package v1alpha1
import (
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
configv1 "github.com/openshift/api/config/v1"
)
// init adds the HostedCluster and HostedClusterList API types to the package
// SchemeBuilder so that clients built from this scheme can encode and decode
// them.
func init() {
	hostedCluster := &HostedCluster{}
	hostedClusterList := &HostedClusterList{}
	SchemeBuilder.Register(hostedCluster, hostedClusterList)
}
// Annotation keys, label keys and Secret data keys used by HyperShift.
//
// Several of the annotations below override the image a control plane
// component is deployed with. They are ordinary object annotations, so any
// principal allowed to write a HostedCluster's metadata can set them; treat
// write access to these objects accordingly.
const (
	// AuditWebhookKubeconfigKey is the key name in the AuditWebhook secret that stores the audit webhook kubeconfig.
	// The kubeconfig can contain client keys when the endpoint uses mTLS (see HostedClusterSpec.AuditWebhook).
	AuditWebhookKubeconfigKey = "webhook-kubeconfig"

	// DisablePKIReconciliationAnnotation is an annotation key. Its name suggests it switches off
	// reconciliation of the cluster PKI — NOTE(review): confirm the exact effect in the controller that reads it.
	DisablePKIReconciliationAnnotation = "hypershift.openshift.io/disable-pki-reconciliation"

	// IdentityProviderOverridesAnnotationPrefix is an annotation key prefix; the key suffix and value
	// semantics are not defined in this file — presumably per-identity-provider overrides, verify against the consumer.
	IdentityProviderOverridesAnnotationPrefix = "idpoverrides.hypershift.openshift.io/"

	// OauthLoginURLOverrideAnnotation is an annotation key that, by its name, overrides the OAuth login URL —
	// NOTE(review): confirm in the consuming controller.
	OauthLoginURLOverrideAnnotation = "oauth.hypershift.openshift.io/login-url-override"

	// KonnectivityServerImageAnnotation is a temporary annotation that allows the specification of the konnectivity server image.
	// This will be removed when Konnectivity is added to the Openshift release payload
	KonnectivityServerImageAnnotation = "hypershift.openshift.io/konnectivity-server-image"

	// KonnectivityAgentImageAnnotation is a temporary annotation that allows the specification of the konnectivity agent image.
	// This will be removed when Konnectivity is added to the Openshift release payload
	KonnectivityAgentImageAnnotation = "hypershift.openshift.io/konnectivity-agent-image"

	// ControlPlaneOperatorImageAnnotation is an annotation that allows the specification of the control plane operator image.
	// This is used for development and e2e workflows
	ControlPlaneOperatorImageAnnotation = "hypershift.openshift.io/control-plane-operator-image"

	// RestartDateAnnotation is an annotation that can be used to trigger a rolling restart of all components managed by hypershift.
	// It is important in some situations like CA rotation where components need to be fully restarted to pick up new CAs. It's also
	// important in some recovery situations where a fresh start of the component helps fix symptoms a user might be experiencing.
	RestartDateAnnotation = "hypershift.openshift.io/restart-date"

	// ReleaseImageAnnotation is an annotation that can be used to see what release image a given deployment is tied to
	ReleaseImageAnnotation = "hypershift.openshift.io/release-image"

	// ClusterAPIManagerImage is an annotation that allows the specification of the cluster api manager image.
	// This is a temporary workaround necessary for compliance reasons on the IBM Cloud side:
	// no images can be pulled from registries outside of IBM Cloud's official regional registries
	ClusterAPIManagerImage = "hypershift.openshift.io/capi-manager-image"

	// ClusterAutoscalerImage is an annotation that allows the specification of the cluster autoscaler image.
	// This is a temporary workaround necessary for compliance reasons on the IBM Cloud side:
	// no images can be pulled from registries outside of IBM Cloud's official regional registries
	ClusterAutoscalerImage = "hypershift.openshift.io/cluster-autoscaler-image"

	// AWSKMSProviderImage is an annotation that allows the specification of the AWS kms provider image.
	// Upstream code located at: https://github.com/kubernetes-sigs/aws-encryption-provider
	AWSKMSProviderImage = "hypershift.openshift.io/aws-kms-provider-image"

	// IBMCloudKMSProviderImage is an annotation that allows the specification of the IBM Cloud kms provider image.
	IBMCloudKMSProviderImage = "hypershift.openshift.io/ibmcloud-kms-provider-image"

	// PortierisImageAnnotation is an annotation that allows the specification of the portieris component
	// (performs container image verification).
	PortierisImageAnnotation = "hypershift.openshift.io/portieris-image"

	// ClusterAPIProviderAWSImage overrides the CAPI AWS provider image to use for
	// a HostedControlPlane.
	ClusterAPIProviderAWSImage = "hypershift.openshift.io/capi-provider-aws-image"

	// ClusterAPIKubeVirtProviderImage overrides the CAPI KubeVirt provider image to use for
	// a HostedControlPlane.
	ClusterAPIKubeVirtProviderImage = "hypershift.openshift.io/capi-provider-kubevirt-image"

	// ClusterAPIAgentProviderImage overrides the CAPI Agent provider image to use for
	// a HostedControlPlane.
	ClusterAPIAgentProviderImage = "hypershift.openshift.io/capi-provider-agent-image"

	// ClusterAPIAzureProviderImage overrides the CAPI Azure provider image to use for
	// a HostedControlPlane.
	ClusterAPIAzureProviderImage = "hypershift.openshift.io/capi-provider-azure-image"

	// AESCBCKeySecretKey defines the Kubernetes secret key name that contains the aescbc encryption key
	// in the AESCBC secret encryption strategy. Note that it has the same value, "key", as
	// ServiceAccountSigningKeySecretKey; the two refer to different Secrets.
	AESCBCKeySecretKey = "key"

	// IBMCloudIAMAPIKeySecretKey defines the Kubernetes secret key name that contains
	// the customer IBMCloud apikey in the unmanaged authentication strategy for IBMCloud KMS secret encryption
	IBMCloudIAMAPIKeySecretKey = "iam_apikey"

	// AWSCredentialsFileSecretKey defines the Kubernetes secret key name that contains
	// the customer AWS credentials in the unmanaged authentication strategy for AWS KMS secret encryption
	AWSCredentialsFileSecretKey = "credentials"

	// ControlPlaneComponent identifies a resource as belonging to a hosted control plane.
	ControlPlaneComponent = "hypershift.openshift.io/control-plane-component"

	// OperatorComponent identifies a component as belonging to the operator.
	OperatorComponent = "hypershift.openshift.io/operator-component"

	// MachineApproverImage is an annotation that allows the specification of the machine approver image.
	// This is a temporary workaround necessary for compliance reasons on the IBM Cloud side:
	// no images can be pulled from registries outside of IBM Cloud's official regional registries
	MachineApproverImage = "hypershift.openshift.io/machine-approver-image"

	// ExternalDNSHostnameAnnotation is the annotation external-dns uses to register DNS name for different HCP services.
	ExternalDNSHostnameAnnotation = "external-dns.alpha.kubernetes.io/hostname"

	// ServiceAccountSigningKeySecretKey is the name of the secret key that should contain the service account signing
	// key if specified (see HostedClusterSpec.ServiceAccountSigningKey).
	ServiceAccountSigningKeySecretKey = "key"
)
// HostedClusterSpec is the desired behavior of a HostedCluster.
//
// Several fields reference Secrets or ConfigMaps in the HostedCluster's
// namespace (PullSecret, SSHKey, ServiceAccountSigningKey, AuditWebhook,
// AdditionalTrustBundle); those objects carry credentials, private keys or
// trust anchors for the hosted cluster and should be protected accordingly.
type HostedClusterSpec struct {
	// Release specifies the desired OCP release payload for the hosted cluster.
	//
	// Updating this field will trigger a rollout of the control plane. The
	// behavior of the rollout will be driven by the ControllerAvailabilityPolicy
	// and InfrastructureAvailabilityPolicy.
	Release Release `json:"release"`

	// NOTE(review): the Pattern marker below has no ^/$ anchors (compare the
	// CIDRBlock pattern in this file), so a value with extra characters around
	// a UUID would still validate.

	// ClusterID uniquely identifies this cluster. This is expected to be
	// an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in
	// hexadecimal values).
	// As with a Kubernetes metadata.uid, this ID uniquely identifies this
	// cluster in space and time.
	// This value identifies the cluster in metrics pushed to telemetry and
	// metrics produced by the control plane operators. If a value is not
	// specified, an ID is generated. After initial creation, the value is
	// immutable.
	// +kubebuilder:validation:Pattern:="[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}"
	// +optional
	ClusterID string `json:"clusterID,omitempty"`

	// InfraID is a globally unique identifier for the cluster. This identifier
	// will be used to associate various cloud resources with the HostedCluster
	// and its associated NodePools.
	//
	// +optional
	// +immutable
	InfraID string `json:"infraID,omitempty"`

	// Platform specifies the underlying infrastructure provider for the cluster
	// and is used to configure platform specific behavior.
	//
	// +immutable
	Platform PlatformSpec `json:"platform"`

	// ControllerAvailabilityPolicy specifies the availability policy applied to
	// critical control plane components. The default value is SingleReplica.
	//
	// +optional
	// +kubebuilder:default:="SingleReplica"
	// +immutable
	ControllerAvailabilityPolicy AvailabilityPolicy `json:"controllerAvailabilityPolicy,omitempty"`

	// InfrastructureAvailabilityPolicy specifies the availability policy applied
	// to infrastructure services which run on cluster nodes. The default value is
	// SingleReplica.
	//
	// +optional
	// +kubebuilder:default:="SingleReplica"
	// +immutable
	InfrastructureAvailabilityPolicy AvailabilityPolicy `json:"infrastructureAvailabilityPolicy,omitempty"`

	// DNS specifies DNS configuration for the cluster.
	//
	// +immutable
	DNS DNSSpec `json:"dns,omitempty"`

	// Networking specifies network configuration for the cluster.
	//
	// +immutable
	Networking ClusterNetworking `json:"networking"`

	// Autoscaling specifies auto-scaling behavior that applies to all NodePools
	// associated with the control plane.
	//
	// +optional
	Autoscaling ClusterAutoscaling `json:"autoscaling,omitempty"`

	// Etcd specifies configuration for the control plane etcd cluster. The
	// default ManagementType is Managed. Once set, the ManagementType cannot be
	// changed.
	//
	// +kubebuilder:validation:Optional
	// +kubebuilder:default={managementType: "Managed"}
	// +immutable
	Etcd EtcdSpec `json:"etcd"`

	// Services specifies how individual control plane services are published from
	// the hosting cluster of the control plane.
	//
	// Omitting a service from this list does not hide it: a service that is not
	// present in this list is exposed publicly by default. Use an explicit entry
	// (for example with the None strategy) to restrict exposure.
	Services []ServicePublishingStrategyMapping `json:"services"`

	// PullSecret references a pull secret to be injected into the container
	// runtime of all cluster nodes. The secret must have a key named
	// ".dockerconfigjson" whose value is the pull secret JSON (registry
	// credentials).
	//
	// +immutable
	PullSecret corev1.LocalObjectReference `json:"pullSecret"`

	// SSHKey references an SSH key to be injected into all cluster node sshd
	// servers. The secret must have a single key "id_rsa.pub" whose value is the
	// public part of an SSH key. Whoever holds the matching private key can log
	// in to every node.
	//
	// +immutable
	SSHKey corev1.LocalObjectReference `json:"sshKey"`

	// IssuerURL is an OIDC issuer URL which is used as the issuer in all
	// ServiceAccount tokens generated by the control plane API server. The
	// default value is kubernetes.default.svc, which only works for in-cluster
	// validation.
	//
	// +kubebuilder:default:="https://kubernetes.default.svc"
	// +immutable
	// +optional
	IssuerURL string `json:"issuerURL,omitempty"`

	// ServiceAccountSigningKey is a reference to a secret containing the private key
	// used by the service account token issuer. The secret is expected to contain
	// a single key named "key" (ServiceAccountSigningKeySecretKey). If not specified,
	// a service account signing key will be generated automatically for the cluster.
	// When specifying a service account signing key, an IssuerURL must also be specified.
	//
	// +immutable
	// +kubebuilder:validation:Optional
	// +optional
	ServiceAccountSigningKey *corev1.LocalObjectReference `json:"serviceAccountSigningKey,omitempty"`

	// Configuration specifies configuration for individual OCP components in the
	// cluster, represented as embedded resources that correspond to the openshift
	// configuration API.
	//
	// +kubebuilder:validation:Optional
	// +optional
	Configuration *ClusterConfiguration `json:"configuration,omitempty"`

	// AuditWebhook contains metadata for configuring an audit webhook endpoint
	// for a cluster to process cluster audit events. It references a secret that
	// contains the webhook information for the audit webhook endpoint. It is a
	// secret because if the endpoint has mTLS the kubeconfig will contain client
	// keys. The kubeconfig needs to be stored in the secret with a secret key
	// name that corresponds to the constant AuditWebhookKubeconfigKey.
	//
	// This field is currently only supported on the IBMCloud platform.
	//
	// +optional
	// +immutable
	AuditWebhook *corev1.LocalObjectReference `json:"auditWebhook,omitempty"`

	// ImageContentSources specifies image mirrors that can be used by cluster
	// nodes to pull content.
	//
	// +optional
	// +immutable
	ImageContentSources []ImageContentSource `json:"imageContentSources,omitempty"`

	// AdditionalTrustBundle is a reference to a ConfigMap containing a
	// PEM-encoded X.509 certificate bundle that will be added to the hosted
	// control plane and nodes. Certificates in this bundle are trusted by both,
	// so the ConfigMap is a trust-anchor input and should be protected as such.
	//
	// +optional
	AdditionalTrustBundle *corev1.LocalObjectReference `json:"additionalTrustBundle,omitempty"`

	// SecretEncryption specifies a Kubernetes secret encryption strategy for the
	// control plane.
	//
	// +optional
	SecretEncryption *SecretEncryptionSpec `json:"secretEncryption,omitempty"`

	// FIPS indicates whether this cluster's nodes will be running in FIPS mode.
	// If set to true, the control plane's ignition server will be configured to
	// expect that nodes joining the cluster will be FIPS-enabled.
	//
	// +optional
	// +immutable
	FIPS bool `json:"fips"`

	// PausedUntil is a field that can be used to pause reconciliation on a resource.
	// Either a date can be provided in RFC3339 format or a boolean (as the string
	// "true", since the field is a string). If a date is provided: reconciliation
	// is paused on the resource until that date. If the boolean true is provided:
	// reconciliation is paused on the resource until the field is removed.
	// +optional
	PausedUntil *string `json:"pausedUntil,omitempty"`

	// OLMCatalogPlacement specifies the placement of OLM catalog components. By default,
	// this is set to management and OLM catalog components are deployed onto the management
	// cluster. If set to guest, the OLM catalog components will be deployed onto the guest
	// cluster.
	//
	// +kubebuilder:default=management
	// +optional
	// +immutable
	OLMCatalogPlacement OLMCatalogPlacement `json:"olmCatalogPlacement,omitempty"`
}
// OLMCatalogPlacement is an enum specifying the placement of OLM catalog components.
// The Enum marker below must list exactly the constants declared after the type.
// +kubebuilder:validation:Enum=management;guest
type OLMCatalogPlacement string

const (
	// ManagementOLMCatalogPlacement indicates OLM catalog components will be placed in
	// the management cluster. This is the default for HostedClusterSpec.OLMCatalogPlacement.
	ManagementOLMCatalogPlacement OLMCatalogPlacement = "management"

	// GuestOLMCatalogPlacement indicates OLM catalog components will be placed in
	// the guest cluster.
	GuestOLMCatalogPlacement OLMCatalogPlacement = "guest"
)
// ImageContentSource specifies image mirrors that can be used by cluster nodes
// to pull content. For cluster workloads, if a container image registry host of
// the pullspec matches Source then one of the Mirrors is substituted as the host
// in the pullspec and tried in order to fetch the image.
//
// A mirror serves the image bytes for Source, so the set of mirrors is part of
// the cluster's software supply chain; only registries that are trusted to
// serve content for Source should be listed.
type ImageContentSource struct {
	// Source is the repository that users refer to, e.g. in image pull
	// specifications.
	//
	// +immutable
	Source string `json:"source"`

	// Mirrors are one or more repositories that may also contain the same images.
	// They are tried in the order given.
	//
	// +optional
	// +immutable
	Mirrors []string `json:"mirrors,omitempty"`
}
// ServicePublishingStrategyMapping specifies how individual control plane
// services are published from the hosting cluster of a control plane.
type ServicePublishingStrategyMapping struct {
	// Service identifies the type of service being published.
	//
	// +kubebuilder:validation:Enum=APIServer;OAuthServer;OIDC;Konnectivity;Ignition;OVNSbDb
	// +immutable
	Service ServiceType `json:"service"`

	// ServicePublishingStrategy specifies how to publish Service.
	//
	// The struct is embedded but carries an explicit json tag, so it is
	// serialized as a nested "servicePublishingStrategy" object rather than
	// having its fields inlined into the mapping.
	ServicePublishingStrategy `json:"servicePublishingStrategy"`
}
// ServicePublishingStrategy specifies how to publish a ServiceType.
//
// Type selects the strategy; the optional sub-structs below hold per-strategy
// settings. Which of them is consulted is presumably determined by Type —
// nothing in this file enforces that only the matching one is set.
type ServicePublishingStrategy struct {
	// Type is the publishing strategy used for the service.
	//
	// +kubebuilder:validation:Enum=LoadBalancer;NodePort;Route;None;S3
	// +immutable
	Type PublishingStrategyType `json:"type"`

	// NodePort configures exposing a service using a NodePort.
	NodePort *NodePortPublishingStrategy `json:"nodePort,omitempty"`

	// LoadBalancer configures exposing a service using a LoadBalancer.
	LoadBalancer *LoadBalancerPublishingStrategy `json:"loadBalancer,omitempty"`

	// Route configures exposing a service using a Route.
	Route *RoutePublishingStrategy `json:"route,omitempty"`
}
// PublishingStrategyType defines publishing strategies for services.
type PublishingStrategyType string

// The values below are declared with var rather than const, so they are
// addressable and could be reassigned at runtime. They are intended to be
// used as constants; do not assign to them.
var (
	// LoadBalancer exposes a service with a LoadBalancer kube service.
	LoadBalancer PublishingStrategyType = "LoadBalancer"

	// NodePort exposes a service with a NodePort kube service.
	NodePort PublishingStrategyType = "NodePort"

	// Route exposes services with a Route + ClusterIP kube service.
	Route PublishingStrategyType = "Route"

	// S3 exposes a service through an S3 bucket.
	S3 PublishingStrategyType = "S3"

	// None disables exposing the service.
	None PublishingStrategyType = "None"
)
// ServiceType defines what control plane services can be exposed from the
// management control plane.
type ServiceType string

// The values below are declared with var rather than const, so they are
// addressable and could be reassigned at runtime. They are intended to be
// used as constants; do not assign to them.
var (
	// APIServer is the control plane API server.
	APIServer ServiceType = "APIServer"

	// Konnectivity is the control plane Konnectivity networking service.
	Konnectivity ServiceType = "Konnectivity"

	// OAuthServer is the control plane OAuth service.
	OAuthServer ServiceType = "OAuthServer"

	// OIDC is the control plane OIDC service.
	OIDC ServiceType = "OIDC"

	// Ignition is the control plane ignition service for nodes.
	Ignition ServiceType = "Ignition"

	// OVNSbDb is the optional control plane ovn southbound database service used by OVNKubernetes CNI.
	OVNSbDb ServiceType = "OVNSbDb"
)
// NodePortPublishingStrategy specifies a NodePort used to expose a service.
type NodePortPublishingStrategy struct {
	// Address is the host/ip that the NodePort service is exposed over.
	Address string `json:"address"`

	// Port is the port of the NodePort service. If <=0, the port is dynamically
	// assigned when the service is created. No range check is applied here;
	// the valid NodePort range is enforced by the hosting cluster, if at all.
	Port int32 `json:"port,omitempty"`
}
// LoadBalancerPublishingStrategy specifies settings used to expose a service as a LoadBalancer.
type LoadBalancerPublishingStrategy struct {
	// Hostname is the name of the DNS record that will be created pointing to the LoadBalancer.
	// When empty, no record is requested by this strategy.
	// +optional
	Hostname string `json:"hostname,omitempty"`
}
// RoutePublishingStrategy specifies options for exposing a service as a Route.
type RoutePublishingStrategy struct {
	// Hostname is the name of the DNS record that will be created pointing to the Route.
	// When empty, no record is requested by this strategy.
	// +optional
	Hostname string `json:"hostname,omitempty"`
}
// DNSSpec specifies the DNS configuration in the cluster.
type DNSSpec struct {
	// BaseDomain is the base domain of the cluster.
	//
	// +immutable
	BaseDomain string `json:"baseDomain"`

	// PublicZoneID is the Hosted Zone ID where all the DNS records that are
	// publicly accessible to the internet exist.
	//
	// +optional
	// +immutable
	PublicZoneID string `json:"publicZoneID,omitempty"`

	// PrivateZoneID is the Hosted Zone ID where all the DNS records that are only
	// available internally to the cluster exist.
	//
	// +optional
	// +immutable
	PrivateZoneID string `json:"privateZoneID,omitempty"`
}
// ClusterNetworking specifies network configuration for a cluster.
//
// NOTE(review): the three CIDR fields are typed as plain string, not as
// CIDRBlock, so the CIDRBlock validation pattern defined in this file does not
// apply to them; any syntax checking must happen elsewhere.
type ClusterNetworking struct {
	// ServiceCIDR is...
	//
	// TODO(dan): document it
	// (conventionally the address range from which Service IPs are allocated —
	// confirm against the code that consumes it)
	//
	// +immutable
	ServiceCIDR string `json:"serviceCIDR"`

	// PodCIDR is...
	//
	// TODO(dan): document it
	// (conventionally the address range from which pod IPs are allocated —
	// confirm against the code that consumes it)
	//
	// +immutable
	PodCIDR string `json:"podCIDR"`

	// MachineCIDR is...
	//
	// TODO(dan): document it
	// (conventionally the address range the cluster nodes live in — confirm
	// against the code that consumes it)
	//
	// +immutable
	MachineCIDR string `json:"machineCIDR"`

	// NetworkType specifies the SDN provider used for cluster networking.
	//
	// +kubebuilder:default:="OVNKubernetes"
	// +immutable
	NetworkType NetworkType `json:"networkType"`

	// APIServer contains advanced network settings for the API server that affect
	// how the APIServer is exposed inside a cluster node.
	//
	// +immutable
	APIServer *APIServerNetworking `json:"apiServer,omitempty"`
}
// CIDRBlock is an IPv4 address range in dotted-quad/prefix form, e.g. 10.0.0.0/16.
// The pattern below is anchored, requires the prefix length (0-32) and only
// accepts IPv4; IPv6 ranges do not validate. Fields typed as plain string (such
// as the CIDRs in ClusterNetworking) do not receive this validation.
//
//+kubebuilder:validation:Pattern:=`^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$`
type CIDRBlock string
// APIServerNetworking specifies how the APIServer is exposed inside a cluster
// node.
type APIServerNetworking struct {
	// AdvertiseAddress is the address that nodes will use to talk to the API
	// server. This is an address associated with the loopback adapter of each
	// node. If not specified, 172.20.0.1 is used.
	AdvertiseAddress *string `json:"advertiseAddress,omitempty"`

	// Port is the port at which the APIServer is exposed inside a node. Other
	// pods using host networking cannot listen on this port. If not specified,
	// 6443 is used.
	Port *int32 `json:"port,omitempty"`

	// AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer.
	// If not specified, traffic is allowed from all addresses, so leaving this
	// empty means the API server endpoint is reachable from anywhere the
	// publishing strategy makes it routable.
	// Enforcement depends on underlying support by the cloud provider for Service
	// LoadBalancerSourceRanges; where the provider lacks it, the list has no effect.
	// Each entry is validated by the CIDRBlock pattern (IPv4 only).
	AllowedCIDRBlocks []CIDRBlock `json:"allowedCIDRBlocks,omitempty"`
}
// NetworkType specifies the SDN provider used for cluster networking.
// The Enum marker below must list exactly the constants declared after the type.
//
// +kubebuilder:validation:Enum=OpenShiftSDN;Calico;OVNKubernetes;Other
type NetworkType string

const (
	// OpenShiftSDN specifies OpenShiftSDN as the SDN provider.
	OpenShiftSDN NetworkType = "OpenShiftSDN"

	// Calico specifies Calico as the SDN provider.
	Calico NetworkType = "Calico"

	// OVNKubernetes specifies OVN as the SDN provider. This is the default for
	// ClusterNetworking.NetworkType.
	OVNKubernetes NetworkType = "OVNKubernetes"

	// Other specifies an undefined SDN provider.
	Other NetworkType = "Other"
)
// PlatformType is a specific supported infrastructure provider.
// The Enum marker below must list exactly the constants declared after the type.
//
// +kubebuilder:validation:Enum=AWS;None;IBMCloud;Agent;KubeVirt;Azure;PowerVS
type PlatformType string

const (
	// AWSPlatform represents Amazon Web Services infrastructure.
	AWSPlatform PlatformType = "AWS"

	// NonePlatform represents user supplied (e.g. bare metal) infrastructure.
	NonePlatform PlatformType = "None"

	// IBMCloudPlatform represents IBM Cloud infrastructure.
	IBMCloudPlatform PlatformType = "IBMCloud"

	// AgentPlatform represents user supplied infrastructure booted with agents.
	AgentPlatform PlatformType = "Agent"

	// KubevirtPlatform represents Kubevirt infrastructure. Note the wire value
	// is "KubeVirt" (capital V) while the identifier is spelled Kubevirt.
	KubevirtPlatform PlatformType = "KubeVirt"

	// AzurePlatform represents Azure infrastructure.
	AzurePlatform PlatformType = "Azure"

	// PowerVSPlatform represents PowerVS infrastructure.
	PowerVSPlatform PlatformType = "PowerVS"
)
// PlatformSpec specifies the underlying infrastructure provider for the cluster
// and is used to configure platform specific behavior.
//
// Type is the union discriminator; at most the platform-specific member that
// matches Type is expected to be populated.
type PlatformSpec struct {
	// Type is the type of infrastructure provider for the cluster.
	//
	// +unionDiscriminator
	// +immutable
	Type PlatformType `json:"type"`

	// AWS specifies configuration for clusters running on Amazon Web Services.
	//
	// +optional
	// +immutable
	AWS *AWSPlatformSpec `json:"aws,omitempty"`

	// Agent specifies configuration for agent-based installations.
	//
	// +optional
	// +immutable
	Agent *AgentPlatformSpec `json:"agent,omitempty"`

	// NOTE(review): IBMCloud and Azure lack the +optional/+immutable markers
	// their sibling members carry; likely an oversight rather than intent.

	// IBMCloud defines IBMCloud specific settings for components
	IBMCloud *IBMCloudPlatformSpec `json:"ibmcloud,omitempty"`

	// Azure defines azure specific settings
	Azure *AzurePlatformSpec `json:"azure,omitempty"`

	// PowerVS specifies configuration for clusters running on IBMCloud Power VS Service.
	// This field is immutable. Once set, It can't be changed.
	//
	// +optional
	// +immutable
	PowerVS *PowerVSPlatformSpec `json:"powervs,omitempty"`
}
// AgentPlatformSpec specifies configuration for agent-based installations.
type AgentPlatformSpec struct {
	// AgentNamespace is the namespace in which to search for Agents for this cluster.
	// It is a required field (no omitempty, no +optional marker).
	AgentNamespace string `json:"agentNamespace"`
}
// IBMCloudPlatformSpec defines IBMCloud specific settings for components.
type IBMCloudPlatformSpec struct {
	// ProviderType is a specific supported infrastructure provider within IBM Cloud.
	// The type comes from the openshift/api config package.
	ProviderType configv1.IBMCloudProviderType `json:"providerType,omitempty"`
}
// PowerVSPlatformSpec defines IBMCloud PowerVS specific settings for components.
//
// Four fields reference Secrets holding cloud credentials with differing
// permission sets (KubeCloudControllerCreds, NodePoolManagementCreds,
// ControlPlaneOperatorCreds, IngressOperatorCloudCreds). Keeping them as
// separate, narrowly scoped credentials is what allows each component to run
// with least privilege; do not point them all at one broad credential.
type PowerVSPlatformSpec struct {
	// AccountID is the IBMCloud account id.
	// This field is immutable. Once set, It can't be changed.
	//
	// +immutable
	AccountID string `json:"accountID"`

	// CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name.
	// This field is immutable. Once set, It can't be changed.
	// The pattern only checks the "crn:" prefix, not the full CRN structure.
	//
	// +kubebuilder:validation:Pattern=`^crn:`
	// +immutable
	CISInstanceCRN string `json:"cisInstanceCRN"`

	// ResourceGroup is the IBMCloud Resource Group in which the cluster resides.
	// This field is immutable. Once set, It can't be changed.
	//
	// +immutable
	ResourceGroup string `json:"resourceGroup"`

	// Region is the IBMCloud region in which the cluster resides. This configures the
	// OCP control plane cloud integrations, and is used by NodePool to resolve
	// the correct boot image for a given release.
	// This field is immutable. Once set, It can't be changed.
	//
	// +immutable
	Region string `json:"region"`

	// Zone is the availability zone where control plane cloud resources are
	// created.
	// This field is immutable. Once set, It can't be changed.
	//
	// +immutable
	Zone string `json:"zone"`

	// Subnet is the subnet to use for control plane cloud resources.
	// This field is immutable. Once set, It can't be changed.
	// The field is a pointer without omitempty, so a nil value serializes as null.
	//
	// +immutable
	Subnet *PowerVSResourceReference `json:"subnet"`

	// ServiceInstanceID is the reference to the Power VS service on which the server instance(VM) will be created.
	// Power VS service is a container for all Power VS instances at a specific geographic region.
	// serviceInstance can be created via IBM Cloud catalog or CLI.
	// ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli.
	//
	// More detail about Power VS service instance.
	// https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server
	//
	// This field is immutable. Once set, It can't be changed.
	//
	// +immutable
	ServiceInstanceID string `json:"serviceInstanceID"`

	// VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control
	// plane.
	// This field is immutable. Once set, It can't be changed.
	// The field is a pointer without omitempty, so a nil value serializes as null.
	//
	// +immutable
	VPC *PowerVSVPC `json:"vpc"`

	// KubeCloudControllerCreds is a reference to a secret containing cloud
	// credentials with permissions matching the cloud controller policy.
	// This field is immutable. Once set, It can't be changed.
	//
	// TODO(dan): document the "cloud controller policy"
	//
	// +immutable
	KubeCloudControllerCreds corev1.LocalObjectReference `json:"kubeCloudControllerCreds"`

	// NodePoolManagementCreds is a reference to a secret containing cloud
	// credentials with permissions matching the node pool management policy.
	// This field is immutable. Once set, It can't be changed.
	//
	// TODO(dan): document the "node pool management policy"
	//
	// +immutable
	NodePoolManagementCreds corev1.LocalObjectReference `json:"nodePoolManagementCreds"`

	// ControlPlaneOperatorCreds is a reference to a secret containing cloud
	// credentials with permissions matching the control-plane-operator policy.
	// This field is immutable. Once set, It can't be changed.
	//
	// TODO(dan): document the "control plane operator policy"
	//
	// +immutable
	ControlPlaneOperatorCreds corev1.LocalObjectReference `json:"controlPlaneOperatorCreds"`

	// IngressOperatorCloudCreds is a reference to a secret containing ibm cloud
	// credentials for the ingress operator to authenticate with ibm cloud.
	//
	// +immutable
	IngressOperatorCloudCreds corev1.LocalObjectReference `json:"ingressOperatorCloudCreds"`
}
// PowerVSVPC specifies IBM Cloud PowerVS LoadBalancer configuration for the control
// plane.
type PowerVSVPC struct {
	// Name is the name of the VPC used for all the service load balancers.
	// This field is immutable. Once set, It can't be changed.
	//
	// +immutable
	Name string `json:"name"`

	// Region is the IBMCloud region in which the VPC gets created; this VPC is used
	// for all the ingress traffic into the OCP cluster.
	// This field is immutable. Once set, It can't be changed.
	//
	// +immutable
	Region string `json:"region"`

	// Zone is the availability zone where load balancer cloud resources are
	// created.
	// This field is immutable. Once set, It can't be changed.
	//
	// +immutable
	// +optional
	Zone string `json:"zone,omitempty"`

	// Subnet is the subnet to use for the load balancer.
	// This field is immutable. Once set, It can't be changed.
	//
	// +immutable
	// +optional
	Subnet string `json:"subnet,omitempty"`
}
// PowerVSResourceReference is a reference to a specific IBMCloud PowerVS resource by ID, or Name.
// Only one of ID, or Name may be specified. Specifying more than one will result in
// a validation error. (That check is not expressed in this file; it is presumably
// done by the consuming code or a webhook.)
type PowerVSResourceReference struct {
	// ID of the resource.
	// +optional
	ID *string `json:"id,omitempty"`

	// Name of the resource.
	// +optional
	Name *string `json:"name,omitempty"`
}
// AWSCloudProviderConfig specifies AWS networking configuration for the
// control plane cloud resources: the VPC (required) plus an optional subnet
// and availability zone.
type AWSCloudProviderConfig struct {
	// Subnet is the subnet to use for control plane cloud resources.
	// AWSResourceReference is declared elsewhere in this package.
	//
	// +optional
	Subnet *AWSResourceReference `json:"subnet,omitempty"`
	// Zone is the availability zone where control plane cloud resources are
	// created.
	//
	// +optional
	Zone string `json:"zone,omitempty"`
	// VPC is the VPC to use for control plane cloud resources. Required: the
	// json tag has no omitempty and the field carries no +optional marker.
	VPC string `json:"vpc"`
}
// AWSEndpointAccessType specifies the publishing scope of cluster endpoints,
// i.e. whether the API server and the node-to-control-plane path are reachable
// from the public internet. It is used by AWSPlatformSpec.EndpointAccess,
// which defaults to Public.
type AWSEndpointAccessType string

const (
	// Public endpoint access allows public API server access and public node
	// communication with the control plane. This is the most exposed option.
	Public AWSEndpointAccessType = "Public"
	// PublicAndPrivate endpoint access allows public API server access and
	// private node communication with the control plane.
	PublicAndPrivate AWSEndpointAccessType = "PublicAndPrivate"
	// Private endpoint access allows only private API server access and private
	// node communication with the control plane; nothing is published publicly.
	Private AWSEndpointAccessType = "Private"
)
// AWSPlatformSpec specifies configuration for clusters running on Amazon Web Services.
//
// The three *Creds fields each reference a Secret (corev1.LocalObjectReference,
// so in the same namespace as the referencing object) holding a single
// `credentials` key whose value is an AWS credentials file. They are consumed
// by different control plane components and are meant to carry distinct,
// narrowly scoped permission sets; the policies themselves are not yet
// documented (see the TODOs below).
type AWSPlatformSpec struct {
	// Region is the AWS region in which the cluster resides. This configures the
	// OCP control plane cloud integrations, and is used by NodePool to resolve
	// the correct boot AMI for a given release.
	//
	// +immutable
	Region string `json:"region"`
	// CloudProviderConfig specifies AWS networking configuration for the control
	// plane.
	//
	// TODO(dan): should this be named AWSNetworkConfig?
	//
	// +optional
	// +immutable
	CloudProviderConfig *AWSCloudProviderConfig `json:"cloudProviderConfig,omitempty"`
	// ServiceEndpoints specifies optional custom endpoints which will override
	// the default service endpoint of specific AWS Services.
	//
	// There must be only one ServiceEndpoint for a given service name.
	// NOTE(review): no marker here enforces that uniqueness; presumably it is
	// checked by a webhook or the controller — confirm.
	//
	// +optional
	// +immutable
	ServiceEndpoints []AWSServiceEndpoint `json:"serviceEndpoints,omitempty"`
	// Roles must contain exactly 4 entries representing the locators for roles
	// supporting the following OCP services:
	//
	// - openshift-ingress-operator/cloud-credentials
	// - openshift-image-registry/installer-cloud-credentials
	// - openshift-cluster-csi-drivers/ebs-cloud-credentials
	// - cloud-network-config-controller/cloud-credentials
	//
	// Each role has unique permission requirements whose documentation is TBD.
	//
	// NOTE(review): the list above has four entries while the TODO below says
	// three, and the json tag carries omitempty although the field is described
	// as required; one of these is presumably stale — confirm which.
	//
	// TODO(dan): revisit this field; it's really 3 required fields with specific content requirements
	//
	// +immutable
	Roles []AWSRoleCredentials `json:"roles,omitempty"`
	// KubeCloudControllerCreds is a reference to a secret containing cloud
	// credentials with permissions matching the cloud controller policy. The
	// secret should have exactly one key, `credentials`, whose value is an AWS
	// credentials file.
	//
	// TODO(dan): document the "cloud controller policy"
	//
	// +immutable
	KubeCloudControllerCreds corev1.LocalObjectReference `json:"kubeCloudControllerCreds"`
	// NodePoolManagementCreds is a reference to a secret containing cloud
	// credentials with permissions matching the node pool management policy. The
	// secret should have exactly one key, `credentials`, whose value is an AWS
	// credentials file.
	//
	// TODO(dan): document the "node pool management policy"
	//
	// +immutable
	NodePoolManagementCreds corev1.LocalObjectReference `json:"nodePoolManagementCreds"`
	// ControlPlaneOperatorCreds is a reference to a secret containing cloud
	// credentials with permissions matching the control-plane-operator policy.
	// The secret should have exactly one key, `credentials`, whose value is
	// an AWS credentials file.
	//
	// TODO(dan): document the "control plane operator policy"
	//
	// +immutable
	ControlPlaneOperatorCreds corev1.LocalObjectReference `json:"controlPlaneOperatorCreds"`
	// ResourceTags is a list of additional tags to apply to AWS resources created
	// for the cluster. See
	// https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for
	// information on tagging AWS resources. AWS supports a maximum of 50 tags per
	// resource. OpenShift reserves 25 tags for its use, leaving 25 tags available
	// for the user. The MaxItems marker below enforces that user budget.
	//
	// +kubebuilder:validation:MaxItems=25
	// +optional
	ResourceTags []AWSResourceTag `json:"resourceTags,omitempty"`
	// EndpointAccess specifies the publishing scope of cluster endpoints. The
	// default is Public, i.e. a publicly reachable API server; see
	// AWSEndpointAccessType for the other options.
	//
	// +kubebuilder:validation:Enum=Public;PublicAndPrivate;Private
	// +kubebuilder:default=Public
	// +optional
	EndpointAccess AWSEndpointAccessType `json:"endpointAccess,omitempty"`
}
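// AWSResourceTag is a tag to apply to AWS resources created for the cluster.
//
// Key and Value are validated against a subset of the characters AWS accepts
// for tags (letters, digits and `_ . : / = + - @`); see
// https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html.
type AWSResourceTag struct {
	// Key is the key of the tag.
	//
	// The `-` is placed last in the character class so it is matched literally.
	// Written as `+-@` it would denote the range U+002B..U+0040 and silently
	// accept characters such as `,`, `;`, `<`, `>` and `?`.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=128
	// +kubebuilder:validation:Pattern=`^[0-9A-Za-z_.:/=+@-]+$`
	Key string `json:"key"`
	// Value is the value of the tag.
	//
	// Some AWS services do not support empty values. Since tags are added to
	// resources in many services, the length of the tag value must meet the
	// requirements of all services.
	//
	// The `-` is placed last in the character class for the same reason as on Key.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=256
	// +kubebuilder:validation:Pattern=`^[0-9A-Za-z_.:/=+@-]+$`
	Value string `json:"value"`
}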
// AWSRoleCredentials locates an AWS IAM role for one of the OCP services
// listed on AWSPlatformSpec.Roles. All three fields are required (no omitempty
// and no +optional marker).
//
// NOTE(review): Namespace and Name presumably identify the credentials Secret
// the role is surfaced as in the guest cluster, matching the
// `<namespace>/<name>` locators listed on AWSPlatformSpec.Roles — confirm
// against the controller that consumes this type.
type AWSRoleCredentials struct {
	// ARN is the Amazon Resource Name of the IAM role.
	ARN string `json:"arn"`
	// Namespace is the namespace part of the locator.
	Namespace string `json:"namespace"`
	// Name is the name part of the locator.
	Name string `json:"name"`
}
// AWSServiceEndpoint stores the configuration for services to
// override existing defaults of AWS Services.
//
// A custom endpoint redirects every API call the cluster makes to that AWS
// service, so it must only ever be set from trusted configuration.
type AWSServiceEndpoint struct {
	// Name is the name of the AWS service.
	// This must be provided and cannot be empty.
	Name string `json:"name"`
	// URL is fully qualified URI with scheme https, that overrides the default generated
	// endpoint for a client.
	// This must be provided and cannot be empty.
	//
	// NOTE(review): the Pattern below only anchors the `https://` prefix; it does
	// not check that a host follows or that the rest of the URL is well formed,
	// so any further validation presumably happens in the consumer — confirm.
	//
	// +kubebuilder:validation:Pattern=`^https://`
	URL string `json:"url"`
}
// AzurePlatformSpec specifies configuration for clusters running on Azure.
//
// Every field is required: none of the json tags carries omitempty and there
// are no +optional markers. Unlike AWSPlatformSpec, no field is marked
// +immutable here.
type AzurePlatformSpec struct {
	// Credentials references a Secret (corev1.LocalObjectReference, so in the
	// same namespace as the referencing object) holding the Azure credentials
	// used by the control plane.
	// NOTE(review): the expected key layout of the Secret is not visible here —
	// confirm against the consumer.
	Credentials corev1.LocalObjectReference `json:"credentials"`
	// Location is the Azure location (region) of the cluster resources.
	Location string `json:"location"`
	// ResourceGroupName is the Azure resource group the cluster resources
	// belong to. Note the json key is `resourceGroup`, not `resourceGroupName`.
	ResourceGroupName string `json:"resourceGroup"`
	// VnetName is the name of the virtual network used by the cluster.
	VnetName string `json:"vnetName"`
	// VnetID is the identifier of the virtual network used by the cluster.
	VnetID string `json:"vnetID"`
	// SubnetName is the name of the subnet within the virtual network.
	SubnetName string `json:"subnetName"`
	// SubscriptionID is the Azure subscription the resources are created in.
	SubscriptionID string `json:"subscriptionID"`
	// MachineIdentityID is the identifier of the identity assigned to machines.
	// NOTE(review): presumably a user-assigned managed identity resource ID —
	// confirm.
	MachineIdentityID string `json:"machineIdentityID"`
	// SecurityGroupName is the name of the network security group applied to
	// cluster resources.
	SecurityGroupName string `json:"securityGroupName"`
}
// Release represents the metadata for an OCP release payload image.
type Release struct {
	// Image is the image pullspec of an OCP release payload image.
	//
	// The Pattern is only a coarse sanity check (a non-empty run of word
	// characters followed by non-whitespace); it does not validate registry,
	// repository, tag or digest syntax.
	//
	// +kubebuilder:validation:Pattern=^(\w+\S+)$
	Image string `json:"image"`
}
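// ClusterAutoscaling specifies auto-scaling behavior that applies to all
// NodePools associated with a control plane.
//
// Every field is optional; the json tags all carry omitempty and each field
// is marked +optional so the generated schema states that explicitly rather
// than relying on omitempty alone.
type ClusterAutoscaling struct {
	// MaxNodesTotal is the maximum allowable number of nodes across all NodePools
	// for a HostedCluster. The autoscaler will not grow the cluster beyond this
	// number.
	//
	// +kubebuilder:validation:Minimum=0
	// +optional
	MaxNodesTotal *int32 `json:"maxNodesTotal,omitempty"`
	// MaxPodGracePeriod is the maximum seconds to wait for graceful pod
	// termination before scaling down a NodePool. The default is 600 seconds.
	//
	// +kubebuilder:validation:Minimum=0
	// +optional
	MaxPodGracePeriod *int32 `json:"maxPodGracePeriod,omitempty"`
	// MaxNodeProvisionTime is the maximum time to wait for node provisioning
	// before considering the provisioning to be unsuccessful, expressed as a Go
	// duration string. The default is 15 minutes.
	//
	// +kubebuilder:validation:Pattern=^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$
	// +optional
	MaxNodeProvisionTime string `json:"maxNodeProvisionTime,omitempty"`
	// PodPriorityThreshold enables users to schedule "best-effort" pods, which
	// shouldn't trigger autoscaler actions, but only run when there are spare
	// resources available. The default is -10.
	//
	// See the following for more details:
	// https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption
	//
	// +optional
	PodPriorityThreshold *int32 `json:"podPriorityThreshold,omitempty"`
}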
// EtcdManagementType is an enum specifying the strategy for managing the cluster's etcd instance.
// +kubebuilder:validation:Enum=Managed;Unmanaged
type EtcdManagementType string

const (
	// Managed means HyperShift should provision and operate the etcd cluster
	// automatically.
	Managed EtcdManagementType = "Managed"
	// Unmanaged means HyperShift will not provision or manage the etcd cluster,
	// and the user is responsible for doing so.
	Unmanaged EtcdManagementType = "Unmanaged"
)
// EtcdSpec specifies configuration for a control plane etcd cluster.
//
// It is a union: ManagementType selects which of Managed or Unmanaged applies.
// NOTE(review): nothing visible here enforces that the member matching the
// discriminator is set (or that the other is unset); presumably a webhook or
// the controller does — confirm.
type EtcdSpec struct {
	// ManagementType defines how the etcd cluster is managed.
	//
	// +unionDiscriminator
	// +immutable
	ManagementType EtcdManagementType `json:"managementType"`
	// Managed specifies the behavior of an etcd cluster managed by HyperShift.
	// Relevant when ManagementType is Managed.
	//
	// +optional
	// +immutable
	Managed *ManagedEtcdSpec `json:"managed,omitempty"`
	// Unmanaged specifies configuration which enables the control plane to
	// integrate with an externally managed etcd cluster. Relevant when
	// ManagementType is Unmanaged. UnmanagedEtcdSpec is declared elsewhere in
	// this package, so how the external etcd endpoint and its client TLS are
	// configured is not visible here.
	//
	// +optional
	// +immutable
	Unmanaged *UnmanagedEtcdSpec `json:"unmanaged,omitempty"`
}
// ManagedEtcdSpec specifies the behavior of an etcd cluster managed by
// HyperShift.
type ManagedEtcdSpec struct {
	// Storage specifies how etcd data is persisted. Required (no omitempty, no
	// +optional marker).
	Storage ManagedEtcdStorageSpec `json:"storage"`
}
// ManagedEtcdStorageType is a storage type for an etcd cluster.
// PersistentVolume is currently the only value admitted by the Enum marker.
//
// +kubebuilder:validation:Enum=PersistentVolume
type ManagedEtcdStorageType string

const (
	// PersistentVolumeEtcdStorage uses PersistentVolumes for etcd storage.
	PersistentVolumeEtcdStorage ManagedEtcdStorageType = "PersistentVolume"
)
var (