diff --git a/.gitignore b/.gitignore index d97ffc5..b9c60ac 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,6 @@ bin *.swp *.swo *~ + +# Release manifests +/release/infrastructure-components.yaml diff --git a/Makefile b/Makefile index 89ffdd5..f124a02 100644 --- a/Makefile +++ b/Makefile @@ -35,7 +35,9 @@ uninstall: manifests # Deploy controller in the configured Kubernetes cluster in ~/.kube/config deploy: manifests cd config/manager && kustomize edit set image controller=${IMG} - kustomize build config/default | kubectl apply -f - + kustomize build config | kubectl apply -f - + # TODO: use aggregation label when available + kubectl apply -f release/kubeadm-control-plane-rbac.yaml # Generate manifests e.g. CRD, RBAC etc. manifests: controller-gen @@ -57,6 +59,10 @@ test: generate fmt vet manifests e2e: docker-build go test -v ./e2e/... -coverprofile cover.out +release_manifests: + cd config/manager && kustomize edit set image controller=${IMG} + kustomize build config > release/infrastructure-components.yaml + # Generate code generate: controller-gen $(CONTROLLER_GEN) object:headerFile=./hack/boilerplate.go.txt paths="./..." diff --git a/README.md b/README.md index 140a438..e1ae145 100644 --- a/README.md +++ b/README.md 
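Review bot: The new `release_manifests` recipe redirects straight into `release/infrastructure-components.yaml`, so a failing `kustomize build` leaves an empty or truncated manifest that looks like a valid release artifact. Writing to a temporary name and renaming avoids this: `kustomize build config > release/infrastructure-components.yaml.tmp && mv -f release/infrastructure-components.yaml.tmp release/infrastructure-components.yaml`. The target is a command name rather than a file, so it should also be listed under `.PHONY` (no `.PHONY` line is visible in this hunk, so confirm whether one exists). `${IMG}` is passed unquoted and with no check that it is set; an empty value produces the argument `controller=`, so a guard such as `$(if $(strip $(IMG)),,$(error IMG is empty))` would make the failure explicit.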
@@ -46,147 +46,27 @@ kubectl apply -f hack/forward-ipencap.yaml ### Installation ```sh -# Install cert-manager -kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.13.1/cert-manager.yaml -kubectl wait --for=condition=Available deployment/cert-manager-webhook -n cert-manager --timeout=600s - -# Install cluster api manager -kubectl apply -f https://github.com/kubernetes-sigs/cluster-api/releases/download/v0.3.0/cluster-api-components.yaml - -# Install kubernetes infrastructure provider -kubectl apply -f https://github.com/dippynark/cluster-api-provider-kubernetes/releases/download/v0.3.0/infrastructure-components.yaml +# Add the Kubernetes infrastructure provider +mkdir -p $HOME/.cluster-api +cat > $HOME/.cluster-api/clusterctl.yaml </dev/null`" ] ; do @@ -195,7 +75,7 @@ done kubectl get secret example-kubeconfig -o jsonpath='{.data.value}' | base64 --decode > example-kubeconfig # Switch to example cluster -# If the cluster api endpoint is not reachable from your machine you can exec into the +# If the cluster api endpoint is not reachable from your machine you can exec into a # controller Node (Pod) and run `export KUBECONFIG=/etc/kubernetes/admin.conf` instead export KUBECONFIG=example-kubeconfig diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 4c74122..12d89b4 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -27,6 +27,5 @@ configurations: - kustomizeconfig.yaml commonLabels: - cluster.x-k8s.io/provider: infrastructure-kubernetes cluster.x-k8s.io/v1alpha2: v1alpha2 cluster.x-k8s.io/v1alpha3: v1alpha3 diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 7c99f9c..c5a8f0e 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -1,75 +1,8 @@ -# Adds namespace to all resources. namespace: capk-system -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. -namePrefix: capk- - -# Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue +resources: +- namespace.yaml bases: -- ../crd - ../rbac - ../manager -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml -- ../webhook -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -- ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. -#- ../prometheus - -patchesStrategicMerge: - # Protect the /metrics endpoint by putting it behind auth. - # Only one of manager_auth_proxy_patch.yaml and - # manager_prometheus_metrics_patch.yaml should be enabled. -- manager_auth_proxy_patch.yaml - # If you want your controller-manager to expose the /metrics - # endpoint w/o any authn/z, uncomment the following line and - # comment manager_auth_proxy_patch.yaml. - # Only one of manager_auth_proxy_patch.yaml and - # manager_prometheus_metrics_patch.yaml should be enabled. -#- manager_prometheus_metrics_patch.yaml - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml -- manager_webhook_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. 
-# 'CERTMANAGER' needs to be enabled to use ca injection -- mutatingwebhookcainjection_patch.yaml -#- validatingwebhookcainjection_patch.yaml - -# the following config is for teaching kustomize how to do var substitution -vars: -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. -- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1alpha2 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace -- name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1alpha2 - name: serving-cert # this name should match the one in certificate.yaml -- name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace -- name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service diff --git a/config/default/namespace.yaml b/config/default/namespace.yaml new file mode 100644 index 0000000..8b55c3c --- /dev/null +++ b/config/default/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: system diff --git a/config/kustomization.yaml b/config/kustomization.yaml new file mode 100644 index 0000000..35bdbb5 --- /dev/null +++ b/config/kustomization.yaml 
@@ -0,0 +1,29 @@ +namePrefix: capk- + +commonLabels: + cluster.x-k8s.io/provider: infrastructure-kubernetes + +bases: +- crd +- webhook # Disable this if you're not using the webhook functionality. +- default + +patchesJson6902: +- target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + name: kubernetesclusters.infrastructure.lukeaddison.co.uk + path: patch_crd_webhook_namespace.yaml +- target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + name: kubernetesmachines.infrastructure.lukeaddison.co.uk + path: patch_crd_webhook_namespace.yaml +- target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + name: kubernetesmachinetemplates.infrastructure.lukeaddison.co.uk + path: patch_crd_webhook_namespace.yaml diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 185dacb..db14480 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -1,8 +1,13 @@ -resources: -- manager.yaml apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -images: -- name: controller - newName: dippynark/cluster-api-kubernetes-controller - newTag: dev +resources: +- manager.yaml +patchesStrategicMerge: +- manager_pull_policy.yaml + # Protect the /metrics endpoint by putting it behind auth. Only one of + # manager_auth_proxy_patch.yaml and manager_prometheus_metrics_patch.yaml should be enabled. +- manager_auth_proxy_patch.yaml + # If you want your controller-manager to expose the /metrics endpoint w/o any authn/z, uncomment + # the following line and comment manager_auth_proxy_patch.yaml. Only one of + # manager_auth_proxy_patch.yaml and manager_prometheus_metrics_patch.yaml should be enabled. +# - manager_prometheus_metrics_patch.yaml diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 9348956..0e490a9 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml 
@@ -1,10 +1,3 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - name: system ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -32,5 +25,5 @@ spec: resources: requests: cpu: 100m - memory: 20Mi + memory: 100Mi terminationGracePeriodSeconds: 10 diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/manager/manager_auth_proxy_patch.yaml similarity index 84% rename from config/default/manager_auth_proxy_patch.yaml rename to config/manager/manager_auth_proxy_patch.yaml index 61cb5e7..e3215ea 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/manager/manager_auth_proxy_patch.yaml @@ -7,6 +7,11 @@ metadata: namespace: system spec: template: + metadata: + annotations: + prometheus.io/scrape: 'true' + prometheus.io/scheme: https + prometheus.io/port: '8443' spec: containers: - name: kube-rbac-proxy diff --git a/config/manager/manager_prometheus_metrics_patch.yaml b/config/manager/manager_prometheus_metrics_patch.yaml new file mode 100644 index 0000000..3e48235 --- /dev/null +++ b/config/manager/manager_prometheus_metrics_patch.yaml @@ -0,0 +1,20 @@ +# This patch enables Prometheus scraping for the manager pod. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + metadata: + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '8080' + spec: + containers: + # Expose the prometheus metrics on default port + - name: manager + ports: + - containerPort: 8080 + name: metrics + protocol: TCP diff --git a/config/manager/manager_pull_policy.yaml b/config/manager/manager_pull_policy.yaml new file mode 100644 index 0000000..74a0879 --- /dev/null +++ b/config/manager/manager_pull_policy.yaml @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + imagePullPolicy: Always 
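Review bot: The header comment in `manager_prometheus_metrics_patch.yaml` says only that the patch "enables Prometheus scraping", without stating that it serves /metrics on port 8080 with no kube-rbac-proxy in front of it. I would put that in the file itself, e.g. `# WARNING: exposes /metrics without authn/z; do not enable together with manager_auth_proxy_patch.yaml`. The webhook patch in this same commit passes `--metrics-addr=127.0.0.1:8080`; if that argument is in effect, a scrape against containerPort 8080 would not reach the endpoint, so the two patches look incompatible. Confirm this and note it in the comment.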
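Review bot: `imagePullPolicy: Always` in `manager_pull_policy.yaml` is applied to every build, including the one written to the release manifest. The image is set by name and tag through `kustomize edit set image controller=${IMG}`, so a moved tag changes what runs on the next Pod restart. Nothing in the file says whether `Always` is meant for development tags only. Either add a comment such as `# Always: dev images reuse the same tag; release manifests should reference an immutable tag or digest`, or apply this patch only in the development overlay.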
diff --git a/config/patch_crd_webhook_namespace.yaml b/config/patch_crd_webhook_namespace.yaml new file mode 100644 index 0000000..110f3a4 --- /dev/null +++ b/config/patch_crd_webhook_namespace.yaml @@ -0,0 +1,3 @@ +- op: replace + path: "/spec/conversion/webhook/clientConfig/service/namespace" + value: capi-webhook-system diff --git a/config/rbac/capi.yaml b/config/rbac/capi.yaml new file mode 100644 index 0000000..c7dafda --- /dev/null +++ b/config/rbac/capi.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: capi + labels: + cluster.x-k8s.io/aggregate-to-manager: "true" +rules: +- apiGroups: + - infrastructure.lukeaddison.co.uk + resources: + - kubernetesclusters + - kubernetesmachines + - kubernetesmachinetemplates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 817f1fe..f6f88ef 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -9,3 +9,4 @@ resources: - auth_proxy_service.yaml - auth_proxy_role.yaml - auth_proxy_role_binding.yaml +- capi.yaml \ No newline at end of file diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml index 9cf2613..5f5351f 100644 --- a/config/webhook/kustomization.yaml +++ b/config/webhook/kustomization.yaml 
@@ -1,6 +1,43 @@ +namespace: capi-webhook-system + resources: - manifests.yaml - service.yaml +- ../certmanager +- ../manager + +patchesStrategicMerge: +- manager_webhook_patch.yaml +- mutatingwebhookcainjection_patch.yaml +#- validatingwebhookcainjection_patch.yaml configurations: - kustomizeconfig.yaml + +vars: +- name: CERTIFICATE_NAMESPACE + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert + fieldref: + fieldpath: metadata.namespace +- name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert +- name: SERVICE_NAMESPACE + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace +- name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service diff --git a/config/default/manager_webhook_patch.yaml b/config/webhook/manager_webhook_patch.yaml similarity index 87% rename from config/default/manager_webhook_patch.yaml rename to config/webhook/manager_webhook_patch.yaml index 0866d4d..c107f13 100644 --- a/config/default/manager_webhook_patch.yaml +++ b/config/webhook/manager_webhook_patch.yaml @@ -8,6 +8,9 @@ spec: spec: containers: - name: manager + args: + - --metrics-addr=127.0.0.1:8080 + - --enable-webhook ports: - containerPort: 9443 name: webhook-server diff --git a/config/default/mutatingwebhookcainjection_patch.yaml b/config/webhook/mutatingwebhookcainjection_patch.yaml similarity index 100% rename from config/default/mutatingwebhookcainjection_patch.yaml rename to config/webhook/mutatingwebhookcainjection_patch.yaml diff --git a/config/default/validatingwebhookcainjection_patch.yaml b/config/webhook/validatingwebhookcainjection_patch.yaml similarity index 100% rename from config/default/validatingwebhookcainjection_patch.yaml rename to config/webhook/validatingwebhookcainjection_patch.yaml 
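Review bot: `namespace: capi-webhook-system` is set at the top of `config/webhook/kustomization.yaml`, but none of the resources listed there is a Namespace object for it. `kustomize build config | kubectl apply -f -` therefore depends on that namespace already existing, presumably created by the cluster-api core components. A comment on that line would make the prerequisite visible, e.g. `# capi-webhook-system is expected to exist already (created by cluster-api); install that first`. The move also dropped the remarks beside the `vars` entries; restoring `# this name should match the one in certificate.yaml` next to `name: serving-cert` keeps that coupling documented.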
diff --git a/controllers/kubernetesmachine_controller.go b/controllers/kubernetesmachine_controller.go index 18dc5eb..33aeaa3 100644 --- a/controllers/kubernetesmachine_controller.go +++ b/controllers/kubernetesmachine_controller.go @@ -658,7 +658,8 @@ func (r *KubernetesMachineReconciler) createControlPlaneMachinePod(ctx context.C // https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/#create-load-balancer-for-kube-apiserver if kindContainer.ReadinessProbe == nil { kindContainer.ReadinessProbe = &corev1.Probe{ - PeriodSeconds: 3, + PeriodSeconds: 2, + FailureThreshold: 2, Handler: corev1.Handler{ TCPSocket: &corev1.TCPSocketAction{ Port: intstr.FromInt(int(apiServerPort(cluster))), diff --git a/main.go b/main.go index 9f6c182..3a5166d 100644 --- a/main.go +++ b/main.go @@ -48,14 +48,24 @@ func init() { func main() { var metricsAddr string + var watchNamespace string var enableLeaderElection bool + var enableWebhook bool var debug bool flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.") + flag.StringVar(&watchNamespace, "namespace", "", + "Namespace that the controller watches to reconcile cluster-api objects. If unspecified, the controller watches for cluster-api objects across all namespaces.") flag.BoolVar(&enableLeaderElection, "enable-leader-election", false, "Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&debug, "debug", false, "Enable debug logging.") + flag.BoolVar(&enableWebhook, "enable-webhook", false, + "Disabled by default. When enabled, the manager will only work as webhook server, no reconcilers are installed.") flag.Parse() + if watchNamespace != "" { + setupLog.Info("Watching cluster-api objects only in namespace for reconciliation", "namespace", watchNamespace) + } + ctrl.SetLogger(zap.New(func(o *zap.Options) { o.Development = debug })) 
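Review bot: In the first `main.go` hunk the added `setupLog.Info("Watching cluster-api objects only in namespace for reconciliation", ...)` runs before `ctrl.SetLogger(...)`. If `setupLog` is derived from `ctrl.Log` (its definition is outside the hunk), the message is emitted before the zap logger is installed, so it may be dropped or ignore the `debug` setting. Moving the `if watchNamespace != "" { ... }` block to just after the `ctrl.SetLogger` call fixes the ordering. The help text for `enable-webhook` could also drop "Disabled by default", since the flag package already prints the default. The body of `main` continues beyond this hunk.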
@@ -65,56 +75,61 @@ func main() { MetricsBindAddress: metricsAddr, LeaderElection: enableLeaderElection, Port: 9443, + Namespace: watchNamespace, }) if err != nil { setupLog.Error(err, "unable to start manager") os.Exit(1) } - if err = (&controllers.KubernetesClusterReconciler{ - Client: mgr.GetClient(), - Log: ctrl.Log.WithName("controller").WithName("KubernetesCluster"), - Scheme: mgr.GetScheme(), - }).SetupWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create controller", "controller", "KubernetesCluster") - os.Exit(1) - } - - // Create a Kubernetes core/v1 client. - config := mgr.GetConfig() - coreV1Client, err := coreV1Client.NewForConfig(config) - if err != nil { - setupLog.Error(err, "unable to initialise core client") - os.Exit(1) - } - - if err = (&controllers.KubernetesMachineReconciler{ - Client: mgr.GetClient(), - CoreV1Client: coreV1Client, - Config: config, - Log: ctrl.Log.WithName("controller").WithName("KubernetesMachine"), - Scheme: mgr.GetScheme(), - }).SetupWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create controller", "controller", "KubernetesMachine") - os.Exit(1) - } - - // Setup webhooks - if err = (&capkv1.KubernetesCluster{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "KubernetesCluster") - os.Exit(1) - } - if err = (&capkv1.KubernetesMachine{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "KubernetesMachine") - os.Exit(1) - } - if err = (&capkv1.KubernetesMachineTemplate{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "KubernetesMachineTemplate") - os.Exit(1) - } - if err = (&capkv1alpha2.KubernetesMachine{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "KubernetesMachine") - os.Exit(1) + if !enableWebhook { + + if err = (&controllers.KubernetesClusterReconciler{ + 
Client: mgr.GetClient(), + Log: ctrl.Log.WithName("controller").WithName("KubernetesCluster"), + Scheme: mgr.GetScheme(), + }).SetupWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create controller", "controller", "KubernetesCluster") + os.Exit(1) + } + + // Create a Kubernetes core/v1 client. + config := mgr.GetConfig() + coreV1Client, err := coreV1Client.NewForConfig(config) + if err != nil { + setupLog.Error(err, "unable to initialise core client") + os.Exit(1) + } + + if err = (&controllers.KubernetesMachineReconciler{ + Client: mgr.GetClient(), + CoreV1Client: coreV1Client, + Config: config, + Log: ctrl.Log.WithName("controller").WithName("KubernetesMachine"), + Scheme: mgr.GetScheme(), + }).SetupWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create controller", "controller", "KubernetesMachine") + os.Exit(1) + } + } else { + + // Setup webhooks + if err = (&capkv1.KubernetesCluster{}).SetupWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "KubernetesCluster") + os.Exit(1) + } + if err = (&capkv1.KubernetesMachine{}).SetupWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "KubernetesMachine") + os.Exit(1) + } + if err = (&capkv1.KubernetesMachineTemplate{}).SetupWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "KubernetesMachineTemplate") + os.Exit(1) + } + if err = (&capkv1alpha2.KubernetesMachine{}).SetupWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "KubernetesMachine") + os.Exit(1) + } } // +kubebuilder:scaffold:builder diff --git a/release/cluster-template.yaml b/release/cluster-template.yaml new file mode 100644 index 0000000..7ba41ac --- /dev/null +++ b/release/cluster-template.yaml 
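Review bot: The `if !enableWebhook { ... } else { ... }` split makes the two modes mutually exclusive, but nothing at startup records which mode was chosen, and a process started without `--enable-webhook` registers no webhooks at all. Validation and defaulting for these types are then enforced only while the separate webhook Deployment is running. I would add a comment above the `if` saying so and a log line in each branch, e.g. `setupLog.Info("running in webhook-only mode; no reconcilers installed")`. The added `Namespace: watchNamespace` option narrows what the manager watches, but judging by the ClusterRoles in this commit it does not narrow what the ServiceAccount may access; the flag's help text should say that it is not a permission boundary. `main` starts and ends outside this hunk.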
@@ -0,0 +1,98 @@ +--- +apiVersion: infrastructure.lukeaddison.co.uk/v1alpha3 +kind: KubernetesCluster +metadata: + name: "${CLUSTER_NAME}" +spec: + controlPlaneServiceType: "${KUBERNETES_CONTROL_PLANE_SERVICE_TYPE}" +--- +apiVersion: cluster.x-k8s.io/v1alpha3 +kind: Cluster +metadata: + name: "${CLUSTER_NAME}" +spec: + clusterNetwork: + pods: + cidrBlocks: ["192.168.0.0/16"] + infrastructureRef: + apiVersion: infrastructure.lukeaddison.co.uk/v1alpha3 + kind: KubernetesCluster + name: "${CLUSTER_NAME}" + controlPlaneRef: + apiVersion: controlplane.cluster.x-k8s.io/v1alpha3 + kind: KubeadmControlPlane + name: "${CLUSTER_NAME}" +--- +apiVersion: infrastructure.lukeaddison.co.uk/v1alpha3 +kind: KubernetesMachineTemplate +metadata: + name: "${CLUSTER_NAME}" +spec: + template: + spec: {} +--- +apiVersion: controlplane.cluster.x-k8s.io/v1alpha3 +kind: KubeadmControlPlane +metadata: + name: "${CLUSTER_NAME}" +spec: + replicas: ${CONTROL_PLANE_MACHINE_COUNT} + version: "${KUBERNETES_VERSION}" + infrastructureTemplate: + apiVersion: infrastructure.lukeaddison.co.uk/v1alpha3 + kind: KubernetesMachineTemplate + name: "${CLUSTER_NAME}" + kubeadmConfigSpec: + initConfiguration: + nodeRegistration: + kubeletExtraArgs: + eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0% + cgroups-per-qos: "false" + enforce-node-allocatable: "" + clusterConfiguration: + controllerManager: + extraArgs: + enable-hostpath-provisioner: "true" + joinConfiguration: + nodeRegistration: + kubeletExtraArgs: + eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0% + cgroups-per-qos: "false" + enforce-node-allocatable: "" +--- +apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3 +kind: KubeadmConfigTemplate +metadata: + name: "${CLUSTER_NAME}" +spec: + template: + spec: + joinConfiguration: + nodeRegistration: + kubeletExtraArgs: + eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0% + cgroups-per-qos: "false" + enforce-node-allocatable: "" 
+--- +apiVersion: cluster.x-k8s.io/v1alpha3 +kind: MachineDeployment +metadata: + name: "${CLUSTER_NAME}" +spec: + clusterName: "${CLUSTER_NAME}" + replicas: ${WORKER_MACHINE_COUNT} + selector: + matchLabels: + template: + spec: + clusterName: "${CLUSTER_NAME}" + version: "${KUBERNETES_VERSION}" + bootstrap: + configRef: + apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3 + name: "${CLUSTER_NAME}" + kind: KubeadmConfigTemplate + infrastructureRef: + apiVersion: infrastructure.lukeaddison.co.uk/v1alpha3 + name: "${CLUSTER_NAME}" + kind: KubernetesMachineTemplate diff --git a/config/samples/capi-kubernetes-rbac.yaml b/release/kubeadm-control-plane-rbac.yaml similarity index 71% rename from config/samples/capi-kubernetes-rbac.yaml rename to release/kubeadm-control-plane-rbac.yaml index 35feb17..3b7213a 100644 --- a/config/samples/capi-kubernetes-rbac.yaml +++ b/release/kubeadm-control-plane-rbac.yaml @@ -1,7 +1,8 @@ +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: capi-kubernetes + name: capk-capi-kubeadm-control-plane labels: cluster.x-k8s.io/aggregate-to-manager: "true" rules: @@ -20,14 +21,17 @@ rules: - update - watch --- +# TODO: use aggregation label when available apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: capi-kubeadm-control-plane-kubernetes + labels: + cluster.x-k8s.io/provider: infrastructure-kubernetes + name: capk-capi-kubeadm-control-plane roleRef: - kind: ClusterRole - name: capi-kubernetes apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: capk-capi-kubeadm-control-plane subjects: - kind: ServiceAccount name: default diff --git a/release/metadata.yaml b/release/metadata.yaml new file mode 100644 index 0000000..df342f1 --- /dev/null +++ b/release/metadata.yaml @@ -0,0 +1,9 @@ +apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3 +kind: Metadata +releaseSeries: +- major: 0 + minor: 3 + contract: v1alpha3 +- major: 0 + minor: 2 + contract: v1alpha2
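Review bot: `release/cluster-template.yaml` hard-codes `eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%`, `cgroups-per-qos: "false"`, `enforce-node-allocatable: ""` and `enable-hostpath-provisioner: "true"` in all three kubeadm blocks with no explanatory comment. Users of a file shipped under `release/` will read these as recommended defaults. A short comment above each `kubeletExtraArgs` block should say why eviction and QoS cgroups are turned off, presumably because the nodes run as Pods. The pod CIDR `192.168.0.0/16` is also fixed and could be a template variable like the other settings. In the MachineDeployment, `selector: matchLabels:` is empty and the template carries no labels, so the manifest seems to rely on defaulting done elsewhere; confirm and note it in a comment.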
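Review bot: In the second hunk of `release/kubeadm-control-plane-rbac.yaml` the renamed ClusterRoleBinding still has the `default` ServiceAccount as its subject (context lines at the end of the hunk; the namespace lies outside it). Every Pod in that namespace that does not set its own service account therefore inherits the verbs granted by `capk-capi-kubeadm-control-plane`. `make deploy` now applies this file unconditionally, so a dedicated ServiceAccount would scope the grant more tightly. If the subject is dictated by another project, expand `# TODO: use aggregation label when available` into a comment saying which component needs the binding and when it can be removed.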