bootstrap-controller-manager.yaml b/helm/cluster-api/templates/apps_v1_deployment_capi-kubeadm-bootstrap-controller-manager.yaml index 7368636c..4b697bed 100644 --- a/helm/cluster-api/templates/apps_v1_deployment_capi-kubeadm-bootstrap-controller-manager.yaml +++ b/helm/cluster-api/templates/apps_v1_deployment_capi-kubeadm-bootstrap-controller-manager.yaml @@ -41,8 +41,8 @@ spec: - --v=0 command: - /manager - image: '{{.Values.images.domain}}/{{.Values.images.bootstrap.name}}:{{.Values.images.bootstrap.tag - | default .Values.images.tag}}' + image: '{{ .Values.images.domain }}/{{ .Values.images.bootstrap.name }}:{{ + .Values.images.bootstrap.tag | default .Values.images.tag }}' imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/helm/cluster-api/templates/apps_v1_deployment_capi-kubeadm-control-plane-controller-manager.yaml b/helm/cluster-api/templates/apps_v1_deployment_capi-kubeadm-control-plane-controller-manager.yaml index 8682622b..a433a218 100644 --- a/helm/cluster-api/templates/apps_v1_deployment_capi-kubeadm-control-plane-controller-manager.yaml +++ b/helm/cluster-api/templates/apps_v1_deployment_capi-kubeadm-control-plane-controller-manager.yaml 
@@ -54,8 +54,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.uid - image: '{{.Values.images.domain}}/{{.Values.images.controlplane.name}}:{{.Values.images.controlplane.tag - | default .Values.images.tag}}' + image: '{{ .Values.images.domain }}/{{ .Values.images.controlplane.name }}:{{ + .Values.images.controlplane.tag | default .Values.images.tag }}' imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/helm/cluster-api/templates/v1_service_capi-kubeadm-bootstrap-webhook-service.yaml b/helm/cluster-api/templates/v1_service_capi-kubeadm-bootstrap-webhook-service.yaml index ad18a06e..6925293d 100644 --- a/helm/cluster-api/templates/v1_service_capi-kubeadm-bootstrap-webhook-service.yaml +++ b/helm/cluster-api/templates/v1_service_capi-kubeadm-bootstrap-webhook-service.yaml @@ -14,11 +14,11 @@ metadata: namespace: '{{ .Release.Namespace }}' spec: ports: - - name: metrics - port: 8080 - targetPort: metrics - name: webhook-server port: 443 targetPort: webhook-server + - name: metrics + port: 8080 + targetPort: metrics selector: cluster.x-k8s.io/provider: bootstrap-kubeadm diff --git a/helm/cluster-api/templates/v1_service_capi-kubeadm-control-plane-webhook-service.yaml b/helm/cluster-api/templates/v1_service_capi-kubeadm-control-plane-webhook-service.yaml index 181cf66b..e0f3f304 100644 --- a/helm/cluster-api/templates/v1_service_capi-kubeadm-control-plane-webhook-service.yaml +++ b/helm/cluster-api/templates/v1_service_capi-kubeadm-control-plane-webhook-service.yaml @@ -14,11 +14,11 @@ metadata: namespace: '{{ .Release.Namespace }}' spec: ports: - - name: metrics - port: 8080 - targetPort: metrics - name: webhook-server port: 443 targetPort: webhook-server + - name: metrics + port: 8080 + targetPort: metrics selector: cluster.x-k8s.io/provider: control-plane-kubeadm diff --git a/helm/cluster-api/templates/v1_service_capi-webhook-service.yaml b/helm/cluster-api/templates/v1_service_capi-webhook-service.yaml index 0b251b81..3a8fcae2 100644 
--- a/helm/cluster-api/templates/v1_service_capi-webhook-service.yaml +++ b/helm/cluster-api/templates/v1_service_capi-webhook-service.yaml @@ -14,11 +14,11 @@ metadata: namespace: '{{ .Release.Namespace }}' spec: ports: - - name: metrics - port: 8080 - targetPort: metrics - name: webhook-server port: 443 targetPort: webhook-server + - name: metrics + port: 8080 + targetPort: metrics selector: cluster.x-k8s.io/provider: cluster-api