diff --git a/.sops.yaml b/.sops.yaml
index 746c8d29..4bb3962a 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,4 @@ --- creation_rules: - - path_regex: cluster/.*\.sops\.ya?ml - encrypted_regex: "^(data|stringData)$" - key_groups: - - age: - - age1kky7jzc2x626xp4sfvpz7acytczqgdn7h2jxjqkjxzfd4kndcdxs8zr6ka + - age: >- + age1kky7jzc2x626xp4sfvpz7acytczqgdn7h2jxjqkjxzfd4kndcdxs8zr6ka
diff --git a/components/cilium/component.cue b/components/cilium/component.cue
new file mode 100644
index 00000000..0ebc490b
--- /dev/null
+++ b/components/cilium/component.cue
@@ -0,0 +1,21 @@
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+ Name: "cilium"
+ Namespace: "kube-system"
+ EnableHooks: true
+ Chart: {
+ name: "cilium"
+ version: "1.16.5"
+ repository: {
+ name: "cilium"
+ url: "https://helm.cilium.io"
+ }
+ }
+
+ Values: #Values
+
+ KustomizeConfig: Kustomization: namespace: Namespace
+}
diff --git a/components/cilium/values.cue b/components/cilium/values.cue
new file mode 100644
index 00000000..51b337b7
--- /dev/null
+++ b/components/cilium/values.cue
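Review bot: The rewritten creation rule drops both `path_regex` and `encrypted_regex`, so the single age recipient now applies to every path sops is pointed at and every value in a file is encrypted, not only `data`/`stringData`. For Kubernetes Secret manifests that means `apiVersion`, `kind` and `metadata` are no longer readable in the committed file, which matters for any tooling that inspects them before decryption. If collapsing to one broad rule is intentional, a one-line comment above it such as `# single rule: all paths, whole-document encryption` would make that explicit; I cannot tell from this hunk whether encrypted Secret manifests still exist under `cluster/`.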
@@ -0,0 +1,63 @@
+package holos
+
+#Values: {
+ rollOutCiliumPods: true
+ priorityClassName: "system-cluster-critical"
+ autoDirectNodeRoutes: false
+ bgp: {
+ enabled: false
+ announce: {
+ loadbalancerIP: true
+ podCIDR: false
+ }
+ }
+ bgpControlPlane: {
+ enabled: true
+ }
+ k8sNetworkPolicy: {
+ enabled: false
+ }
+ hubble: {
+ enabled: false
+ }
+ operator: {
+ enabled: true
+ rollOutPods: true
+ replicas: 1
+ priorityClassName: "system-cluster-critical"
+ }
+ enableCriticalPriorityClass: false
+
+ // Talos requirements
+ ipam: mode: "kubernetes"
+ kubeProxyReplacement: true
+ securityContext: capabilities: {
+ ciliumAgent: [
+ "CHOWN",
+ "KILL",
+ "NET_ADMIN",
+ "NET_RAW",
+ "IPC_LOCK",
+ "SYS_ADMIN",
+ "SYS_RESOURCE",
+ "DAC_OVERRIDE",
+ "FOWNER",
+ "SETGID",
+ "SETUID",
+ ]
+ cleanCiliumState: [
+ "NET_ADMIN",
+ "SYS_ADMIN",
+ "SYS_RESOURCE",
+ ]
+ }
+ cgroup: autoMount: enabled: false
+ cgroup: hostRoot: "/sys/fs/cgroup"
+
+ k8sServiceHost: "127.0.0.1" // Kubeprism
+ k8sServicePort: "7445"
+
+ l2announcements: enabled: true
+ externalIPs: enabled: true
+ devices: "eno+"
+}
diff --git a/components/coredns/component.cue b/components/coredns/component.cue
new file mode 100644
index 00000000..8a171793
--- /dev/null
+++ b/components/coredns/component.cue
@@ -0,0 +1,20 @@
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+ Name: "coredns"
+ Namespace: "kube-system"
+ Chart: {
+ name: "coredns"
+ version: "1.37.0"
+ repository: {
+ name: "coredns"
+ url: "https://coredns.github.io/helm"
+ }
+ }
+
+ Values: #Values
+
+ KustomizeConfig: Kustomization: namespace: Namespace
+}
diff --git a/components/coredns/values.cue b/components/coredns/values.cue
new file mode 100644
index 00000000..eb9a9f88
--- /dev/null
+++ b/components/coredns/values.cue
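Review bot: `k8sNetworkPolicy: enabled: false` tells Cilium not to enforce standard Kubernetes `NetworkPolicy` objects at all, so any namespace isolation expressed that way silently stops applying once this CNI is in place, and `hubble: enabled: false` removes the flow visibility that would reveal it. If the intent is to use `CiliumNetworkPolicy` exclusively, record that next to the field, e.g. `// Kubernetes NetworkPolicy is not enforced; use CiliumNetworkPolicy`; otherwise this should probably stay enabled. The `// Talos requirements` comment sits above the capability lists and cgroup settings, but `devices: "eno+"` and the L2/externalIPs toggles below it look like node- and site-specific choices rather than requirements, so a second comment separating the two groups would help.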
@@ -0,0 +1,55 @@
+package holos
+
+#Values: {
+ replicaCount: 2
+ resources: limits: cpu: null
+ service: {
+ clusterIP: "10.96.0.10"
+ }
+ serviceAccount: {
+ create: true
+ }
+ priorityClassName: "system-cluster-critical"
+
+ servers: [{
+ zones: [{zone: "."}]
+ port: 53
+ plugins: [{
+ name: "errors"
+ }, {
+ // Serves a /health endpoint on :8080, required for livenessProbe
+ name: "health"
+ configBlock: "lameduck 5s"
+ }, {
+
+ // Serves a /ready endpoint on :8181, required for readinessProbe
+ name: "ready"
+ }, {
+ // Required to query kubernetes API for data
+ name: "kubernetes"
+ parameters: "cluster.local in-addr.arpa ip6.arpa"
+ configBlock: """
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ ttl 30
+ """
+ }, {
+
+ // Serves a /metrics endpoint on :9153, required for serviceMonitor
+ name: "prometheus"
+ parameters: "0.0.0.0:9153"
+ }, {
+ name: "forward"
+ parameters: ". /etc/resolv.conf"
+ }, {
+ name: "cache"
+ parameters: 30
+ }, {
+ name: "loop"
+ }, {
+ name: "reload"
+ }, {
+ name: "loadbalance"
+ }]
+ }]
+}
diff --git a/components/forgejo/values.cue b/components/forgejo/values.cue
index dcfd64d4..cb2f2aaf 100644
--- a/components/forgejo/values.cue
+++ b/components/forgejo/values.cue
@@ -37,14 +37,14 @@ package holos http: { annotations: { "metallb.universe.tf/allow-shared-ip": "gitea-192.168.2.11" - "metallb.universe.tf/loadBalancerIPs": "192.168.2.11" + "lbipam.cilium.io/ips": "192.168.2.11" } type: "LoadBalancer" } ssh: { annotations: { "metallb.universe.tf/allow-shared-ip": "gitea-192.168.2.11" - "metallb.universe.tf/loadBalancerIPs": "192.168.2.11" + "lbipam.cilium.io/ips": "192.168.2.11" } type: "LoadBalancer" }
diff --git a/components/grafana/values.cue b/components/grafana/values.cue
index 889be426..08a9b38c 100644
--- a/components/grafana/values.cue
+++ b/components/grafana/values.cue
@@ -68,7 +68,7 @@ package holos } persistence: { enabled: true - size: "2Gi" + size: "1Gi" } plugins: [ "grafana-piechart-panel",
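Review bot: `parameters: 30` on the `cache` plugin is the only non-string `parameters` value in the list; every other plugin passes a string, so `parameters: "30"` keeps the list uniform instead of relying on the chart template to stringify an int. The `kubernetes` block uses `pods insecure`, which answers pod-IP lookups without confirming the pod exists; that is the usual default, but `pods verified` is the stricter mode if the cluster can afford the extra pod watch, and a one-line comment recording which was chosen and why would help the next reader.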
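Review bot: Both the `http` and `ssh` services now request `192.168.2.11` via `lbipam.cilium.io/ips`, but the `metallb.universe.tf/allow-shared-ip` annotation they still carry is a MetalLB-only hint that Cilium LB-IPAM does not read, so the intent to share one IP between the two services is no longer expressed to the controller that allocates it. Cilium LB-IPAM has its own `lbipam.cilium.io/sharing-key` annotation for this; replacing the stale one with `"lbipam.cilium.io/sharing-key": "gitea-192.168.2.11"` on both services would carry the intent forward. Whether the second service is actually denied the IP without it is inferred from the annotation semantics, not visible in this hunk.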
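Review bot: Changing `size` from `"2Gi"` to `"1Gi"` asks Kubernetes to shrink a claim, which is not supported; if the Grafana PVC already exists the upgrade is rejected or the value is ignored rather than applied. If the claim is being recreated on the new `ceph-block` class anyway this is fine, but a comment such as `// fresh claim on ceph-block; an existing PVC cannot be shrunk` would save the next reader the question. The `persistence` block continues outside the hunk.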
diff --git a/components/jellyfin/pvc.cue b/components/jellyfin/pvc.cue
new file mode 100644
index 00000000..4f868a2a
--- /dev/null
+++ b/components/jellyfin/pvc.cue
@@ -0,0 +1,22 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+ data: {
+ apiVersion: "v1"
+ metadata: name: "jellyfin-data"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+ cache: {
+ apiVersion: "v1"
+ metadata: name: "jellyfin-cache"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+}
diff --git a/components/jellyfin/values.cue b/components/jellyfin/values.cue
index 3601a133..30fc166e 100644
--- a/components/jellyfin/values.cue
+++ b/components/jellyfin/values.cue
@@ -32,18 +32,17 @@ package holos } persistence: { config: { - accessMode: "ReadWriteOnce" - enabled: true - globalMounts: [{path: "/config"}] - size: "1Gi" - type: "persistentVolumeClaim" + existingClaim: "jellyfin-data" + } + cache: { + enabled: true + existingClaim: "jellyfin-cache" + globalMounts: [{path: "/config/cache"}] } media: { - enabled: true + enabled: true + existingClaim: "media" globalMounts: [{path: "/media"}] - hostPath: "/media" - hostPathType: "Directory" - type: "hostPath" } transcode: { enabled: true
@@ -51,7 +50,7 @@ package holos } } service: main: { - annotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.7" + annotations: "lbipam.cilium.io/ips": "192.168.2.7" controller: "main" externalTrafficPolicy: "Local" ports: http: port: 8096
diff --git a/components/jellyseerr/pvc.cue b/components/jellyseerr/pvc.cue
new file mode 100644
index 00000000..0dae4058
--- /dev/null
+++ b/components/jellyseerr/pvc.cue
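Review bot: These claims are created on `ceph-block`, whose StorageClass in this same commit sets `reclaimPolicy: "Delete"`, and the chart-managed `retain: true` that linkding and mongodb carried before is dropped, so deleting a claim (or the component that owns it) now discards the data with nothing in Git marking it as protected. A comment on the block, e.g. `// ceph-block reclaims on Delete; back up before removing this claim`, would at least record the exposure, or application data could use a Retain-policy class. The same applies to the jellyseerr, linkding, mongodb, prowlarr, radarr, sabnzbd, sonarr and unifi `pvc.cue` files added in this commit.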
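Review bot: The `config` entry drops `enabled: true` and `globalMounts: [{path: "/config"}]` and keeps only `existingClaim`, whereas `cache` and `media` here (and the linkding, mongodb and unifi hunks) keep `enabled: true` explicitly; both forms presumably work if the chart defaults `enabled` and the mount path, but the mix makes it hard to tell which fields are load-bearing, so pick one form or note why `config` differs. Also, `existingClaim: "media"` refers to the claim created by the new `media-pvc` component in namespace `default`; PVC references are namespace-local, so this only resolves if jellyfin is deployed in that same namespace, which this hunk does not show.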
@@ -0,0 +1,13 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+ data: {
+ apiVersion: "v1"
+ metadata: name: "jellyseerr"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+}
diff --git a/components/jellyseerr/values.cue b/components/jellyseerr/values.cue
index 466ab7ed..6f7111ba 100644
--- a/components/jellyseerr/values.cue
+++ b/components/jellyseerr/values.cue
@@ -29,14 +29,11 @@ package holos }] } persistence: config: { - accessMode: "ReadWriteOnce" - enabled: true + existingClaim: "jellyseerr" globalMounts: [{path: "/app/config"}] - size: "1Gi" - type: "persistentVolumeClaim" } service: main: { - annotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.8" + annotations: "lbipam.cilium.io/ips": "192.168.2.8" controller: "main" externalTrafficPolicy: "Local" ports: http: port: 5055
diff --git a/components/linkding/pvc.cue b/components/linkding/pvc.cue
new file mode 100644
index 00000000..7bff0dc1
--- /dev/null
+++ b/components/linkding/pvc.cue
@@ -0,0 +1,13 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+ data: {
+ apiVersion: "v1"
+ metadata: name: "linkding-data"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+}
diff --git a/components/linkding/values.cue b/components/linkding/values.cue
index c83cdca1..656c59c1 100644
--- a/components/linkding/values.cue
+++ b/components/linkding/values.cue
@@ -38,15 +38,12 @@ package holos }] } persistence: data: { - accessMode: "ReadWriteOnce" - enabled: true + enabled: true + existingClaim: "linkding-data" globalMounts: [{path: "/etc/linkding/data"}] - retain: true - size: "1Gi" - type: "persistentVolumeClaim" } service: main: { - annotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.9" + annotations: "lbipam.cilium.io/ips": "192.168.2.9" controller: "main" externalTrafficPolicy: "Local" ports: http: port: 9090
diff --git a/components/media-pvc/component.cue b/components/media-pvc/component.cue
new file mode 100644
index 00000000..ee1b0f63
--- /dev/null
+++ b/components/media-pvc/component.cue
@@ -0,0 +1,20 @@
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Kustomize & {
+ Name: "media"
+ Namespace: "default"
+
+ KustomizeConfig: Kustomization: namespace: Namespace
+
+ Resources: PersistentVolumeClaim: (Name): {
+ apiVersion: "v1"
+ metadata: name: Name
+ spec: {
+ accessModes: ["ReadWriteMany"]
+ resources: requests: storage: "300Gi"
+ storageClassName: "ceph-filesystem"
+ }
+ }
+}
diff --git a/components/metrics-server/component.cue b/components/metrics-server/component.cue
new file mode 100644
index 00000000..3ea780df
--- /dev/null
+++ b/components/metrics-server/component.cue
@@ -0,0 +1,20 @@
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+ Name: "metrics-server"
+ Namespace: "kube-system"
+ Chart: {
+ name: "metrics-server"
+ version: "3.12.2"
+ repository: {
+ name: "metrics-server"
+ url: "https://kubernetes-sigs.github.io/metrics-server/"
+ }
+ }
+
+ Values: #Values
+
+ KustomizeConfig: Kustomization: namespace: Namespace
+}
diff --git a/components/metrics-server/values.cue b/components/metrics-server/values.cue
new file mode 100644
index 00000000..15f267c1
--- /dev/null
+++ b/components/metrics-server/values.cue
@@ -0,0 +1,19 @@
+package holos
+
+#Values: {
+ args: [
+ "--v=1",
+ "--cert-dir=/tmp",
+ "--kubelet-insecure-tls",
+ "--requestheader-client-ca-file=/var/run/ssl/auth-proxy-ca/requestheader-client-ca-file",
+ ]
+ extraVolumes: [{
+ name: "auth-proxy-ca-cert"
+ configMap: name: "extension-apiserver-authentication"
+ }]
+ extraVolumeMounts: [{
+ mountPath: "/var/run/ssl/auth-proxy-ca"
+ name: "auth-proxy-ca-cert"
+ readOnly: true
+ }]
+}
diff --git a/components/mongodb/pvc.cue b/components/mongodb/pvc.cue
new file mode 100644
index 00000000..54f7284f
--- /dev/null
+++ b/components/mongodb/pvc.cue
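Review bot: `--kubelet-insecure-tls` in the metrics-server `args` disables verification of the kubelet serving certificate, so metrics-server accepts whatever certificate is presented on the kubelet port; that is a deliberate trade-off on clusters whose kubelets use self-signed serving certs, but it should be documented as such rather than sit unexplained in the list. If the kubelets can present CA-signed serving certificates the flag can be dropped; otherwise add a comment like `// kubelet serving certs are self-signed here; remove once kubelet cert rotation/approval is in place`. The read-only `extension-apiserver-authentication` ConfigMap mount backing `--requestheader-client-ca-file` looks right.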
@@ -0,0 +1,13 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+ data: {
+ apiVersion: "v1"
+ metadata: name: "mongo-data"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+}
diff --git a/components/mongodb/values.cue b/components/mongodb/values.cue
index c108936d..28a953ba 100644
--- a/components/mongodb/values.cue
+++ b/components/mongodb/values.cue
@@ -17,12 +17,9 @@ package holos } persistence: { data: { - accessMode: "ReadWriteOnce" - enabled: true + enabled: true + existingClaim: "mongo-data" globalMounts: [{path: "/data/db"}] - retain: true - size: "8Gi" - type: "persistentVolumeClaim" } initdb: { enabled: true
diff --git a/components/nginx-external/values.cue b/components/nginx-external/values.cue
index 558920c6..0319cca2 100644
--- a/components/nginx-external/values.cue
+++ b/components/nginx-external/values.cue
@@ -54,7 +54,7 @@ package holos } service: annotations: { "external-dns.alpha.kubernetes.io/hostname": "external.brenix.com" - "metallb.universe.tf/loadBalancerIPs": "192.168.2.20" + "lbipam.cilium.io/ips": "192.168.2.20" } terminationGracePeriodSeconds: 120 topologySpreadConstraints: [{
diff --git a/components/nginx-internal/values.cue b/components/nginx-internal/values.cue
index 8ff54c59..fc706578 100644
--- a/components/nginx-internal/values.cue
+++ b/components/nginx-internal/values.cue
@@ -52,7 +52,7 @@ package holos } service: annotations: { "external-dns.alpha.kubernetes.io/hostname": "internal.brenix.com" - "metallb.universe.tf/loadBalancerIPs": "192.168.2.21" + "lbipam.cilium.io/ips": "192.168.2.21" } terminationGracePeriodSeconds: 120 topologySpreadConstraints: [{
diff --git a/components/onepassword-connect/values.cue b/components/onepassword-connect/values.cue
index 527fe49f..87d410f8 100644
--- a/components/onepassword-connect/values.cue
+++ b/components/onepassword-connect/values.cue
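Review bot: The replacement claim `mongo-data` in `pvc.cue` is `1Gi`, while the lines removed from `values.cue` sized the chart-managed volume at `8Gi` with `retain: true`; unless the existing data is moved into the new claim this is both a shrink and a change of identity for the database volume. If migration is handled elsewhere, record it on the `data` block, e.g. `// replaces the 8Gi chart-managed PVC; data migrated manually`; if not, the new claim should probably match the old size. The `persistence` block in `values.cue` continues outside the hunk.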
@@ -2,6 +2,6 @@ package holos #Values: connect: { credentialsName: "onepassword-connect-secret" - serviceAnnotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.12" + serviceAnnotations: "lbipam.cilium.io/ips": "192.168.2.12" serviceType: "LoadBalancer" }
diff --git a/components/prowlarr/pvc.cue b/components/prowlarr/pvc.cue
new file mode 100644
index 00000000..3b1c7c60
--- /dev/null
+++ b/components/prowlarr/pvc.cue
@@ -0,0 +1,13 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+ data: {
+ apiVersion: "v1"
+ metadata: name: "prowlarr"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+}
diff --git a/components/prowlarr/values.cue b/components/prowlarr/values.cue
index 99d18497..e65fc493 100644
--- a/components/prowlarr/values.cue
+++ b/components/prowlarr/values.cue
@@ -29,14 +29,10 @@ package holos }] } persistence: config: { - accessMode: "ReadWriteOnce" - enabled: true - globalMounts: [{path: "/config"}] - size: "1Gi" - type: "persistentVolumeClaim" + existingClaim: "prowlarr" } service: main: { - annotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.5" + annotations: "lbipam.cilium.io/ips": "192.168.2.5" controller: "main" externalTrafficPolicy: "Local" ports: http: port: 9696
diff --git a/components/radarr/pvc.cue b/components/radarr/pvc.cue
new file mode 100644
index 00000000..0d31f79c
--- /dev/null
+++ b/components/radarr/pvc.cue
@@ -0,0 +1,22 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+ data: {
+ apiVersion: "v1"
+ metadata: name: "radarr-data"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+ cache: {
+ apiVersion: "v1"
+ metadata: name: "radarr-cache"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+}
diff --git a/components/radarr/values.cue b/components/radarr/values.cue
index 2b4c3e1f..01a5f9e2 100644
--- a/components/radarr/values.cue
+++ b/components/radarr/values.cue
@@ -47,29 +47,20 @@ package holos } persistence: { config: { - accessMode: "ReadWriteOnce" - enabled: true - globalMounts: [{path: "/config"}] - size: "1Gi" - type: "persistentVolumeClaim" + existingClaim: "radarr-data" } - downloads: { - enabled: true - globalMounts: [{path: "/downloads"}] - hostPath: "/media/downloads" - hostPathType: "Directory" - type: "hostPath" + cache: { + existingClaim: "radarr-cache" + globalMounts: [{path: "/config/MediaCover"}] } media: { - enabled: true - globalMounts: [{path: "/media"}] - hostPath: "/media" - hostPathType: "Directory" - type: "hostPath" + enabled: true + existingClaim: "media" + globalMounts: [{path: "/media"}, {path: "/downloads", subPath: "downloads"}] } } service: main: { - annotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.3" + annotations: "lbipam.cilium.io/ips": "192.168.2.3" controller: "main" externalTrafficPolicy: "Local" ports: http: port: 7878
diff --git a/components/rook-ceph-cluster/component.cue b/components/rook-ceph-cluster/component.cue
new file mode 100644
index 00000000..8df67c87
--- /dev/null
+++ b/components/rook-ceph-cluster/component.cue
@@ -0,0 +1,21 @@
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+ Name: "rook-ceph-cluster"
+ Namespace: "rook-ceph"
+ Chart: {
+ name: "rook-ceph-cluster"
+ release: "rook-ceph-cluster"
+ version: "1.15.7"
+ repository: {
+ name: "rook-ceph"
+ url: "https://charts.rook.io/release"
+ }
+ }
+
+ Values: #Values
+
+ KustomizeConfig: Kustomization: namespace: Namespace
+}
diff --git a/components/rook-ceph-cluster/values.cue b/components/rook-ceph-cluster/values.cue
new file mode 100644
index 00000000..747b3dd0
--- /dev/null
+++ b/components/rook-ceph-cluster/values.cue
@@ -0,0 +1,150 @@
+package holos
+
+#Values: {
+ monitoring: {
+ enabled: true
+ createPrometheusRules: true
+ }
+ ingress: dashboard: {
+ ingressClassName: "internal-nginx"
+ host: {
+ name: "rook.brenix.com"
+ path: "/"
+ }
+ }
+ toolbox: enabled: false
+ configOverride: """
+ [global]
+ bdev_enable_discard = true
+ bdev_async_discard = true
+ osd_class_update_on_start = false
+
+ """
+ cephClusterSpec: {
+ crashCollector: disable: true
+ dashboard: {
+ enabled: true
+ urlPrefix: "/"
+ ssl: false
+ prometheusEndpoint: "http://prometheus-operated.monitoring.svc.cluster.local:9090"
+ }
+ network: {
+ provider: "host"
+ connections: requireMsgr2: true
+ }
+ resources: {
+ mgr: {
+ requests: {
+ cpu: "100m"
+ memory: "512Mi"
+ }
+ limits: memory: "2Gi"
+ }
+ mon: {
+ requests: {
+ cpu: "50m"
+ memory: "512Mi"
+ }
+ limits: memory: "1Gi"
+ }
+ osd: {
+ requests: {
+ cpu: "500m"
+ memory: "2Gi"
+ }
+ limits: memory: "4Gi"
+ }
+ "mgr-sidecar": {
+ requests: {
+ cpu: "50m"
+ memory: "128Mi"
+ }
+ limits: memory: "256Mi"
+ }
+ }
+ // storage: {
+ // useAllNodes: false
+ // useAllDevices: false
+ // config: osdsPerDevice: "1"
+ // }
+ }
+ cephBlockPools: [{
+ name: "ceph-blockpool"
+ spec: {
+ failureDomain: "host"
+ replicated: size: 3
+ }
+ storageClass: {
+ enabled: true
+ name: "ceph-block"
+ isDefault: true
+ reclaimPolicy: "Delete"
+ allowVolumeExpansion: true
+ volumeBindingMode: "Immediate"
+ parameters: {
+ imageFormat: "2"
+ imageFeatures: "layering"
+ "csi.storage.k8s.io/provisioner-secret-name": "rook-csi-rbd-provisioner"
+ "csi.storage.k8s.io/provisioner-secret-namespace": "rook-ceph"
+ "csi.storage.k8s.io/controller-expand-secret-name": "rook-csi-rbd-provisioner"
+ "csi.storage.k8s.io/controller-expand-secret-namespace": "rook-ceph"
+ "csi.storage.k8s.io/node-stage-secret-name": "rook-csi-rbd-node"
+ "csi.storage.k8s.io/node-stage-secret-namespace": "rook-ceph"
+ "csi.storage.k8s.io/fstype": "ext4"
+ }
+ }
+ }]
+ // cephBlockPoolsVolumeSnapshotClass: {
+ // 
enabled: true
+ // name: "csi-ceph-blockpool"
+ // isDefault: false
+ // deletionPolicy: "Delete"
+ // }
+ cephFileSystems: [{
+ name: "ceph-filesystem"
+ spec: {
+ metadataPool: replicated: size: 3
+ dataPools: [{
+ failureDomain: "host"
+ replicated: size: 3
+ name: "data0"
+ }]
+ metadataServer: {
+ activeCount: 1
+ activeStandby: true
+ priorityClassName: "system-cluster-critical"
+ resources: {
+ requests: {
+ cpu: "100m"
+ memory: "1Gi"
+ }
+ limits: memory: "3Gi"
+ }
+ }
+ }
+ storageClass: {
+ enabled: true
+ isDefault: false
+ name: "ceph-filesystem"
+ reclaimPolicy: "Delete"
+ allowVolumeExpansion: true
+ volumeBindingMode: "Immediate"
+ parameters: {
+ "csi.storage.k8s.io/provisioner-secret-name": "rook-csi-cephfs-provisioner"
+ "csi.storage.k8s.io/provisioner-secret-namespace": "rook-ceph"
+ "csi.storage.k8s.io/controller-expand-secret-name": "rook-csi-cephfs-provisioner"
+ "csi.storage.k8s.io/controller-expand-secret-namespace": "rook-ceph"
+ "csi.storage.k8s.io/node-stage-secret-name": "rook-csi-cephfs-node"
+ "csi.storage.k8s.io/node-stage-secret-namespace": "rook-ceph"
+ "csi.storage.k8s.io/fstype": "ext4"
+ }
+ }
+ }]
+ // cephFileSystemVolumeSnapshotClass: {
+ // enabled: true
+ // name: "csi-ceph-filesystem"
+ // isDefault: false
+ // deletionPolicy: "Delete"
+ // }
+ cephObjectStores: []
+}
diff --git a/components/rook-ceph-operator/component.cue b/components/rook-ceph-operator/component.cue
new file mode 100644
index 00000000..55e058ed
--- /dev/null
+++ b/components/rook-ceph-operator/component.cue
@@ -0,0 +1,21 @@
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+ Name: "rook-ceph-operator"
+ Namespace: "rook-ceph"
+ Chart: {
+ name: "rook-ceph"
+ release: "rook-ceph-operator"
+ version: "1.15.7"
+ repository: {
+ name: "rook-ceph"
+ url: "https://charts.rook.io/release"
+ }
+ }
+
+ Values: #Values
+
+ KustomizeConfig: Kustomization: namespace: Namespace
+}
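Review bot: With the `storage:` block commented out in `cephClusterSpec`, `useAllNodes`/`useAllDevices` fall back to the rook-ceph-cluster chart defaults, which as far as I recall are `true`, so Rook will claim every unformatted device on every node; the commented-out `false` values suggest the opposite was intended, so either restore them with an explicit device filter or add a comment stating that consuming all devices is wanted. Separately, `dashboard.ssl: false` together with the `rook.brenix.com` ingress means the mgr dashboard and its login travel in plaintext between the ingress controller and the mgr pod on the host network; acceptable on a trusted cluster network, but worth a `// dashboard TLS is terminated at the ingress only` comment. This hunk starts on the previous line of the diff.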
diff --git a/components/rook-ceph-operator/values.cue b/components/rook-ceph-operator/values.cue
new file mode 100644
index 00000000..e64ea5d3
--- /dev/null
+++ b/components/rook-ceph-operator/values.cue
@@ -0,0 +1,11 @@
+package holos
+
+#Values: {
+ resources: limits: null
+ csi: {
+ enableVolumeGroupSnapshot: false // TODO: enable when v1beta1 CRDs are available
+ cephFSKernelMountOptions: "ms_mode=prefer-crc"
+ enableLiveness: true
+ }
+ enableDiscoveryDaemon: true
+}
diff --git a/components/sabnzbd/pvc.cue b/components/sabnzbd/pvc.cue
new file mode 100644
index 00000000..70c7653f
--- /dev/null
+++ b/components/sabnzbd/pvc.cue
@@ -0,0 +1,13 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+ data: {
+ apiVersion: "v1"
+ metadata: name: "sabnzbd"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+}
diff --git a/components/sabnzbd/values.cue b/components/sabnzbd/values.cue
index fa00a61c..bce3b5ba 100644
--- a/components/sabnzbd/values.cue
+++ b/components/sabnzbd/values.cue
@@ -61,22 +61,16 @@ package holos } persistence: { config: { - accessMode: "ReadWriteOnce" - enabled: true - globalMounts: [{path: "/config"}] - size: "1Gi" - type: "persistentVolumeClaim" + existingClaim: "sabnzbd" } downloads: { - enabled: true - globalMounts: [{path: "/downloads"}] - hostPath: "/media/downloads" - hostPathType: "Directory" - type: "hostPath" + enabled: true + existingClaim: "media" + globalMounts: [{path: "/downloads", subPath: "downloads"}] } } service: main: { - annotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.10" + annotations: "lbipam.cilium.io/ips": "192.168.2.10" controller: "main" externalTrafficPolicy: "Local" ports: http: port: 8080
diff --git a/components/samba/values.cue b/components/samba/values.cue
index f57cf925..270c3f83 100644
--- a/components/samba/values.cue
+++ b/components/samba/values.cue
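Review bot: `cephFSKernelMountOptions: "ms_mode=prefer-crc"` selects the msgr2 CRC mode for CephFS kernel mounts, i.e. integrity checking without encryption on the wire; that is consistent with `requireMsgr2: true` in the cluster values, but if encrypted client traffic is wanted the option is `ms_mode=secure` (or `prefer-secure`). A comment beside the field stating that in-transit encryption was deliberately not enabled would make the choice reviewable, in the same way `enableVolumeGroupSnapshot: false` already carries its own TODO.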
@@ -63,26 +63,15 @@ package holos name: "samba-config" type: "configMap" } - downloads: { - enabled: true - globalMounts: [{path: "/downloads"}] - hostPath: "/media/downloads" - hostPathType: "Directory" - type: "hostPath" - } media: { - enabled: true - globalMounts: [{path: "/media"}] - hostPath: "/media" - hostPathType: "Directory" - type: "hostPath" + enabled: true + existingClaim: "media" + globalMounts: [{path: "/media"}, {path: "/downloads", subPath: "downloads"}] } temp: { enabled: true globalMounts: [{path: "/temp"}] - hostPath: "/tmp" - hostPathType: "Directory" - type: "hostPath" + type: "emptyDir" } } service: main: {
diff --git a/components/sonarr/pvc.cue b/components/sonarr/pvc.cue
new file mode 100644
index 00000000..8e8476ef
--- /dev/null
+++ b/components/sonarr/pvc.cue
@@ -0,0 +1,22 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+ data: {
+ apiVersion: "v1"
+ metadata: name: "sonarr-data"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+ cache: {
+ apiVersion: "v1"
+ metadata: name: "sonarr-cache"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+}
diff --git a/components/sonarr/values.cue b/components/sonarr/values.cue
index e221d943..20157bf3 100644
--- a/components/sonarr/values.cue
+++ b/components/sonarr/values.cue
@@ -47,28 +47,20 @@ package holos } persistence: { config: { - accessMode: "ReadWriteOnce" - enabled: true - globalMounts: [{path: "/config"}] - size: "1Gi" - type: "persistentVolumeClaim" + existingClaim: "sonarr-data" } - downloads: { - enabled: true - globalMounts: [{path: "/downloads"}] - hostPath: "/media/downloads" - type: "hostPath" + cache: { + existingClaim: "sonarr-cache" + globalMounts: [{path: "/config/MediaCover"}] } media: { - enabled: true - globalMounts: [{path: "/media"}] - hostPath: "/media" - hostPathType: "Directory" - type: "hostPath" + enabled: true + existingClaim: "media" + globalMounts: [{path: "/media"}, {path: "/downloads", subPath: "downloads"}] } } service: main: { - annotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.4" + annotations: "lbipam.cilium.io/ips": "192.168.2.4" controller: "main" externalTrafficPolicy: "Local" ports: http: port: 8989
diff --git a/components/stirlingpdf/values.cue b/components/stirlingpdf/values.cue
index 64c8efee..e649d133 100644
--- a/components/stirlingpdf/values.cue
+++ b/components/stirlingpdf/values.cue
@@ -28,7 +28,7 @@ package holos }] } service: main: { - annotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.14" + annotations: "lbipam.cilium.io/ips": "192.168.2.14" controller: "main" externalTrafficPolicy: "Local" ports: http: port: 8080
diff --git a/components/unifi/pvc.cue b/components/unifi/pvc.cue
new file mode 100644
index 00000000..91ad78c5
--- /dev/null
+++ b/components/unifi/pvc.cue
@@ -0,0 +1,13 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+ data: {
+ apiVersion: "v1"
+ metadata: name: "unifi-data"
+ spec: {
+ accessModes: ["ReadWriteOnce"]
+ resources: requests: storage: "1Gi"
+ storageClassName: "ceph-block"
+ }
+ }
+}
diff --git a/components/unifi/values.cue b/components/unifi/values.cue
index 058cd334..577409fe 100644
--- a/components/unifi/values.cue
+++ b/components/unifi/values.cue
@@ -36,14 +36,12 @@ package holos }] } persistence: data: { - accessMode: "ReadWriteOnce" - enabled: true + enabled: true + existingClaim: "unifi-data" globalMounts: [{path: "/config"}] - size: "1Gi" - type: "persistentVolumeClaim" } service: main: { - annotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.2" + annotations: "lbipam.cilium.io/ips": "192.168.2.2" controller: "main" externalTrafficPolicy: "Local" ports: {
diff --git a/cue.mod/gen/github.com/holos-run/holos/api/core/v1alpha5/types_go_gen.cue b/cue.mod/gen/github.com/holos-run/holos/api/core/v1alpha5/types_go_gen.cue
index 7a6a5ddd..2eb23fef 100644
--- a/cue.mod/gen/github.com/holos-run/holos/api/core/v1alpha5/types_go_gen.cue
+++ b/cue.mod/gen/github.com/holos-run/holos/api/core/v1alpha5/types_go_gen.cue
@@ -334,6 +334,11 @@ package core // Injected as the tag variable "holos_component_path". path: string @go(Path) + // Instances represents additional cue instance paths to unify with Path. + // Useful to unify data files into a component BuildPlan. Added in holos + // 0.101.7. + instances?: [...#Instance] @go(Instances,[]Instance) + // WriteTo represents the holos render component --write-to flag. If empty, // the default value for the --write-to flag is used. writeTo?: string @go(WriteTo)
@@ -353,3 +358,28 @@ package core // `cli.holos.run/description` to customize the log message of each BuildPlan. annotations?: {[string]: string} @go(Annotations,map[string]string) }
+
+// Instance represents a data instance to unify with the configuration.
+
+// Useful to unify json and yaml files with cue configuration files for
+// integration with other tools. For example, executing holos render platform
+// from a pull request workflow after [Kargo] executes the [yaml update] and
+// [git wait for pr] promotion steps.
+
+// [Kargo]: https://docs.kargo.io/
+// [yaml update]: https://docs.kargo.io/references/promotion-steps#yaml-update
+// [git wait for pr]: https://docs.kargo.io/references/promotion-steps#git-wait-for-pr
+#Instance: {
+ // Kind is a discriminator.
+ kind: string & "ExtractYAML" @go(Kind)
+
+ // Ignored unless kind is ExtractYAML.
+ extractYAML?: #ExtractYAML @go(ExtractYAML)
+}
+
+// ExtractYAML represents a cue data instance encoded as yaml or json. If Path
+// refers to a directory all files in the directory are extracted
+// non-recursively. Otherwise, path must refer to a file.
+#ExtractYAML: {
+ path: string @go(Path)
+}
diff --git a/cue.mod/gen/kargo.akuity.io/freight/v1alpha1/types_gen.cue b/cue.mod/gen/kargo.akuity.io/freight/v1alpha1/types_gen.cue
new file mode 100644
index 00000000..c4efe764
--- /dev/null
+++ b/cue.mod/gen/kargo.akuity.io/freight/v1alpha1/types_gen.cue
@@ -0,0 +1,154 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /Users/jeff/Holos/kargo-demo/deploy/components/kargo/kargo.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// Freight represents a collection of versioned artifacts.
+#Freight: {
+ // Alias is a human-friendly alias for a piece of Freight. This is
+ // an optional
+ // field. A defaulting webhook will sync this field with the value
+ // of the
+ // kargo.akuity.io/alias label. When the alias label is not
+ // present or differs
+ // from the value of this field, the defaulting webhook will set
+ // the label to
+ // the value of this field. If the alias label is present and this
+ // field is
+ // empty, the defaulting webhook will set the value of this field
+ // to the value
+ // of the alias label. If this field is empty and the alias label
+ // is not
+ // present, the defaulting webhook will choose an available alias
+ // and assign
+ // it to both the field and label.
+ alias?: string
+
+ // APIVersion defines the versioned schema of this representation
+ // of an object.
+ // Servers should convert recognized schemas to the latest
+ // internal value, and
+ // may reject unrecognized values.
+ // More info:
+ // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ apiVersion: "kargo.akuity.io/v1alpha1"
+
+ // Charts describes specific versions of specific Helm charts.
+ charts?: [...{
+ // Name specifies the name of the chart.
+ name?: string
+
+ // RepoURL specifies the URL of a Helm chart repository. Classic
+ // chart
+ // repositories (using HTTP/S) can contain differently named
+ // charts. When this
+ // field points to such a repository, the Name field will specify
+ // the name of
+ // the chart within the repository. In the case of a repository
+ // within an OCI
+ // registry, the URL implicitly points to a specific chart and the
+ // Name field
+ // will be empty.
+ repoURL?: string
+
+ // Version specifies a particular version of the chart.
+ version?: string
+ }]
+
+ // Commits describes specific Git repository commits.
+ commits?: [...{
+ // Author is the author of the commit.
+ author?: string
+
+ // Branch denotes the branch of the repository where this commit
+ // was found.
+ branch?: string
+
+ // Committer is the person who committed the commit.
+ committer?: string
+
+ // ID is the ID of a specific commit in the Git repository
+ // specified by
+ // RepoURL.
+ id?: string
+
+ // Message is the message associated with the commit. At present,
+ // this only
+ // contains the first line (subject) of the commit message.
+ message?: string
+
+ // RepoURL is the URL of a Git repository.
+ repoURL?: string
+
+ // Tag denotes a tag in the repository that matched selection
+ // criteria and
+ // resolved to this commit.
+ tag?: string
+ }]
+
+ // Images describes specific versions of specific container
+ // images.
+ images?: [...{
+ // Digest identifies a specific version of the image in the
+ // repository
+ // specified by RepoURL. This is a more precise identifier than
+ // Tag.
+ digest?: string
+
+ // GitRepoURL specifies the URL of a Git repository that contains
+ // the source
+ // code for the image repository referenced by the RepoURL field
+ // if Kargo was
+ // able to infer it.
+ gitRepoURL?: string
+
+ // RepoURL describes the repository in which the image can be
+ // found.
+ repoURL?: string
+
+ // Tag identifies a specific version of the image in the
+ // repository specified
+ // by RepoURL.
+ tag?: string
+ }]
+
+ // Kind is a string value representing the REST resource this
+ // object represents.
+ // Servers may infer this from the endpoint the client submits
+ // requests to.
+ // Cannot be updated.
+ // In CamelCase.
+ // More info:
+ // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ kind: "Freight"
+ metadata!: {
+ name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+ string
+ }
+ namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+ string
+ }
+ labels?: {
+ [string]: string
+ }
+ annotations?: {
+ [string]: string
+ }
+ }
+
+ // Origin describes a kind of Freight in terms of its origin.
+ origin: {
+ // Kind is the kind of resource from which Freight may have
+ // originated. At
+ // present, this can only be "Warehouse".
+ kind: "Warehouse"
+
+ // Name is the name of the resource of the kind indicated by the
+ // Kind field
+ // from which Freight may originated.
+ name: string
+ }
+}
diff --git a/cue.mod/gen/kargo.akuity.io/project/v1alpha1/types_gen.cue b/cue.mod/gen/kargo.akuity.io/project/v1alpha1/types_gen.cue
new file mode 100644
index 00000000..bde564fe
--- /dev/null
+++ b/cue.mod/gen/kargo.akuity.io/project/v1alpha1/types_gen.cue
@@ -0,0 +1,72 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f /Users/jeff/Holos/kargo-demo/deploy/components/kargo/kargo.gen.yaml + +package v1alpha1 + +import "strings" + +// Project is a resource type that reconciles to a specially +// labeled namespace +// and other TODO: TBD project-level resources. +#Project: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "kargo.akuity.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Project" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec describes a Project. + spec!: #ProjectSpec +} +#ProjectSpec: { + // PromotionPolicies defines policies governing the promotion of + // Freight to + // specific Stages within this Project. + promotionPolicies?: [...{ + // AutoPromotionEnabled indicates whether new Freight can + // automatically be + // promoted into the Stage referenced by the Stage field. Note: + // There are may + // be other conditions also required for an auto-promotion to + // occur. This + // field defaults to false, but is commonly set to true for Stages + // that + // subscribe to Warehouses instead of other, upstream Stages. 
This + // allows + // users to define Stages that are automatically updated as soon + // as new + // artifacts are detected. + autoPromotionEnabled?: bool + stage: strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] +} diff --git a/cue.mod/gen/kargo.akuity.io/promotion/v1alpha1/types_gen.cue b/cue.mod/gen/kargo.akuity.io/promotion/v1alpha1/types_gen.cue new file mode 100644 index 00000000..882f2bbc --- /dev/null +++ b/cue.mod/gen/kargo.akuity.io/promotion/v1alpha1/types_gen.cue 
@@ -0,0 +1,163 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f /Users/jeff/Holos/kargo-demo/deploy/components/kargo/kargo.gen.yaml + +package v1alpha1 + +import "strings" + +// Promotion represents a request to transition a particular Stage +// into a +// particular Freight. +#Promotion: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "kargo.akuity.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Promotion" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec describes the desired transition of a specific Stage into + // a specific + // Freight. + spec!: #PromotionSpec +} + +// Spec describes the desired transition of a specific Stage into +// a specific +// Freight. +#PromotionSpec: { + // Freight specifies the piece of Freight to be promoted into the + // Stage + // referenced by the Stage field. + freight: strings.MinRunes(1) + + // Stage specifies the name of the Stage to which this Promotion + // applies. The Stage referenced by this field MUST be in the same + // namespace as the Promotion. 
+ stage: strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Steps specifies the directives to be executed as part of this + // Promotion. + // The order in which the directives are executed is the order in + // which they + // are listed in this field. + steps?: [...{ + // As is the alias this step can be referred to as. + as?: string + + // Config is opaque configuration for the PromotionStep that is + // understood + // only by each PromotionStep's implementation. It is legal to + // utilize + // expressions in defining values at any level of this block. + // See https://docs.kargo.io/references/expression-language for + // details. + config?: _ + + // Retry is the retry policy for this step. + retry?: { + // ErrorThreshold is the number of consecutive times the step must + // fail (for + // any reason) before retries are abandoned and the entire + // Promotion is marked + // as failed. + // + // If this field is set to 0, the effective default will be a + // step-specific + // one. If no step-specific default exists (i.e. is also 0), the + // effective + // default will be the system-wide default of 1. + // + // A value of 1 will cause the Promotion to be marked as failed + // after just + // a single failure; i.e. no retries will be attempted. + // + // There is no option to specify an infinite number of retries + // using a value + // such as -1. + // + // In a future release, Kargo is likely to become capable of + // distinguishing + // between recoverable and non-recoverable step failures. At that + // time, it is + // planned that unrecoverable failures will not be subject to this + // threshold + // and will immediately cause the Promotion to be marked as failed + // without + // further condition. 
+ errorThreshold?: int + + // Timeout is the soft maximum interval in which a step that + // returns a Running + // status (which typically indicates it's waiting for something to + // happen) + // may be retried. + // + // The maximum is a soft one because the check for whether the + // interval has + // elapsed occurs AFTER the step has run. This effectively means a + // step may + // run ONCE beyond the close of the interval. + // + // If this field is set to nil, the effective default will be a + // step-specific + // one. If no step-specific default exists (i.e. is also nil), the + // effective + // default will be the system-wide default of 0. + // + // A value of 0 will cause the step to be retried indefinitely + // unless the + // ErrorThreshold is reached. + timeout?: string + } + + // Uses identifies a runner that can execute this step. + uses: strings.MinRunes(1) + }] + + // Vars is a list of variables that can be referenced by + // expressions in + // promotion steps. + vars?: [...{ + // Name is the name of the variable. + name: strings.MinRunes(1) & { + =~"^[a-zA-Z_]\\w*$" + } + + // Value is the value of the variable. It is allowed to utilize + // expressions + // in the value. + // See https://docs.kargo.io/references/expression-language for + // details. + value: string + }] +} diff --git a/cue.mod/gen/kargo.akuity.io/stage/v1alpha1/types_gen.cue b/cue.mod/gen/kargo.akuity.io/stage/v1alpha1/types_gen.cue new file mode 100644 index 00000000..e0956967 --- /dev/null +++ b/cue.mod/gen/kargo.akuity.io/stage/v1alpha1/types_gen.cue 
@@ -0,0 +1,264 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f /Users/jeff/Holos/kargo-demo/deploy/components/kargo/kargo.gen.yaml + +package v1alpha1 + +import "strings" + +// Stage is the Kargo API's main type. +#Stage: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "kargo.akuity.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Stage" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec describes sources of Freight used by the Stage and how to + // incorporate + // Freight into the Stage. + spec!: #StageSpec +} + +// Spec describes sources of Freight used by the Stage and how to +// incorporate +// Freight into the Stage. +#StageSpec: { + promotionTemplate?: { + // PromotionTemplateSpec describes the (partial) specification of + // a Promotion + // for a Stage. This is a template that can be used to create a + // Promotion for a + // Stage. + spec: { + // Steps specifies the directives to be executed as part of a + // Promotion. + // The order in which the directives are executed is the order in + // which they + // are listed in this field. + steps?: [...{ + // As is the alias this step can be referred to as. 
+ as?: string + + // Config is opaque configuration for the PromotionStep that is + // understood + // only by each PromotionStep's implementation. It is legal to + // utilize + // expressions in defining values at any level of this block. + // See https://docs.kargo.io/references/expression-language for + // details. + config?: _ + + // Retry is the retry policy for this step. + retry?: { + // ErrorThreshold is the number of consecutive times the step must + // fail (for + // any reason) before retries are abandoned and the entire + // Promotion is marked + // as failed. + // + // If this field is set to 0, the effective default will be a + // step-specific + // one. If no step-specific default exists (i.e. is also 0), the + // effective + // default will be the system-wide default of 1. + // + // A value of 1 will cause the Promotion to be marked as failed + // after just + // a single failure; i.e. no retries will be attempted. + // + // There is no option to specify an infinite number of retries + // using a value + // such as -1. + // + // In a future release, Kargo is likely to become capable of + // distinguishing + // between recoverable and non-recoverable step failures. At that + // time, it is + // planned that unrecoverable failures will not be subject to this + // threshold + // and will immediately cause the Promotion to be marked as failed + // without + // further condition. + errorThreshold?: int + + // Timeout is the soft maximum interval in which a step that + // returns a Running + // status (which typically indicates it's waiting for something to + // happen) + // may be retried. + // + // The maximum is a soft one because the check for whether the + // interval has + // elapsed occurs AFTER the step has run. This effectively means a + // step may + // run ONCE beyond the close of the interval. + // + // If this field is set to nil, the effective default will be a + // step-specific + // one. If no step-specific default exists (i.e. 
is also nil), the + // effective + // default will be the system-wide default of 0. + // + // A value of 0 will cause the step to be retried indefinitely + // unless the + // ErrorThreshold is reached. + timeout?: string + } + + // Uses identifies a runner that can execute this step. + uses: strings.MinRunes(1) + }] & [_, ...] + + // Vars is a list of variables that can be referenced by + // expressions in + // promotion steps. + vars?: [...{ + // Name is the name of the variable. + name: strings.MinRunes(1) & { + =~"^[a-zA-Z_]\\w*$" + } + + // Value is the value of the variable. It is allowed to utilize + // expressions + // in the value. + // See https://docs.kargo.io/references/expression-language for + // details. + value: string + }] + } + } + + // RequestedFreight expresses the Stage's need for certain pieces + // of Freight, + // each having originated from a particular Warehouse. This list + // must be + // non-empty. In the common case, a Stage will request Freight + // having + // originated from just one specific Warehouse. In advanced cases, + // requesting + // Freight from multiple Warehouses provides a method of advancing + // new + // artifacts of different types through parallel pipelines at + // different + // speeds. This can be useful, for instance, if a Stage is home to + // multiple + // microservices that are independently versioned. + requestedFreight: [...{ + // Origin specifies from where the requested Freight must have + // originated. + // This is a required field. + origin: { + // Kind is the kind of resource from which Freight may have + // originated. At + // present, this can only be "Warehouse". + kind: "Warehouse" + + // Name is the name of the resource of the kind indicated by the + // Kind field + // from which Freight may originated. + name: string + } + + // Sources describes where the requested Freight may be obtained + // from. This is + // a required field. 
+ sources: { + // Direct indicates the requested Freight may be obtained directly + // from the + // Warehouse from which it originated. If this field's value is + // false, then + // the value of the Stages field must be non-empty. i.e. Between + // the two + // fields, at least one source must be specified. + direct?: bool + + // Stages identifies other "upstream" Stages as potential sources + // of the + // requested Freight. If this field's value is empty, then the + // value of the + // Direct field must be true. i.e. Between the two fields, at + // least on source + // must be specified. + stages?: [...string] + } + }] & [_, ...] + + // Shard is the name of the shard that this Stage belongs to. This + // is an + // optional field. If not specified, the Stage will belong to the + // default + // shard. A defaulting webhook will sync the value of the + // kargo.akuity.io/shard label with the value of this field. When + // this field + // is empty, the webhook will ensure that label is absent. + shard?: string + + // Verification describes how to verify a Stage's current Freight + // is fit for + // promotion downstream. + verification?: { + // AnalysisRunMetadata contains optional metadata that should be + // applied to + // all AnalysisRuns. + analysisRunMetadata?: { + // Additional annotations to apply to an AnalysisRun. + annotations?: { + [string]: string + } + + // Additional labels to apply to an AnalysisRun. + labels?: { + [string]: string + } + } + + // AnalysisTemplates is a list of AnalysisTemplates from which + // AnalysisRuns + // should be created to verify a Stage's current Freight is fit to + // be promoted + // downstream. + analysisTemplates?: [...{ + // Name is the name of the AnalysisTemplate in the same + // project/namespace as + // the Stage. + name: string + }] + + // Args lists arguments that should be added to all AnalysisRuns. + args?: [...{ + // Name is the name of the argument. 
+ name: string + + // Value is the value of the argument. + value: string + }] + } +} diff --git a/cue.mod/gen/kargo.akuity.io/warehouse/v1alpha1/types_gen.cue b/cue.mod/gen/kargo.akuity.io/warehouse/v1alpha1/types_gen.cue new file mode 100644 index 00000000..5d7fb00d --- /dev/null +++ b/cue.mod/gen/kargo.akuity.io/warehouse/v1alpha1/types_gen.cue 
@@ -0,0 +1,402 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f /Users/jeff/Holos/kargo-demo/deploy/components/kargo/kargo.gen.yaml + +package v1alpha1 + +import "strings" + +// Warehouse is a source of Freight. +#Warehouse: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "kargo.akuity.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Warehouse" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec describes sources of artifacts. + spec!: #WarehouseSpec +} + +// Spec describes sources of artifacts. +#WarehouseSpec: { + // FreightCreationPolicy describes how Freight is created by this + // Warehouse. + // This field is optional. When left unspecified, the field is + // implicitly + // treated as if its value were "Automatic". + // Accepted values: Automatic, Manual + freightCreationPolicy?: "Automatic" | "Manual" | *"Automatic" + + // Interval is the reconciliation interval for this Warehouse. On + // each + // reconciliation, the Warehouse will discover new artifacts and + // optionally + // produce new Freight. This field is optional. When left + // unspecified, the + // field is implicitly treated as if its value were "5m0s". 
+ interval: =~"^([0-9]+(\\.[0-9]+)?(s|m|h))+$" | *"5m0s" + + // Shard is the name of the shard that this Warehouse belongs to. + // This is an + // optional field. If not specified, the Warehouse will belong to + // the default + // shard. A defaulting webhook will sync this field with the value + // of the + // kargo.akuity.io/shard label. When the shard label is not + // present or differs + // from the value of this field, the defaulting webhook will set + // the label to + // the value of this field. If the shard label is present and this + // field is + // empty, the defaulting webhook will set the value of this field + // to the value + // of the shard label. + shard?: string + + // Subscriptions describes sources of artifacts to be included in + // Freight + // produced by this Warehouse. + subscriptions: [...{ + // Chart describes a subscription to a Helm chart repository. + chart?: { + // DiscoveryLimit is an optional limit on the number of chart + // versions that + // can be discovered for this subscription. The limit is applied + // after + // filtering charts based on the SemverConstraint field. + // When left unspecified, the field is implicitly treated as if + // its value + // were "20". The upper limit for this field is 100. + discoveryLimit?: int & <=100 & >=1 | *20 + + // Name specifies the name of a Helm chart to subscribe to within + // a classic + // chart repository specified by the RepoURL field. This field is + // required + // when the RepoURL field points to a classic chart repository and + // MUST + // otherwise be empty. + name?: string + + // RepoURL specifies the URL of a Helm chart repository. It may be + // a classic + // chart repository (using HTTP/S) OR a repository within an OCI + // registry. + // Classic chart repositories can contain differently named + // charts. When this + // field points to such a repository, the Name field MUST also be + // used + // to specify the name of the desired chart within that + // repository. 
In the + // case of a repository within an OCI registry, the URL implicitly + // points to + // a specific chart and the Name field MUST NOT be used. The + // RepoURL field is + // required. + repoURL: strings.MinRunes(1) & { + =~"^(((https?)|(oci))://)([\\w\\d\\.\\-]+)(:[\\d]+)?(/.*)*$" + } + + // SemverConstraint specifies constraints on what new chart + // versions are + // permissible. This field is optional. When left unspecified, + // there will be + // no constraints, which means the latest version of the chart + // will always be + // used. Care should be taken with leaving this field unspecified, + // as it can + // lead to the unanticipated rollout of breaking changes. + // More info: + // https://github.com/masterminds/semver#checking-version-constraints + semverConstraint?: string + } + + // Git describes a subscriptions to a Git repository. + git?: { + // AllowTags is a regular expression that can optionally be used + // to limit the + // tags that are considered in determining the newest commit of + // interest. The + // value in this field only has any effect when the + // CommitSelectionStrategy is + // Lexical, NewestTag, or SemVer. This field is optional. + allowTags?: string + + // Branch references a particular branch of the repository. The + // value in this + // field only has any effect when the CommitSelectionStrategy is + // NewestFromBranch or left unspecified (which is implicitly the + // same as + // NewestFromBranch). This field is optional. When left + // unspecified, (and the + // CommitSelectionStrategy is NewestFromBranch or unspecified), + // the + // subscription is implicitly to the repository's default branch. + branch?: strings.MinRunes(1) & { + =~"^\\w+([-/]\\w+)*$" + } + + // CommitSelectionStrategy specifies the rules for how to identify + // the newest + // commit of interest in the repository specified by the RepoURL + // field. This + // field is optional. 
When left unspecified, the field is + // implicitly treated + // as if its value were "NewestFromBranch". + // Accepted values: Lexical, NewestFromBranch, NewestTag, SemVer + commitSelectionStrategy?: "Lexical" | "NewestFromBranch" | "NewestTag" | "SemVer" | *"NewestFromBranch" + + // DiscoveryLimit is an optional limit on the number of commits + // that can be + // discovered for this subscription. The limit is applied after + // filtering + // commits based on the AllowTags and IgnoreTags fields. + // When left unspecified, the field is implicitly treated as if + // its value + // were "20". The upper limit for this field is 100. + discoveryLimit?: int & <=100 & >=1 | *20 + + // ExcludePaths is a list of selectors that designate paths in the + // repository + // that should NOT trigger the production of new Freight when + // changes are + // detected therein. When specified, changes in the identified + // paths will not + // trigger Freight production. When not specified, paths that + // should trigger + // Freight production will be defined solely by IncludePaths. + // Selectors may be + // defined using: + // 1. Exact paths to files or directories (ex. "charts/foo") + // 2. Glob patterns (prefix the pattern with "glob:"; ex. + // "glob:*.yaml") + // 3. Regular expressions (prefix the pattern with "regex:" or + // "regexp:"; + // ex. "regexp:^.*\.yaml$") + // Paths selected by IncludePaths may be unselected by + // ExcludePaths. This + // is a useful method for including a broad set of paths and then + // excluding a + // subset of them. + excludePaths?: [...string] + + // IgnoreTags is a list of tags that must be ignored when + // determining the + // newest commit of interest. No regular expressions or glob + // patterns are + // supported yet. The value in this field only has any effect when + // the + // CommitSelectionStrategy is Lexical, NewestTag, or SemVer. This + // field is + // optional. 
+ ignoreTags?: [...string] + + // IncludePaths is a list of selectors that designate paths in the + // repository + // that should trigger the production of new Freight when changes + // are detected + // therein. When specified, only changes in the identified paths + // will trigger + // Freight production. When not specified, changes in any path + // will trigger + // Freight production. Selectors may be defined using: + // 1. Exact paths to files or directories (ex. "charts/foo") + // 2. Glob patterns (prefix the pattern with "glob:"; ex. + // "glob:*.yaml") + // 3. Regular expressions (prefix the pattern with "regex:" or + // "regexp:"; + // ex. "regexp:^.*\.yaml$") + // Paths selected by IncludePaths may be unselected by + // ExcludePaths. This + // is a useful method for including a broad set of paths and then + // excluding a + // subset of them. + includePaths?: [...string] + + // InsecureSkipTLSVerify specifies whether certificate + // verification errors + // should be ignored when connecting to the repository. This + // should be enabled + // only with great caution. + insecureSkipTLSVerify?: bool + + // URL is the repository's URL. This is a required field. + repoURL: strings.MinRunes(1) & { + =~"(?:^(https?)://(?:([\\w-]+):(.+)@)?([\\w-]+(?:\\.[\\w-]+)*)(?::(\\d{1,5}))?(/.*)$)|(?:^([\\w-]+)@([\\w+]+(?:\\.[\\w-]+)*):(/?.*))" + } + + // SemverConstraint specifies constraints on what new tagged + // commits are + // considered in determining the newest commit of interest. The + // value in this + // field only has any effect when the CommitSelectionStrategy is + // SemVer. This + // field is optional. When left unspecified, there will be no + // constraints, + // which means the latest semantically tagged commit will always + // be used. Care + // should be taken with leaving this field unspecified, as it can + // lead to the + // unanticipated rollout of breaking changes. 
+ semverConstraint?: string + + // StrictSemvers specifies whether only "strict" semver tags + // should be + // considered. A "strict" semver tag is one containing ALL of + // major, minor, + // and patch version components. This is enabled by default, but + // only has any + // effect when the CommitSelectionStrategy is SemVer. This should + // be disabled + // cautiously, as it creates the potential for any tag containing + // numeric + // characters only to be mistaken for a semver string containing + // the major + // version number only. + strictSemvers: bool | *true + } + + // Image describes a subscription to container image repository. + image?: { + // AllowTags is a regular expression that can optionally be used + // to limit the + // image tags that are considered in determining the newest + // version of an + // image. This field is optional. + allowTags?: string + + // DiscoveryLimit is an optional limit on the number of image + // references + // that can be discovered for this subscription. The limit is + // applied after + // filtering images based on the AllowTags and IgnoreTags fields. + // When left unspecified, the field is implicitly treated as if + // its value + // were "20". The upper limit for this field is 100. + discoveryLimit?: int & <=100 & >=1 | *20 + + // GitRepoURL optionally specifies the URL of a Git repository + // that contains + // the source code for the image repository referenced by the + // RepoURL field. + // When this is specified, Kargo MAY be able to infer and link to + // the exact + // revision of that source code that was used to build the image. + gitRepoURL?: =~"^https?://(\\w+([\\.-]\\w+)*@)?\\w+([\\.-]\\w+)*(:[\\d]+)?(/.*)?$" + + // IgnoreTags is a list of tags that must be ignored when + // determining the + // newest version of an image. No regular expressions or glob + // patterns are + // supported yet. This field is optional. 
+ ignoreTags?: [...string] + + // ImageSelectionStrategy specifies the rules for how to identify + // the newest version + // of the image specified by the RepoURL field. This field is + // optional. When + // left unspecified, the field is implicitly treated as if its + // value were + // "SemVer". + // Accepted values: Digest, Lexical, NewestBuild, SemVer + imageSelectionStrategy?: "Digest" | "Lexical" | "NewestBuild" | "SemVer" | *"SemVer" + + // InsecureSkipTLSVerify specifies whether certificate + // verification errors + // should be ignored when connecting to the repository. This + // should be enabled + // only with great caution. + insecureSkipTLSVerify?: bool + + // Platform is a string of the form / that limits the + // tags that can + // be considered when searching for new versions of an image. This + // field is + // optional. When left unspecified, it is implicitly equivalent to + // the + // OS/architecture of the Kargo controller. Care should be taken + // to set this + // value correctly in cases where the image referenced by this + // ImageRepositorySubscription will run on a Kubernetes node with + // a different + // OS/architecture than the Kargo controller. At present this is + // uncommon, but + // not unheard of. + platform?: string + + // RepoURL specifies the URL of the image repository to subscribe + // to. The + // value in this field MUST NOT include an image tag. This field + // is required. + repoURL: strings.MinRunes(1) & { + =~"^(\\w+([\\.-]\\w+)*(:[\\d]+)?/)?(\\w+([\\.-]\\w+)*)(/\\w+([\\.-]\\w+)*)*$" + } + + // SemverConstraint specifies constraints on what new image + // versions are + // permissible. The value in this field only has any effect when + // the + // ImageSelectionStrategy is SemVer or left unspecified (which is + // implicitly + // the same as SemVer). This field is also optional. 
When left + // unspecified, + // (and the ImageSelectionStrategy is SemVer or unspecified), + // there will be no + // constraints, which means the latest semantically tagged version + // of an image + // will always be used. Care should be taken with leaving this + // field + // unspecified, as it can lead to the unanticipated rollout of + // breaking + // changes. Refer to Image Updater documentation for more details. + // More info: + // https://github.com/masterminds/semver#checking-version-constraints + semverConstraint?: string + + // StrictSemvers specifies whether only "strict" semver tags + // should be + // considered. A "strict" semver tag is one containing ALL of + // major, minor, + // and patch version components. This is enabled by default, but + // only has any + // effect when the ImageSelectionStrategy is SemVer. This should + // be disabled + // cautiously, as it is not uncommon to tag container images with + // short Git + // commit hashes, which have the potential to contain numeric + // characters only + // and could be mistaken for a semver string containing the major + // version + // number only. + strictSemvers: bool | *true + } + }] & [_, ...] +} diff --git a/cue.mod/module.cue b/cue.mod/module.cue index 396c65ab..74392fdc 100644 --- a/cue.mod/module.cue +++ b/cue.mod/module.cue @@ -1,2 +1,2 @@ -module: "user.holos.run/platform" -language: version: "v0.9.2" +module: "example.com/platform" +language: version: "v0.11.0" diff --git a/deploy/components/cilium/cilium.gen.yaml b/deploy/components/cilium/cilium.gen.yaml new file mode 100644 index 00000000..8a9ced52 --- /dev/null +++ b/deploy/components/cilium/cilium.gen.yaml 
@@ -0,0 +1,1653 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium-envoy + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium-operator + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-bgp-control-plane-secrets + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-config-agent + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium +rules: +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + - services + - pods + - endpoints + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update + - list + - delete +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - get +- apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools + - ciliumbgppeeringpolicies + - ciliumbgpnodeconfigs + - ciliumbgpadvertisements + - ciliumbgppeerconfigs + - ciliumclusterwideenvoyconfigs + - ciliumclusterwidenetworkpolicies + - ciliumegressgatewaypolicies + - ciliumendpoints + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumidentities + - ciliumlocalredirectpolicies + - ciliumnetworkpolicies + 
- ciliumnodes + - ciliumnodeconfigs + - ciliumcidrgroups + - ciliuml2announcementpolicies + - ciliumpodippools + verbs: + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumidentities + - ciliumendpoints + - ciliumnodes + verbs: + - create +- apiGroups: + - cilium.io + resources: + - ciliumidentities + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpoints + verbs: + - delete + - get +- apiGroups: + - cilium.io + resources: + - ciliumnodes + - ciliumnodes/status + verbs: + - get + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpoints/status + - ciliumendpoints + - ciliuml2announcementpolicies/status + - ciliumbgpnodeconfigs/status + verbs: + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - delete +- apiGroups: + - "" + resourceNames: + - cilium-config + resources: + - configmaps + verbs: + - patch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + - nodes/status + verbs: + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - update + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + - ciliumclusterwidenetworkpolicies + verbs: + - create + - update + - deletecollection + - patch + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + verbs: + - patch + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpoints + - 
ciliumidentities + verbs: + - delete + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumidentities + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumnodes + verbs: + - create + - update + - get + - list + - watch + - delete +- apiGroups: + - cilium.io + resources: + - ciliumnodes/status + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumbgppeerconfigs + - ciliumbgpadvertisements + - ciliumbgpnodeconfigs + verbs: + - create + - update + - get + - list + - watch + - delete + - patch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resourceNames: + - ciliumloadbalancerippools.cilium.io + - ciliumbgppeeringpolicies.cilium.io + - ciliumbgpclusterconfigs.cilium.io + - ciliumbgppeerconfigs.cilium.io + - ciliumbgpadvertisements.cilium.io + - ciliumbgpnodeconfigs.cilium.io + - ciliumbgpnodeconfigoverrides.cilium.io + - ciliumclusterwideenvoyconfigs.cilium.io + - ciliumclusterwidenetworkpolicies.cilium.io + - ciliumegressgatewaypolicies.cilium.io + - ciliumendpoints.cilium.io + - ciliumendpointslices.cilium.io + - ciliumenvoyconfigs.cilium.io + - ciliumexternalworkloads.cilium.io + - ciliumidentities.cilium.io + - ciliumlocalredirectpolicies.cilium.io + - ciliumnetworkpolicies.cilium.io + - ciliumnodes.cilium.io + - ciliumnodeconfigs.cilium.io + - ciliumcidrgroups.cilium.io + - ciliuml2announcementpolicies.cilium.io + - ciliumpodippools.cilium.io + resources: + - customresourcedefinitions + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools + - ciliumpodippools + - ciliumbgppeeringpolicies + - ciliumbgpclusterconfigs + - ciliumbgpnodeconfigoverrides + verbs: + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumpodippools + verbs: + - create +- apiGroups: + - cilium.io + resources: + - 
ciliumloadbalancerippools/status + verbs: + - patch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-bgp-control-plane-secrets + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-bgp-control-plane-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-config-agent + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-config-agent +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium-operator +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system +--- +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s + auto-direct-node-routes: "false" + bgp-secrets-namespace: kube-system + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" + bpf-lb-acceleration: disabled + bpf-lb-external-clusterip: "false" + bpf-lb-map-max: "65536" + bpf-lb-sock: "false" + bpf-lb-sock-terminate-pod-connections: "false" + bpf-map-dynamic-size-ratio: "0.0025" 
+ bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf + cgroup-root: /sys/fs/cgroup + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" + cluster-name: default + clustermesh-enable-endpoint-sync: "false" + clustermesh-enable-mcs-api: "false" + cni-exclusive: "true" + cni-log-file: /var/run/cilium/cilium-cni.log + custom-cni-conf: "false" + datapath-mode: veth + debug: "false" + debug-verbose: "" + devices: eno+ + direct-routing-skip-unreachable: "false" + dnsproxy-enable-transparent-mode: "true" + dnsproxy-socket-linger-timeout: "10" + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: "true" + enable-bgp-control-plane: "true" + enable-bpf-clock-probe: "false" + enable-endpoint-health-checking: "true" + enable-health-check-loadbalancer-ip: "false" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-ipv4: "true" + enable-ipv4-big-tcp: "false" + enable-ipv4-masquerade: "true" + enable-ipv6: "false" + enable-ipv6-big-tcp: "false" + enable-ipv6-masquerade: "true" + enable-k8s-networkpolicy: "false" + enable-k8s-terminating-endpoint: "true" + enable-l2-announcements: "true" + enable-l2-neigh-discovery: "true" + enable-l7-proxy: "true" + enable-local-redirect-policy: "false" + enable-masquerade-to-route-source: "false" + enable-metrics: "true" + enable-node-selector-labels: "false" + enable-policy: default + enable-runtime-device-detection: "true" + enable-sctp: "false" + enable-svc-source-range-check: "true" + enable-tcx: "true" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-xt-socket-fallback: "true" + envoy-base-id: "0" + envoy-keep-cap-netbindservice: "false" + external-envoy-proxy: "true" + identity-allocation-mode: crd + identity-gc-interval: 15m0s + identity-heartbeat-timeout: 30m0s + install-no-conntrack-iptables-rules: "false" + ipam: kubernetes + ipam-cilium-node-update-rate: 15s + k8s-client-burst: "20" + k8s-client-qps: "10" + k8s-require-ipv4-pod-cidr: "false" + 
k8s-require-ipv6-pod-cidr: "false" + kube-proxy-replacement: "true" + kube-proxy-replacement-healthz-bind-address: "" + max-connected-clusters: "255" + mesh-auth-enabled: "true" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" + monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s + node-port-bind-protection: "true" + nodeport-addresses: "" + nodes-gc-interval: 5m0s + operator-api-serve-addr: 127.0.0.1:9234 + operator-prometheus-serve-addr: :9963 + policy-cidr-match-mode: "" + preallocate-bpf-maps: "false" + procfs: /host/proc + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-initial-fetch-timeout: "30" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" + remove-cilium-node-taints: "true" + routing-mode: tunnel + service-no-backend-response: reject + set-cilium-is-up-condition: "true" + set-cilium-node-taints: "true" + synchronize-k8s-nodes: "true" + tofqdns-dns-reject-response-code: refused + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "50" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-proxy-response-max-delay: 100ms + tunnel-protocol: vxlan + unmanaged-pod-watcher-interval: "15" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" + write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist +kind: ConfigMap +metadata: + name: cilium-config + namespace: kube-system +--- +apiVersion: v1 +data: + bootstrap-config.json: | + { + "node": { + "id": "host~127.0.0.1~no-id~localdomain", + "cluster": "ingress-cluster" + }, + "staticResources": { + "listeners": [ + { + "name": "envoy-prometheus-metrics-listener", + "address": { + "socket_address": { + "address": 
"0.0.0.0", + "port_value": 9964 + } + }, + "filter_chains": [ + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "stat_prefix": "envoy-prometheus-metrics-listener", + "route_config": { + "virtual_hosts": [ + { + "name": "prometheus_metrics_route", + "domains": [ + "*" + ], + "routes": [ + { + "name": "prometheus_metrics_route", + "match": { + "prefix": "/metrics" + }, + "route": { + "cluster": "/envoy-admin", + "prefix_rewrite": "/stats/prometheus" + } + } + ] + } + ] + }, + "http_filters": [ + { + "name": "envoy.filters.http.router", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + } + ], + "internal_address_config": { + "cidr_ranges": [ + { + "address_prefix": "10.0.0.0", + "prefix_len": 8 + }, + { + "address_prefix": "172.16.0.0", + "prefix_len": 12 + }, + { + "address_prefix": "192.168.0.0", + "prefix_len": 16 + }, + { + "address_prefix": "127.0.0.1", + "prefix_len": 32 + }, + { + "address_prefix": "::1", + "prefix_len": 128 + } + ] + }, + "stream_idle_timeout": "0s" + } + } + ] + } + ] + }, + { + "name": "envoy-health-listener", + "address": { + "socket_address": { + "address": "127.0.0.1", + "port_value": 9878 + } + }, + "filter_chains": [ + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "stat_prefix": "envoy-health-listener", + "route_config": { + "virtual_hosts": [ + { + "name": "health", + "domains": [ + "*" + ], + "routes": [ + { + "name": "health", + "match": { + "prefix": "/healthz" + }, + "route": { + "cluster": "/envoy-admin", + "prefix_rewrite": "/ready" + } + } + ] + } + ] + }, + "http_filters": [ + { + "name": "envoy.filters.http.router", + "typed_config": { 
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + } + ], + "internal_address_config": { + "cidr_ranges": [ + { + "address_prefix": "10.0.0.0", + "prefix_len": 8 + }, + { + "address_prefix": "172.16.0.0", + "prefix_len": 12 + }, + { + "address_prefix": "192.168.0.0", + "prefix_len": 16 + }, + { + "address_prefix": "127.0.0.1", + "prefix_len": 32 + }, + { + "address_prefix": "::1", + "prefix_len": 128 + } + ] + }, + "stream_idle_timeout": "0s" + } + } + ] + } + ] + } + ], + "clusters": [ + { + "name": "ingress-cluster", + "type": "ORIGINAL_DST", + "connectTimeout": "2s", + "lbPolicy": "CLUSTER_PROVIDED", + "typedExtensionProtocolOptions": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "commonHttpProtocolOptions": { + "idleTimeout": "60s", + "maxConnectionDuration": "0s", + "maxRequestsPerConnection": 0 + }, + "useDownstreamProtocolConfig": {} + } + }, + "cleanupInterval": "2.500s" + }, + { + "name": "egress-cluster-tls", + "type": "ORIGINAL_DST", + "connectTimeout": "2s", + "lbPolicy": "CLUSTER_PROVIDED", + "typedExtensionProtocolOptions": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "commonHttpProtocolOptions": { + "idleTimeout": "60s", + "maxConnectionDuration": "0s", + "maxRequestsPerConnection": 0 + }, + "upstreamHttpProtocolOptions": {}, + "useDownstreamProtocolConfig": {} + } + }, + "cleanupInterval": "2.500s", + "transportSocket": { + "name": "cilium.tls_wrapper", + "typedConfig": { + "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext" + } + } + }, + { + "name": "egress-cluster", + "type": "ORIGINAL_DST", + "connectTimeout": "2s", + "lbPolicy": "CLUSTER_PROVIDED", + "typedExtensionProtocolOptions": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": 
"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "commonHttpProtocolOptions": { + "idleTimeout": "60s", + "maxConnectionDuration": "0s", + "maxRequestsPerConnection": 0 + }, + "useDownstreamProtocolConfig": {} + } + }, + "cleanupInterval": "2.500s" + }, + { + "name": "ingress-cluster-tls", + "type": "ORIGINAL_DST", + "connectTimeout": "2s", + "lbPolicy": "CLUSTER_PROVIDED", + "typedExtensionProtocolOptions": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "commonHttpProtocolOptions": { + "idleTimeout": "60s", + "maxConnectionDuration": "0s", + "maxRequestsPerConnection": 0 + }, + "upstreamHttpProtocolOptions": {}, + "useDownstreamProtocolConfig": {} + } + }, + "cleanupInterval": "2.500s", + "transportSocket": { + "name": "cilium.tls_wrapper", + "typedConfig": { + "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext" + } + } + }, + { + "name": "xds-grpc-cilium", + "type": "STATIC", + "connectTimeout": "2s", + "loadAssignment": { + "clusterName": "xds-grpc-cilium", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "pipe": { + "path": "/var/run/cilium/envoy/sockets/xds.sock" + } + } + } + } + ] + } + ] + }, + "typedExtensionProtocolOptions": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "explicitHttpConfig": { + "http2ProtocolOptions": {} + } + } + } + }, + { + "name": "/envoy-admin", + "type": "STATIC", + "connectTimeout": "2s", + "loadAssignment": { + "clusterName": "/envoy-admin", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "pipe": { + "path": "/var/run/cilium/envoy/sockets/admin.sock" + } + } + } + } + ] + } + ] + } + } + ] + }, + "dynamicResources": { + "ldsConfig": { + "initialFetchTimeout": "30s", + "apiConfigSource": { + "apiType": "GRPC", + 
"transportApiVersion": "V3", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "xds-grpc-cilium" + } + } + ], + "setNodeOnFirstMessageOnly": true + }, + "resourceApiVersion": "V3" + }, + "cdsConfig": { + "initialFetchTimeout": "30s", + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "xds-grpc-cilium" + } + } + ], + "setNodeOnFirstMessageOnly": true + }, + "resourceApiVersion": "V3" + } + }, + "bootstrapExtensions": [ + { + "name": "envoy.bootstrap.internal_listener", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener" + } + } + ], + "overload_manager": { + "resource_monitors": [ + { + "name": "envoy.resource_monitors.global_downstream_max_connections", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig", + "max_active_downstream_connections": "50000" + } + } + ] + }, + "admin": { + "address": { + "pipe": { + "path": "/var/run/cilium/envoy/sockets/admin.sock" + } + } + } + } +kind: ConfigMap +metadata: + name: cilium-envoy-config + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "9964" + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + io.cilium/app: proxy + k8s-app: cilium-envoy + name: cilium-envoy + namespace: kube-system +spec: + clusterIP: None + ports: + - name: envoy-metrics + port: 9964 + protocol: TCP + targetPort: envoy-metrics + selector: + k8s-app: cilium-envoy + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: cilium-operator + app.kubernetes.io/part-of: cilium + io.cilium/app: operator + name: cilium-operator + name: cilium-operator + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + io.cilium/app: operator 
+ name: cilium-operator + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 100% + type: RollingUpdate + template: + metadata: + annotations: + cilium.io/cilium-configmap-checksum: f0c2b5cefd86bc1170b23a59fd07b2db62e4c1be173eec195af45c37dff74143 + prometheus.io/port: "9963" + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/name: cilium-operator + app.kubernetes.io/part-of: cilium + io.cilium/app: operator + name: cilium-operator + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + io.cilium/app: operator + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true + containers: + - args: + - --config-dir=/tmp/cilium/config-map + - --debug=$(CILIUM_DEBUG) + command: + - cilium-operator-generic + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_DEBUG + valueFrom: + configMapKeyRef: + key: debug + name: cilium-config + optional: true + - name: KUBERNETES_SERVICE_HOST + value: 127.0.0.1 + - name: KUBERNETES_SERVICE_PORT + value: "7445" + image: quay.io/cilium/operator-generic:v1.16.5@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 3 + name: cilium-operator + ports: + - containerPort: 9963 + hostPort: 9963 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 3 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + hostNetwork: true + 
nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + restartPolicy: Always + serviceAccountName: cilium-operator + tolerations: + - operator: Exists + volumes: + - configMap: + name: cilium-config + name: cilium-config-path +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/name: cilium-agent + app.kubernetes.io/part-of: cilium + k8s-app: cilium + name: cilium + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: cilium + template: + metadata: + annotations: + cilium.io/cilium-configmap-checksum: f0c2b5cefd86bc1170b23a59fd07b2db62e4c1be173eec195af45c37dff74143 + labels: + app.kubernetes.io/name: cilium-agent + app.kubernetes.io/part-of: cilium + k8s-app: cilium + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.memory + - name: KUBERNETES_SERVICE_HOST + value: 127.0.0.1 + - name: KUBERNETES_SERVICE_PORT + value: "7445" + image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d + imagePullPolicy: IfNotPresent + lifecycle: + postStart: + exec: + command: + - bash + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. 
+ # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' + preStop: + exec: + command: + - /cni-uninstall.sh + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-agent + readinessProbe: + failureThreshold: 3 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + capabilities: + add: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + successThreshold: 1 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium/envoy/sockets + name: envoy-sockets + readOnly: false + - mountPath: /host/proc/sys/net + name: host-proc-sys-net + - mountPath: /host/proc/sys/kernel + name: host-proc-sys-kernel + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + - mountPath: /sys/fs/cgroup + name: 
cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - mountPath: /tmp + name: tmp + hostNetwork: true + initContainers: + - command: + - cilium-dbg + - build-config + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_SERVICE_HOST + value: 127.0.0.1 + - name: KUBERNETES_SERVICE_PORT + value: "7445" + image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d + imagePullPolicy: IfNotPresent + name: config + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /tmp + name: tmp + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; + nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; + rm /hostbin/cilium-sysctlfix + env: + - name: BIN_PATH + value: /opt/cni/bin + image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d + imagePullPolicy: IfNotPresent + name: apply-sysctl-overwrites + securityContext: + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - args: + - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf + command: + - /bin/bash + - -c + - -- + image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d + imagePullPolicy: IfNotPresent + name: 
mount-bpf-fs + securityContext: + privileged: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-maps + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + - name: WRITE_CNI_CONF_WHEN_READY + valueFrom: + configMapKeyRef: + key: write-cni-conf-when-ready + name: cilium-config + optional: true + - name: KUBERNETES_SERVICE_HOST + value: 127.0.0.1 + - name: KUBERNETES_SERVICE_PORT + value: "7445" + image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d + imagePullPolicy: IfNotPresent + name: clean-cilium-state + securityContext: + capabilities: + add: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /sys/fs/cgroup + mountPropagation: HostToContainer + name: cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + - command: + - /install-plugin.sh + image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d + imagePullPolicy: IfNotPresent + name: install-cni-binaries + resources: + requests: + cpu: 100m + memory: 10Mi + securityContext: + capabilities: + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-path + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + restartPolicy: Always + securityContext: + appArmorProfile: + type: Unconfined + serviceAccountName: cilium + terminationGracePeriodSeconds: 
1 + tolerations: + - operator: Exists + volumes: + - emptyDir: {} + name: tmp + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + - hostPath: + path: /proc + type: Directory + name: hostproc + - hostPath: + path: /sys/fs/cgroup + type: DirectoryOrCreate + name: cilium-cgroup + - hostPath: + path: /opt/cni/bin + type: DirectoryOrCreate + name: cni-path + - hostPath: + path: /etc/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + - hostPath: + path: /lib/modules + name: lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + - hostPath: + path: /var/run/cilium/envoy/sockets + type: DirectoryOrCreate + name: envoy-sockets + - name: clustermesh-secrets + projected: + defaultMode: 256 + sources: + - secret: + name: cilium-clustermesh + optional: true + - secret: + items: + - key: tls.key + path: common-etcd-client.key + - key: tls.crt + path: common-etcd-client.crt + - key: ca.crt + path: common-etcd-client-ca.crt + name: clustermesh-apiserver-remote-cert + optional: true + - secret: + items: + - key: tls.key + path: local-etcd-client.key + - key: tls.crt + path: local-etcd-client.crt + - key: ca.crt + path: local-etcd-client-ca.crt + name: clustermesh-apiserver-local-cert + optional: true + - hostPath: + path: /proc/sys/net + type: Directory + name: host-proc-sys-net + - hostPath: + path: /proc/sys/kernel + type: Directory + name: host-proc-sys-kernel + updateStrategy: + rollingUpdate: + maxUnavailable: 2 + type: RollingUpdate +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + k8s-app: cilium-envoy + name: cilium-envoy + name: cilium-envoy + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: cilium-envoy + template: + metadata: + annotations: null + labels: + app.kubernetes.io/name: cilium-envoy + 
app.kubernetes.io/part-of: cilium + k8s-app: cilium-envoy + name: cilium-envoy + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cilium.io/no-schedule + operator: NotIn + values: + - "true" + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium-envoy + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true + containers: + - args: + - -- + - -c /var/run/cilium/envoy/bootstrap-config.json + - --base-id 0 + - --log-level info + - --log-format [%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v + command: + - /usr/bin/cilium-envoy-starter + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_SERVICE_HOST + value: 127.0.0.1 + - name: KUBERNETES_SERVICE_PORT + value: "7445" + image: quay.io/cilium/cilium-envoy:v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8@sha256:709c08ade3d17d52da4ca2af33f431360ec26268d288d9a6cd1d98acc9a1dced + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-envoy + ports: + - containerPort: 9964 + hostPort: 9964 + name: envoy-metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + capabilities: + add: + - NET_ADMIN + - SYS_ADMIN + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + 
httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + successThreshold: 1 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium/envoy/sockets + name: envoy-sockets + readOnly: false + - mountPath: /var/run/cilium/envoy/artifacts + name: envoy-artifacts + readOnly: true + - mountPath: /var/run/cilium/envoy/ + name: envoy-config + readOnly: true + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: null + restartPolicy: Always + securityContext: + appArmorProfile: + type: Unconfined + serviceAccountName: cilium-envoy + terminationGracePeriodSeconds: 1 + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/run/cilium/envoy/sockets + type: DirectoryOrCreate + name: envoy-sockets + - hostPath: + path: /var/run/cilium/envoy/artifacts + type: DirectoryOrCreate + name: envoy-artifacts + - configMap: + defaultMode: 256 + items: + - key: bootstrap-config.json + path: bootstrap-config.json + name: cilium-envoy-config + name: envoy-config + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + updateStrategy: + rollingUpdate: + maxUnavailable: 2 + type: RollingUpdate diff --git a/deploy/components/coredns/coredns.gen.yaml b/deploy/components/coredns/coredns.gen.yaml new file mode 100644 index 00000000..ff3e505e --- /dev/null +++ b/deploy/components/coredns/coredns.gen.yaml 
@@ -0,0 +1,232 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: coredns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coredns + helm.sh/chart: coredns-1.37.0 + k8s-app: coredns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: CoreDNS + name: coredns + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: coredns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coredns + helm.sh/chart: coredns-1.37.0 + k8s-app: coredns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: CoreDNS + name: coredns +rules: +- apiGroups: + - "" + resources: + - endpoints + - services + - pods + - namespaces + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: coredns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coredns + helm.sh/chart: coredns-1.37.0 + k8s-app: coredns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: CoreDNS + name: coredns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: coredns +subjects: +- kind: ServiceAccount + name: coredns + namespace: kube-system +--- +apiVersion: v1 +data: + Corefile: |- + .:53 { + errors + health { + lameduck 5s + } + ready + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + fallthrough in-addr.arpa ip6.arpa + ttl 30 + } + prometheus 0.0.0.0:9153 + forward . 
/etc/resolv.conf + cache 30 + loop + reload + loadbalance + } +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: coredns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coredns + helm.sh/chart: coredns-1.37.0 + k8s-app: coredns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: CoreDNS + name: coredns + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: coredns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coredns + helm.sh/chart: coredns-1.37.0 + k8s-app: coredns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: CoreDNS + name: coredns + namespace: kube-system +spec: + clusterIP: 10.96.0.10 + ports: + - name: udp-53 + port: 53 + protocol: UDP + targetPort: 53 + - name: tcp-53 + port: 53 + protocol: TCP + targetPort: 53 + selector: + app.kubernetes.io/instance: coredns + app.kubernetes.io/name: coredns + k8s-app: coredns + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: coredns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coredns + app.kubernetes.io/version: 1.11.4 + helm.sh/chart: coredns-1.37.0 + k8s-app: coredns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: CoreDNS + name: coredns + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/instance: coredns + app.kubernetes.io/name: coredns + k8s-app: coredns + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: 00f4dfa5bcd48c8950928182a87ad2f0b72a91ea458fd32e5dde421177e7c5ba + scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", + "operator":"Exists"}]' + labels: + app.kubernetes.io/instance: coredns + app.kubernetes.io/name: coredns + k8s-app: coredns + spec: + containers: + - args: + - -conf + - /etc/coredns/Corefile + image: 
coredns/coredns:1.11.4 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: coredns + ports: + - containerPort: 53 + name: udp-53 + protocol: UDP + - containerPort: 53 + name: tcp-53 + protocol: TCP + - containerPort: 9153 + name: tcp-9153 + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + path: /ready + port: 8181 + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /etc/coredns + name: config-volume + dnsPolicy: Default + priorityClassName: system-cluster-critical + serviceAccountName: coredns + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + items: + - key: Corefile + path: Corefile + name: coredns + name: config-volume diff --git a/deploy/components/forgejo/forgejo.gen.yaml b/deploy/components/forgejo/forgejo.gen.yaml index 75a70e81..fa265490 100644 --- a/deploy/components/forgejo/forgejo.gen.yaml +++ b/deploy/components/forgejo/forgejo.gen.yaml @@ -328,8 +328,8 @@ apiVersion: v1 kind: Service metadata: annotations: + lbipam.cilium.io/ips: 192.168.2.11 metallb.universe.tf/allow-shared-ip: gitea-192.168.2.11 - metallb.universe.tf/loadBalancerIPs: 192.168.2.11 labels: app: forgejo app.kubernetes.io/instance: forgejo @@ -354,8 +354,8 @@ apiVersion: v1 kind: Service metadata: annotations: + lbipam.cilium.io/ips: 192.168.2.11 metallb.universe.tf/allow-shared-ip: gitea-192.168.2.11 - metallb.universe.tf/loadBalancerIPs: 192.168.2.11 labels: app: forgejo app.kubernetes.io/instance: forgejo 
diff --git a/deploy/components/grafana/grafana.gen.yaml b/deploy/components/grafana/grafana.gen.yaml index 669939da..f78e48e8 100644 --- a/deploy/components/grafana/grafana.gen.yaml +++ b/deploy/components/grafana/grafana.gen.yaml @@ -229,7 +229,7 @@ spec: - ReadWriteOnce resources: requests: - storage: 2Gi + storage: 1Gi --- apiVersion: apps/v1 kind: Deployment diff --git a/deploy/components/jellyfin/jellyfin.gen.yaml b/deploy/components/jellyfin/jellyfin.gen.yaml index a35154cc..3aa407f4 100644 --- a/deploy/components/jellyfin/jellyfin.gen.yaml +++ b/deploy/components/jellyfin/jellyfin.gen.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - metallb.universe.tf/loadBalancerIPs: 192.168.2.7 + lbipam.cilium.io/ips: 192.168.2.7 labels: app.kubernetes.io/instance: jellyfin app.kubernetes.io/managed-by: Helm @@ -27,12 +27,20 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - labels: - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: jellyfin - helm.sh/chart: app-template-3.5.1 - name: jellyfin-config + name: jellyfin-cache + namespace: default +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: ceph-block +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: jellyfin-data namespace: default spec: accessModes: @@ -40,6 +48,7 @@ spec: resources: requests: storage: 1Gi + storageClassName: ceph-block --- apiVersion: apps/v1 kind: Deployment @@ -81,6 +90,8 @@ spec: image: lscr.io/linuxserver/jellyfin:10.10.3 name: main volumeMounts: + - mountPath: /config/cache + name: cache - mountPath: /config name: config - mountPath: /media 
@@ -94,13 +105,15 @@ spec: hostPID: false serviceAccountName: default volumes: + - name: cache + persistentVolumeClaim: + claimName: jellyfin-cache - name: config persistentVolumeClaim: - claimName: jellyfin-config - - hostPath: - path: /media - type: Directory - name: media + claimName: jellyfin-data + - name: media + persistentVolumeClaim: + claimName: media - emptyDir: {} name: transcode --- diff --git a/deploy/components/jellyseerr/jellyseerr.gen.yaml b/deploy/components/jellyseerr/jellyseerr.gen.yaml index 62166ad1..7f157c3a 100644 --- a/deploy/components/jellyseerr/jellyseerr.gen.yaml +++ b/deploy/components/jellyseerr/jellyseerr.gen.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - metallb.universe.tf/loadBalancerIPs: 192.168.2.8 + lbipam.cilium.io/ips: 192.168.2.8 labels: app.kubernetes.io/instance: jellyseerr app.kubernetes.io/managed-by: Helm @@ -27,12 +27,7 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - labels: - app.kubernetes.io/instance: jellyseerr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: jellyseerr - helm.sh/chart: app-template-3.5.1 - name: jellyseerr-config + name: jellyseerr namespace: default spec: accessModes: @@ -40,6 +35,7 @@ spec: resources: requests: storage: 1Gi + storageClassName: ceph-block --- apiVersion: apps/v1 kind: Deployment @@ -90,7 +86,7 @@ spec: volumes: - name: config persistentVolumeClaim: - claimName: jellyseerr-config + claimName: jellyseerr --- apiVersion: networking.k8s.io/v1 kind: Ingress diff --git a/deploy/components/linkding/linkding.gen.yaml b/deploy/components/linkding/linkding.gen.yaml index 62749d80..3c8b7fc3 100644 --- a/deploy/components/linkding/linkding.gen.yaml +++ b/deploy/components/linkding/linkding.gen.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - metallb.universe.tf/loadBalancerIPs: 192.168.2.9 + lbipam.cilium.io/ips: 192.168.2.9 labels: app.kubernetes.io/instance: linkding app.kubernetes.io/managed-by: Helm 
@@ -27,13 +27,6 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: linkding - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: linkding - helm.sh/chart: app-template-3.5.1 name: linkding-data namespace: default spec: @@ -42,6 +35,7 @@ spec: resources: requests: storage: 1Gi + storageClassName: ceph-block --- apiVersion: apps/v1 kind: Deployment diff --git a/deploy/components/media/media.gen.yaml b/deploy/components/media/media.gen.yaml new file mode 100644 index 00000000..7df18293 --- /dev/null +++ b/deploy/components/media/media.gen.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: media + namespace: default +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 300Gi + storageClassName: ceph-filesystem diff --git a/deploy/components/metallb/metallb.gen.yaml b/deploy/components/metallb/metallb.gen.yaml deleted file mode 100644 index ebc6fb2a..00000000 --- a/deploy/components/metallb/metallb.gen.yaml +++ /dev/null 
@@ -1,2330 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.3 - name: bfdprofiles.metallb.io -spec: - group: metallb.io - names: - kind: BFDProfile - listKind: BFDProfileList - plural: bfdprofiles - singular: bfdprofile - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.passiveMode - name: Passive Mode - type: boolean - - jsonPath: .spec.transmitInterval - name: Transmit Interval - type: integer - - jsonPath: .spec.receiveInterval - name: Receive Interval - type: integer - - jsonPath: .spec.detectMultiplier - name: Multiplier - type: integer - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - BFDProfile represents the settings of the bfd session that can be - optionally associated with a BGP session. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BFDProfileSpec defines the desired state of BFDProfile. - properties: - detectMultiplier: - description: |- - Configures the detection multiplier to determine - packet loss. The remote transmission interval will be multiplied - by this value to determine the connection loss detection timer. 
- format: int32 - maximum: 255 - minimum: 2 - type: integer - echoInterval: - description: |- - Configures the minimal echo receive transmission - interval that this system is capable of handling in milliseconds. - Defaults to 50ms - format: int32 - maximum: 60000 - minimum: 10 - type: integer - echoMode: - description: |- - Enables or disables the echo transmission mode. - This mode is disabled by default, and not supported on multi - hops setups. - type: boolean - minimumTtl: - description: |- - For multi hop sessions only: configure the minimum - expected TTL for an incoming BFD control packet. - format: int32 - maximum: 254 - minimum: 1 - type: integer - passiveMode: - description: |- - Mark session as passive: a passive session will not - attempt to start the connection and will wait for control packets - from peer before it begins replying. - type: boolean - receiveInterval: - description: |- - The minimum interval that this system is capable of - receiving control packets in milliseconds. - Defaults to 300ms. - format: int32 - maximum: 60000 - minimum: 10 - type: integer - transmitInterval: - description: |- - The minimum transmission interval (less jitter) - that this system wants to use to send BFD control packets in - milliseconds. Defaults to 300ms - format: int32 - maximum: 60000 - minimum: 10 - type: integer - type: object - status: - description: BFDProfileStatus defines the observed state of BFDProfile. 
- type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.3 - name: bgpadvertisements.metallb.io -spec: - group: metallb.io - names: - kind: BGPAdvertisement - listKind: BGPAdvertisementList - plural: bgpadvertisements - singular: bgpadvertisement - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.ipAddressPools - name: IPAddressPools - type: string - - jsonPath: .spec.ipAddressPoolSelectors - name: IPAddressPool Selectors - type: string - - jsonPath: .spec.peers - name: Peers - type: string - - jsonPath: .spec.nodeSelectors - name: Node Selectors - priority: 10 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - BGPAdvertisement allows to advertise the IPs coming - from the selected IPAddressPools via BGP, setting the parameters of the - BGP Advertisement. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BGPAdvertisementSpec defines the desired state of BGPAdvertisement. - properties: - aggregationLength: - default: 32 - description: The aggregation-length advertisement option lets you - “roll up” the /32s into a larger prefix. 
Defaults to 32. Works for - IPv4 addresses. - format: int32 - minimum: 1 - type: integer - aggregationLengthV6: - default: 128 - description: The aggregation-length advertisement option lets you - “roll up” the /128s into a larger prefix. Defaults to 128. Works - for IPv6 addresses. - format: int32 - type: integer - communities: - description: |- - The BGP communities to be associated with the announcement. Each item can be a standard community of the - form 1234:1234, a large community of the form large:1234:1234:1234 or the name of an alias defined in the - Community CRD. - items: - type: string - type: array - ipAddressPoolSelectors: - description: |- - A selector for the IPAddressPools which would get advertised via this advertisement. - If no IPAddressPool is selected by this or by the list, the advertisement is applied to all the IPAddressPools. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - ipAddressPools: - description: The list of IPAddressPools to advertise via this advertisement, - selected by name. - items: - type: string - type: array - localPref: - description: |- - The BGP LOCAL_PREF attribute which is used by BGP best path algorithm, - Path with higher localpref is preferred over one with lower localpref. - format: int32 - type: integer - nodeSelectors: - description: NodeSelectors allows to limit the nodes to announce as - next hops for the LoadBalancer IP. When empty, all the nodes having are - announced as next hops. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - peers: - description: |- - Peers limits the bgppeer to advertise the ips of the selected pools to. - When empty, the loadbalancer IP is announced to all the BGPPeers configured. - items: - type: string - type: array - type: object - status: - description: BGPAdvertisementStatus defines the observed state of BGPAdvertisement. 
- type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.3 - name: bgppeers.metallb.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: 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 - service: - name: metallb-webhook-service - namespace: kube-system - path: /convert - conversionReviewVersions: - - v1beta1 - - v1beta2 - group: metallb.io - names: - kind: BGPPeer - listKind: BGPPeerList - plural: bgppeers - singular: bgppeer - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.peerAddress - name: Address - type: string - - jsonPath: .spec.peerASN - name: ASN - type: string - - jsonPath: .spec.bfdProfile - name: BFD Profile - type: string - - jsonPath: .spec.ebgpMultiHop - name: Multi Hops - type: string - deprecated: true - deprecationWarning: v1beta1 is deprecated, please use v1beta2 - name: v1beta1 - schema: - openAPIV3Schema: - description: BGPPeer is the Schema for the peers API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BGPPeerSpec defines the desired state of Peer. 
- properties: - bfdProfile: - type: string - ebgpMultiHop: - description: EBGP peer is multi-hops away - type: boolean - holdTime: - description: Requested BGP hold time, per RFC4271. - type: string - keepaliveTime: - description: Requested BGP keepalive time, per RFC4271. - type: string - myASN: - description: AS number to use for the local end of the session. - format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - nodeSelectors: - description: |- - Only connect to this peer on nodes that match one of these - selectors. - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - minItems: 1 - type: array - required: - - key - - operator - - values - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: array - password: - description: Authentication password for routers enforcing TCP MD5 - authenticated sessions - type: string - peerASN: - description: AS number to expect from the remote end of the session. - format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - peerAddress: - description: Address to dial when establishing the session. - type: string - peerPort: - description: Port to dial when establishing the session. - maximum: 16384 - minimum: 0 - type: integer - routerID: - description: BGP router ID to advertise to the peer - type: string - sourceAddress: - description: Source address to use when establishing the session. - type: string - required: - - myASN - - peerASN - - peerAddress - type: object - status: - description: BGPPeerStatus defines the observed state of Peer. 
- type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.peerAddress - name: Address - type: string - - jsonPath: .spec.peerASN - name: ASN - type: string - - jsonPath: .spec.bfdProfile - name: BFD Profile - type: string - - jsonPath: .spec.ebgpMultiHop - name: Multi Hops - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: BGPPeer is the Schema for the peers API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BGPPeerSpec defines the desired state of Peer. - properties: - bfdProfile: - description: The name of the BFD Profile to be used for the BFD session - associated to the BGP session. If not set, the BFD session won't - be set up. - type: string - connectTime: - description: Requested BGP connect time, controls how long BGP waits - between connection attempts to a neighbor. 
- type: string - x-kubernetes-validations: - - message: connect time should be between 1 seconds to 65535 - rule: duration(self).getSeconds() >= 1 && duration(self).getSeconds() - <= 65535 - - message: connect time should contain a whole number of seconds - rule: duration(self).getMilliseconds() % 1000 == 0 - disableMP: - default: false - description: To set if we want to disable MP BGP that will separate - IPv4 and IPv6 route exchanges into distinct BGP sessions. - type: boolean - dynamicASN: - description: |- - DynamicASN detects the AS number to use for the remote end of the session - without explicitly setting it via the ASN field. Limited to: - internal - if the neighbor's ASN is different than MyASN connection is denied. - external - if the neighbor's ASN is the same as MyASN the connection is denied. - ASN and DynamicASN are mutually exclusive and one of them must be specified. - enum: - - internal - - external - type: string - ebgpMultiHop: - description: To set if the BGPPeer is multi-hops away. Needed for - FRR mode only. - type: boolean - enableGracefulRestart: - description: |- - EnableGracefulRestart allows BGP peer to continue to forward data packets - along known routes while the routing protocol information is being - restored. This field is immutable because it requires restart of the BGP - session. Supported for FRR mode only. - type: boolean - x-kubernetes-validations: - - message: EnableGracefulRestart cannot be changed after creation - rule: self == oldSelf - holdTime: - description: Requested BGP hold time, per RFC4271. - type: string - keepaliveTime: - description: Requested BGP keepalive time, per RFC4271. - type: string - myASN: - description: AS number to use for the local end of the session. - format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - nodeSelectors: - description: |- - Only connect to this peer on nodes that match one of these - selectors. 
- items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - password: - description: Authentication password for routers enforcing TCP MD5 - authenticated sessions - type: string - passwordSecret: - description: |- - passwordSecret is name of the authentication secret for BGP Peer. - the secret must be of type "kubernetes.io/basic-auth", and created in the - same namespace as the MetalLB deployment. 
The password is stored in the - secret as the key "password". - properties: - name: - description: name is unique within a namespace to reference a - secret resource. - type: string - namespace: - description: namespace defines the space within which the secret - name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - peerASN: - description: |- - AS number to expect from the remote end of the session. - ASN and DynamicASN are mutually exclusive and one of them must be specified. - format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - peerAddress: - description: Address to dial when establishing the session. - type: string - peerPort: - default: 179 - description: Port to dial when establishing the session. - maximum: 16384 - minimum: 0 - type: integer - routerID: - description: BGP router ID to advertise to the peer - type: string - sourceAddress: - description: Source address to use when establishing the session. - type: string - vrf: - description: |- - To set if we want to peer with the BGPPeer using an interface belonging to - a host vrf - type: string - required: - - myASN - - peerAddress - type: object - status: - description: BGPPeerStatus defines the observed state of Peer. - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.3 - name: communities.metallb.io -spec: - group: metallb.io - names: - kind: Community - listKind: CommunityList - plural: communities - singular: community - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - Community is a collection of aliases for communities. - Users can define named aliases to be used in the BGPPeer CRD. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: CommunitySpec defines the desired state of Community. - properties: - communities: - items: - properties: - name: - description: The name of the alias for the community. - type: string - value: - description: |- - The BGP community value corresponding to the given name. Can be a standard community of the form 1234:1234 - or a large community of the form large:1234:1234:1234. - type: string - type: object - type: array - type: object - status: - description: CommunityStatus defines the observed state of Community. - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.3 - name: ipaddresspools.metallb.io -spec: - group: metallb.io - names: - kind: IPAddressPool - listKind: IPAddressPoolList - plural: ipaddresspools - singular: ipaddresspool - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.autoAssign - name: Auto Assign - type: boolean - - jsonPath: .spec.avoidBuggyIPs - name: Avoid Buggy IPs - type: boolean - - jsonPath: .spec.addresses - name: Addresses - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - IPAddressPool represents a pool of IP addresses that can be allocated - to LoadBalancer services. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPAddressPoolSpec defines the desired state of IPAddressPool. - properties: - addresses: - description: |- - A list of IP address ranges over which MetalLB has authority. - You can list multiple ranges in a single pool, they will all share the - same settings. Each range can be either a CIDR prefix, or an explicit - start-end range of IPs. - items: - type: string - type: array - autoAssign: - default: true - description: |- - AutoAssign flag used to prevent MetallB from automatic allocation - for a pool. - type: boolean - avoidBuggyIPs: - default: false - description: |- - AvoidBuggyIPs prevents addresses ending with .0 and .255 - to be used by a pool. - type: boolean - serviceAllocation: - description: |- - AllocateTo makes ip pool allocation to specific namespace and/or service. - The controller will use the pool with lowest value of priority in case of - multiple matches. A pool with no priority set will be used only if the - pools with priority can't be used. If multiple matching IPAddressPools are - available it will check for the availability of IPs sorting the matching - IPAddressPools by priority, starting from the highest to the lowest. If - multiple IPAddressPools have the same priority, choice will be random. 
- properties: - namespaceSelectors: - description: |- - NamespaceSelectors list of label selectors to select namespace(s) for ip pool, - an alternative to using namespace list. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: Namespaces list of namespace(s) on which ip pool - can be attached. 
- items: - type: string - type: array - priority: - description: Priority priority given for ip pool while ip allocation - on a service. - type: integer - serviceSelectors: - description: |- - ServiceSelectors list of label selector to select service(s) for which ip pool - can be used for ip allocation. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - type: array - type: object - required: - - addresses - type: object - status: - description: IPAddressPoolStatus defines the observed state of IPAddressPool. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.3 - name: l2advertisements.metallb.io -spec: - group: metallb.io - names: - kind: L2Advertisement - listKind: L2AdvertisementList - plural: l2advertisements - singular: l2advertisement - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.ipAddressPools - name: IPAddressPools - type: string - - jsonPath: .spec.ipAddressPoolSelectors - name: IPAddressPool Selectors - type: string - - jsonPath: .spec.interfaces - name: Interfaces - type: string - - jsonPath: .spec.nodeSelectors - name: Node Selectors - priority: 10 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - L2Advertisement allows to advertise the LoadBalancer IPs provided - by the selected pools via L2. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: L2AdvertisementSpec defines the desired state of L2Advertisement. - properties: - interfaces: - description: |- - A list of interfaces to announce from. The LB IP will be announced only from these interfaces. - If the field is not set, we advertise from all the interfaces on the host. - items: - type: string - type: array - ipAddressPoolSelectors: - description: |- - A selector for the IPAddressPools which would get advertised via this advertisement. - If no IPAddressPool is selected by this or by the list, the advertisement is applied to all the IPAddressPools. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - ipAddressPools: - description: The list of IPAddressPools to advertise via this advertisement, - selected by name. - items: - type: string - type: array - nodeSelectors: - description: NodeSelectors allows to limit the nodes to announce as - next hops for the LoadBalancer IP. When empty, all the nodes having are - announced as next hops. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - type: object - status: - description: L2AdvertisementStatus defines the observed state of L2Advertisement. - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.3 - name: servicel2statuses.metallb.io -spec: - group: metallb.io - names: - kind: ServiceL2Status - listKind: ServiceL2StatusList - plural: servicel2statuses - singular: servicel2status - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.node - name: Allocated Node - type: string - - jsonPath: .status.serviceName - name: Service Name - type: string - - jsonPath: .status.serviceNamespace - name: Service Namespace - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ServiceL2Status reveals the actual traffic status of loadbalancer - services in layer2 mode. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ServiceL2StatusSpec defines the desired state of ServiceL2Status. - type: object - status: - description: MetalLBServiceL2Status defines the observed state of ServiceL2Status. - properties: - interfaces: - description: Interfaces indicates the interfaces that receive the - directed traffic - items: - description: InterfaceInfo defines interface info of layer2 announcement. - properties: - name: - description: Name the name of network interface card - type: string - type: object - type: array - node: - description: Node indicates the node that receives the directed traffic - type: string - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf - serviceName: - description: ServiceName indicates the service this status represents - type: string - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf - serviceNamespace: - description: ServiceNamespace indicates the namespace of the service - type: string - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-controller - namespace: kube-system ---- 
-apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: speaker - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-speaker - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-controller - namespace: kube-system -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - metallb-memberlist - resources: - - secrets - verbs: - - list -- apiGroups: - - apps - resourceNames: - - metallb-controller - resources: - - deployments - verbs: - - get -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - metallb.io - resources: - - ipaddresspools - verbs: - - get - - list - - watch -- apiGroups: - - metallb.io - resources: - - bgppeers - verbs: - - get - - list -- apiGroups: - - metallb.io - resources: - - bgpadvertisements - verbs: - - get - - list -- apiGroups: - - metallb.io - resources: - - l2advertisements - verbs: - - get - - list -- apiGroups: - - metallb.io - resources: - - communities - verbs: - - get - - list - - watch -- apiGroups: - - metallb.io - resources: - - bfdprofiles - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-pod-lister - namespace: kube-system -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - list - 
- get -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - metallb.io - resources: - - bfdprofiles - verbs: - - get - - list - - watch -- apiGroups: - - metallb.io - resources: - - bgppeers - verbs: - - get - - list - - watch -- apiGroups: - - metallb.io - resources: - - l2advertisements - verbs: - - get - - list - - watch -- apiGroups: - - metallb.io - resources: - - bgpadvertisements - verbs: - - get - - list - - watch -- apiGroups: - - metallb.io - resources: - - ipaddresspools - verbs: - - get - - list - - watch -- apiGroups: - - metallb.io - resources: - - communities - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb:controller -rules: -- apiGroups: - - "" - resources: - - services - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "" - resources: - - services/status - verbs: - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - metallb-webhook-configuration - resources: - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - list - - watch -- apiGroups: - - apiextensions.k8s.io - resourceNames: - - bfdprofiles.metallb.io - - bgpadvertisements.metallb.io - - bgppeers.metallb.io - - ipaddresspools.metallb.io - - l2advertisements.metallb.io - - communities.metallb.io - resources: - - customresourcedefinitions - verbs: - - create 
- - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb:speaker -rules: -- apiGroups: - - "" - resources: - - services - - endpoints - - nodes - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - metallb.io - resources: - - servicel2statuses - - servicel2statuses/status - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-controller - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: metallb-controller -subjects: -- kind: ServiceAccount - name: metallb-controller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-pod-lister - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: metallb-pod-lister -subjects: -- kind: ServiceAccount - name: metallb-speaker - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: metallb - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb:controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: metallb:controller -subjects: -- kind: ServiceAccount - name: metallb-controller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb:speaker -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: metallb:speaker -subjects: -- kind: ServiceAccount - name: metallb-speaker - namespace: kube-system ---- -apiVersion: v1 -data: - excludel2.yaml: | - announcedInterfacesToExclude: - - ^docker.* - - ^cbr.* - - ^dummy.* - - ^virbr.* - - ^lxcbr.* - - ^veth.* - - ^lo$ - - ^cali.* - - ^tunl.* - - ^flannel.* - - ^kube-ipvs.* - - ^cni.* - - ^nodelocaldns.* -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-excludel2 - namespace: kube-system ---- -apiVersion: v1 -data: - daemons: | - # This file tells the frr package which daemons to start. - # - # Sample configurations for these daemons can be found in - # /usr/share/doc/frr/examples/. - # - # ATTENTION: - # - # When activating a daemon for the first time, a config file, even if it is - # empty, has to be present *and* be owned by the user and group "frr", else - # the daemon will not be started by /etc/init.d/frr. The permissions should - # be u=rw,g=r,o=. - # When using "vtysh" such a config file is also needed. It should be owned by - # group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too. 
- # - # The watchfrr and zebra daemons are always started. - # - bgpd=yes - ospfd=no - ospf6d=no - ripd=no - ripngd=no - isisd=no - pimd=no - ldpd=no - nhrpd=no - eigrpd=no - babeld=no - sharpd=no - pbrd=no - bfdd=yes - fabricd=no - vrrpd=no - - # - # If this option is set the /etc/init.d/frr script automatically loads - # the config via "vtysh -b" when the servers are started. - # Check /etc/pam.d/frr if you intend to use "vtysh"! - # - vtysh_enable=yes - zebra_options=" -A 127.0.0.1 -s 90000000" - bgpd_options=" -A 127.0.0.1 -p 0" - ospfd_options=" -A 127.0.0.1" - ospf6d_options=" -A ::1" - ripd_options=" -A 127.0.0.1" - ripngd_options=" -A ::1" - isisd_options=" -A 127.0.0.1" - pimd_options=" -A 127.0.0.1" - ldpd_options=" -A 127.0.0.1" - nhrpd_options=" -A 127.0.0.1" - eigrpd_options=" -A 127.0.0.1" - babeld_options=" -A 127.0.0.1" - sharpd_options=" -A 127.0.0.1" - pbrd_options=" -A 127.0.0.1" - staticd_options="-A 127.0.0.1" - bfdd_options=" -A 127.0.0.1" - fabricd_options="-A 127.0.0.1" - vrrpd_options=" -A 127.0.0.1" - - # configuration profile - # - #frr_profile="traditional" - #frr_profile="datacenter" - - # - # This is the maximum number of FD's that will be available. - # Upon startup this is read by the control files and ulimit - # is called. Uncomment and use a reasonable value for your - # setup if you are expecting a large number of peers in - # say BGP. - #MAX_FDS=1024 - - # The list of daemons to watch is automatically generated by the init script. - #watchfrr_options="" - - # for debugging purposes, you can specify a "wrap" command to start instead - # of starting the daemon directly, e.g. to use valgrind on ospfd: - # ospfd_wrap="/usr/bin/valgrind" - # or you can use "all_wrap" for all daemons, e.g. to use perf record: - # all_wrap="/usr/bin/perf record --call-graph -" - # the normal daemon command is added to this at the end. - frr.conf: | - ! This file gets overriden the first time the speaker renders a config. - ! 
So anything configured here is only temporary. - frr version 8.0 - frr defaults traditional - hostname Router - line vty - log file /etc/frr/frr.log informational - vtysh.conf: | - service integrated-vtysh-config -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: speaker - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-frr-startup - namespace: kube-system ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-webhook-cert - namespace: kube-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-webhook-service - namespace: kube-system -spec: - ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: metallb - app.kubernetes.io/name: metallb ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-controller - namespace: kube-system -spec: - selector: - matchLabels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: metallb - app.kubernetes.io/name: metallb - strategy: - type: RollingUpdate - template: - metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: metallb - app.kubernetes.io/name: metallb - spec: - containers: - - args: - - --port=7472 - - 
--log-level=info - - --tls-min-version=VersionTLS12 - env: - - name: METALLB_ML_SECRET_NAME - value: metallb-memberlist - - name: METALLB_DEPLOYMENT - value: metallb-controller - - name: METALLB_BGP_TYPE - value: frr - image: quay.io/metallb/controller:v0.14.9 - livenessProbe: - failureThreshold: 3 - httpGet: - path: /metrics - port: monitoring - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: controller - ports: - - containerPort: 7472 - name: monitoring - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /metrics - port: monitoring - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - nodeSelector: - kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - serviceAccountName: metallb-controller - terminationGracePeriodSeconds: 0 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: metallb-webhook-cert ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - app.kubernetes.io/component: speaker - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-speaker - namespace: kube-system -spec: - selector: - matchLabels: - app.kubernetes.io/component: speaker - app.kubernetes.io/instance: metallb - app.kubernetes.io/name: metallb - template: - metadata: - labels: - app.kubernetes.io/component: speaker - app.kubernetes.io/instance: metallb - app.kubernetes.io/name: metallb - spec: - containers: - - args: - - --port=7472 - - --log-level=info - env: - - name: METALLB_NODE_NAME - valueFrom: - fieldRef: - 
fieldPath: spec.nodeName - - name: METALLB_HOST - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: METALLB_ML_BIND_ADDR - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: METALLB_ML_LABELS - value: app.kubernetes.io/name=metallb,app.kubernetes.io/component=speaker - - name: METALLB_ML_BIND_PORT - value: "7946" - - name: METALLB_ML_SECRET_KEY_PATH - value: /etc/ml_secret_key - - name: FRR_CONFIG_FILE - value: /etc/frr_reloader/frr.conf - - name: FRR_RELOADER_PID_FILE - value: /etc/frr_reloader/reloader.pid - - name: METALLB_BGP_TYPE - value: frr - - name: METALLB_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - image: quay.io/metallb/speaker:v0.14.9 - livenessProbe: - failureThreshold: 3 - httpGet: - path: /metrics - port: monitoring - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: speaker - ports: - - containerPort: 7472 - name: monitoring - - containerPort: 7946 - name: memberlist-tcp - protocol: TCP - - containerPort: 7946 - name: memberlist-udp - protocol: UDP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /metrics - port: monitoring - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_RAW - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /etc/ml_secret_key - name: memberlist - - mountPath: /etc/frr_reloader - name: reloader - - mountPath: /etc/metallb - name: metallb-excludel2 - - command: - - /bin/sh - - -c - - | - /sbin/tini -- /usr/lib/frr/docker-start & - attempts=0 - until [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do - sleep 1 - attempts=$(( $attempts + 1 )) - done - tail -f /etc/frr/frr.log - env: - - name: TINI_SUBREAPER - value: "true" - image: quay.io/frrouting/frr:9.1.0 - livenessProbe: - failureThreshold: 3 - httpGet: - path: livez - port: 7473 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 
1 - timeoutSeconds: 1 - name: frr - securityContext: - capabilities: - add: - - NET_ADMIN - - NET_RAW - - SYS_ADMIN - - NET_BIND_SERVICE - startupProbe: - failureThreshold: 30 - httpGet: - path: /livez - port: 7473 - periodSeconds: 5 - volumeMounts: - - mountPath: /var/run/frr - name: frr-sockets - - mountPath: /etc/frr - name: frr-conf - - command: - - /etc/frr_reloader/frr-reloader.sh - image: quay.io/frrouting/frr:9.1.0 - name: reloader - volumeMounts: - - mountPath: /var/run/frr - name: frr-sockets - - mountPath: /etc/frr - name: frr-conf - - mountPath: /etc/frr_reloader - name: reloader - - args: - - --metrics-port=7473 - command: - - /etc/frr_metrics/frr-metrics - env: - - name: VTYSH_HISTFILE - value: /dev/null - image: quay.io/frrouting/frr:9.1.0 - name: frr-metrics - ports: - - containerPort: 7473 - name: monitoring - volumeMounts: - - mountPath: /var/run/frr - name: frr-sockets - - mountPath: /etc/frr - name: frr-conf - - mountPath: /etc/frr_metrics - name: metrics - hostNetwork: true - initContainers: - - command: - - /bin/sh - - -c - - cp -rLf /tmp/frr/* /etc/frr/ - image: quay.io/frrouting/frr:9.1.0 - name: cp-frr-files - securityContext: - runAsGroup: 101 - runAsUser: 100 - volumeMounts: - - mountPath: /tmp/frr - name: frr-startup - - mountPath: /etc/frr - name: frr-conf - - command: - - /cp-tool - - /frr-reloader.sh - - /etc/frr_reloader/frr-reloader.sh - image: quay.io/metallb/speaker:v0.14.9 - name: cp-reloader - volumeMounts: - - mountPath: /etc/frr_reloader - name: reloader - - command: - - /cp-tool - - /frr-metrics - - /etc/frr_metrics/frr-metrics - image: quay.io/metallb/speaker:v0.14.9 - name: cp-metrics - volumeMounts: - - mountPath: /etc/frr_metrics - name: metrics - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: metallb-speaker - shareProcessNamespace: true - terminationGracePeriodSeconds: 0 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists - - effect: NoSchedule - key: 
node-role.kubernetes.io/control-plane - operator: Exists - volumes: - - name: memberlist - secret: - defaultMode: 420 - secretName: metallb-memberlist - - configMap: - defaultMode: 256 - name: metallb-excludel2 - name: metallb-excludel2 - - emptyDir: {} - name: frr-sockets - - configMap: - name: metallb-frr-startup - name: frr-startup - - emptyDir: {} - name: frr-conf - - emptyDir: {} - name: reloader - - emptyDir: {} - name: metrics - updateStrategy: - type: RollingUpdate ---- -apiVersion: metallb.io/v1beta1 -kind: BGPAdvertisement -metadata: - name: default - namespace: kube-system -spec: {} ---- -apiVersion: metallb.io/v1beta1 -kind: IPAddressPool -metadata: - name: default - namespace: kube-system -spec: - addresses: - - 192.168.2.0-192.168.2.255 - autoAssign: true - avoidBuggyIPs: false ---- -apiVersion: metallb.io/v1beta2 -kind: BGPPeer -metadata: - name: opnsense - namespace: kube-system -spec: - myASN: 64513 - peerASN: 64512 - peerAddress: 192.168.1.1 ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/instance: metallb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: metallb - app.kubernetes.io/version: v0.14.9 - helm.sh/chart: metallb-0.14.9 - name: metallb-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: metallb-webhook-service - namespace: kube-system - path: /validate-metallb-io-v1beta2-bgppeer - failurePolicy: Fail - name: bgppeervalidationwebhook.metallb.io - rules: - - apiGroups: - - metallb.io - apiVersions: - - v1beta2 - operations: - - CREATE - - UPDATE - resources: - - bgppeers - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: metallb-webhook-service - namespace: kube-system - path: /validate-metallb-io-v1beta1-ipaddresspool - failurePolicy: Fail - name: ipaddresspoolvalidationwebhook.metallb.io - rules: - - apiGroups: - - metallb.io - apiVersions: - - v1beta1 - 
operations: - - CREATE - - UPDATE - resources: - - ipaddresspools - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: metallb-webhook-service - namespace: kube-system - path: /validate-metallb-io-v1beta1-bgpadvertisement - failurePolicy: Fail - name: bgpadvertisementvalidationwebhook.metallb.io - rules: - - apiGroups: - - metallb.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - bgpadvertisements - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: metallb-webhook-service - namespace: kube-system - path: /validate-metallb-io-v1beta1-community - failurePolicy: Fail - name: communityvalidationwebhook.metallb.io - rules: - - apiGroups: - - metallb.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - communities - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: metallb-webhook-service - namespace: kube-system - path: /validate-metallb-io-v1beta1-bfdprofile - failurePolicy: Fail - name: bfdprofilevalidationwebhook.metallb.io - rules: - - apiGroups: - - metallb.io - apiVersions: - - v1beta1 - operations: - - CREATE - - DELETE - resources: - - bfdprofiles - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: metallb-webhook-service - namespace: kube-system - path: /validate-metallb-io-v1beta1-l2advertisement - failurePolicy: Fail - name: l2advertisementvalidationwebhook.metallb.io - rules: - - apiGroups: - - metallb.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - l2advertisements - sideEffects: None diff --git a/deploy/components/metrics-server/metrics-server.gen.yaml b/deploy/components/metrics-server/metrics-server.gen.yaml new file mode 100644 index 00000000..a2ab6fc1 --- /dev/null +++ b/deploy/components/metrics-server/metrics-server.gen.yaml 
@@ -0,0 +1,252 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: metrics-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: metrics-server + app.kubernetes.io/version: 0.7.2 + helm.sh/chart: metrics-server-3.12.2 + name: metrics-server + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: metrics-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: metrics-server + app.kubernetes.io/version: 0.7.2 + helm.sh/chart: metrics-server-3.12.2 + name: system:metrics-server +rules: +- apiGroups: + - "" + resources: + - nodes/metrics + verbs: + - get +- apiGroups: + - "" + resources: + - pods + - nodes + - namespaces + - configmaps + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: metrics-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: metrics-server + app.kubernetes.io/version: 0.7.2 + helm.sh/chart: metrics-server-3.12.2 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: system:metrics-server-aggregated-reader +rules: +- apiGroups: + - metrics.k8s.io + resources: + - pods + - nodes + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: metrics-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: metrics-server + app.kubernetes.io/version: 0.7.2 + helm.sh/chart: metrics-server-3.12.2 + name: metrics-server-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: metrics-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: metrics-server + app.kubernetes.io/version: 0.7.2 + helm.sh/chart: metrics-server-3.12.2 + name: metrics-server:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: metrics-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: metrics-server + app.kubernetes.io/version: 0.7.2 + helm.sh/chart: metrics-server-3.12.2 + name: system:metrics-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:metrics-server +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: metrics-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: metrics-server + app.kubernetes.io/version: 0.7.2 + helm.sh/chart: metrics-server-3.12.2 + name: metrics-server + namespace: kube-system +spec: + ports: + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/instance: metrics-server + app.kubernetes.io/name: metrics-server + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: metrics-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: metrics-server + app.kubernetes.io/version: 0.7.2 + helm.sh/chart: metrics-server-3.12.2 + name: metrics-server + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: metrics-server + app.kubernetes.io/name: metrics-server + template: + metadata: + labels: + 
app.kubernetes.io/instance: metrics-server + app.kubernetes.io/name: metrics-server + spec: + containers: + - args: + - --secure-port=10250 + - --cert-dir=/tmp + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-use-node-status-port + - --metric-resolution=15s + - --v=1 + - --cert-dir=/tmp + - --kubelet-insecure-tls + - --requestheader-client-ca-file=/var/run/ssl/auth-proxy-ca/requestheader-client-ca-file + image: registry.k8s.io/metrics-server/metrics-server:v0.7.2 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /livez + port: https + scheme: HTTPS + initialDelaySeconds: 0 + periodSeconds: 10 + name: metrics-server + ports: + - containerPort: 10250 + name: https + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: https + scheme: HTTPS + initialDelaySeconds: 20 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: tmp + - mountPath: /var/run/ssl/auth-proxy-ca + name: auth-proxy-ca-cert + readOnly: true + priorityClassName: system-cluster-critical + serviceAccountName: metrics-server + volumes: + - emptyDir: {} + name: tmp + - configMap: + name: extension-apiserver-authentication + name: auth-proxy-ca-cert +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app.kubernetes.io/instance: metrics-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: metrics-server + app.kubernetes.io/version: 0.7.2 + helm.sh/chart: metrics-server-3.12.2 + name: v1beta1.metrics.k8s.io +spec: + group: metrics.k8s.io + groupPriorityMinimum: 100 + insecureSkipTLSVerify: true + service: + name: metrics-server + namespace: kube-system + port: 443 + version: v1beta1 + 
versionPriority: 100 diff --git a/deploy/components/mongodb/mongodb.gen.yaml b/deploy/components/mongodb/mongodb.gen.yaml index 1c5c89ea..1222da9a 100644 --- a/deploy/components/mongodb/mongodb.gen.yaml +++ b/deploy/components/mongodb/mongodb.gen.yaml @@ -24,21 +24,15 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: mongodb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: mongodb - helm.sh/chart: app-template-3.5.1 - name: mongodb-data + name: mongo-data namespace: default spec: accessModes: - ReadWriteOnce resources: requests: - storage: 8Gi + storage: 1Gi + storageClassName: ceph-block --- apiVersion: apps/v1 kind: StatefulSet @@ -86,7 +80,7 @@ spec: volumes: - name: data persistentVolumeClaim: - claimName: mongodb-data + claimName: mongo-data - name: initdb secret: secretName: mongodb-init diff --git a/deploy/components/nginx-external/nginx-external.gen.yaml b/deploy/components/nginx-external/nginx-external.gen.yaml index 03f2186d..a196f60c 100644 --- a/deploy/components/nginx-external/nginx-external.gen.yaml +++ b/deploy/components/nginx-external/nginx-external.gen.yaml @@ -272,7 +272,7 @@ kind: Service metadata: annotations: external-dns.alpha.kubernetes.io/hostname: external.brenix.com - metallb.universe.tf/loadBalancerIPs: 192.168.2.20 + lbipam.cilium.io/ips: 192.168.2.20 labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: nginx-external diff --git a/deploy/components/nginx-internal/nginx-internal.gen.yaml b/deploy/components/nginx-internal/nginx-internal.gen.yaml index c2fc0e87..2795427d 100644 --- a/deploy/components/nginx-internal/nginx-internal.gen.yaml +++ b/deploy/components/nginx-internal/nginx-internal.gen.yaml 
@@ -271,7 +271,7 @@ kind: Service metadata: annotations: external-dns.alpha.kubernetes.io/hostname: internal.brenix.com - metallb.universe.tf/loadBalancerIPs: 192.168.2.21 + lbipam.cilium.io/ips: 192.168.2.21 labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: nginx-internal diff --git a/deploy/components/prowlarr/prowlarr.gen.yaml b/deploy/components/prowlarr/prowlarr.gen.yaml index 7039ac1b..12eba89f 100644 --- a/deploy/components/prowlarr/prowlarr.gen.yaml +++ b/deploy/components/prowlarr/prowlarr.gen.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - metallb.universe.tf/loadBalancerIPs: 192.168.2.5 + lbipam.cilium.io/ips: 192.168.2.5 labels: app.kubernetes.io/instance: prowlarr app.kubernetes.io/managed-by: Helm @@ -27,12 +27,7 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - labels: - app.kubernetes.io/instance: prowlarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: prowlarr - helm.sh/chart: app-template-3.5.1 - name: prowlarr-config + name: prowlarr namespace: default spec: accessModes: @@ -40,6 +35,7 @@ spec: resources: requests: storage: 1Gi + storageClassName: ceph-block --- apiVersion: apps/v1 kind: Deployment @@ -92,7 +88,7 @@ spec: volumes: - name: config persistentVolumeClaim: - claimName: prowlarr-config + claimName: prowlarr --- apiVersion: networking.k8s.io/v1 kind: Ingress diff --git a/deploy/components/radarr/radarr.gen.yaml b/deploy/components/radarr/radarr.gen.yaml index 06a18c48..2d20b9a9 100644 --- a/deploy/components/radarr/radarr.gen.yaml +++ b/deploy/components/radarr/radarr.gen.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - metallb.universe.tf/loadBalancerIPs: 192.168.2.3 + lbipam.cilium.io/ips: 192.168.2.3 labels: app.kubernetes.io/instance: radarr app.kubernetes.io/managed-by: Helm 
@@ -27,12 +27,7 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - labels: - app.kubernetes.io/instance: radarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: radarr - helm.sh/chart: app-template-3.5.1 - name: radarr-config + name: radarr-cache namespace: default spec: accessModes: @@ -40,6 +35,20 @@ spec: resources: requests: storage: 1Gi + storageClassName: ceph-block +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: radarr-data + namespace: default +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: ceph-block --- apiVersion: apps/v1 kind: Deployment @@ -95,12 +104,15 @@ spec: timeoutSeconds: 10 name: main volumeMounts: + - mountPath: /config/MediaCover + name: cache - mountPath: /config name: config - - mountPath: /downloads - name: downloads - mountPath: /media name: media + - mountPath: /downloads + name: media + subPath: downloads dnsPolicy: ClusterFirst enableServiceLinks: false hostIPC: false @@ -108,17 +120,15 @@ spec: hostPID: false serviceAccountName: default volumes: + - name: cache + persistentVolumeClaim: + claimName: radarr-cache - name: config persistentVolumeClaim: - claimName: radarr-config - - hostPath: - path: /media/downloads - type: Directory - name: downloads - - hostPath: - path: /media - type: Directory - name: media + claimName: radarr-data + - name: media + persistentVolumeClaim: + claimName: media --- apiVersion: networking.k8s.io/v1 kind: Ingress diff --git a/deploy/components/rook-ceph-cluster/rook-ceph-cluster.gen.yaml b/deploy/components/rook-ceph-cluster/rook-ceph-cluster.gen.yaml new file mode 100644 index 00000000..3ee24ccf --- /dev/null +++ b/deploy/components/rook-ceph-cluster/rook-ceph-cluster.gen.yaml 
@@ -0,0 +1,1332 @@ +allowVolumeExpansion: true +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + annotations: + storageclass.kubernetes.io/is-default-class: "true" + name: ceph-block +parameters: + clusterID: rook-ceph + csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner + csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph + csi.storage.k8s.io/fstype: ext4 + csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node + csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph + csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner + csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph + imageFeatures: layering + imageFormat: "2" + pool: ceph-blockpool +provisioner: rook-ceph.rbd.csi.ceph.com +reclaimPolicy: Delete +volumeBindingMode: Immediate +--- +allowVolumeExpansion: true +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + annotations: + storageclass.kubernetes.io/is-default-class: "false" + name: ceph-filesystem +parameters: + clusterID: rook-ceph + csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner + csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph + csi.storage.k8s.io/fstype: ext4 + csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node + csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph + csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner + csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph + fsName: ceph-filesystem + pool: ceph-filesystem-data0 +provisioner: rook-ceph.cephfs.csi.ceph.com +reclaimPolicy: Delete +volumeBindingMode: Immediate +--- +apiVersion: v1 +data: + config: |2 + + [global] + bdev_enable_discard = true + bdev_async_discard = true + osd_class_update_on_start = false +kind: ConfigMap +metadata: + name: rook-config-override + namespace: rook-ceph +--- +apiVersion: ceph.rook.io/v1 +kind: CephBlockPool +metadata: + name: ceph-blockpool + namespace: rook-ceph +spec: + 
failureDomain: host + replicated: + size: 3 +--- +apiVersion: ceph.rook.io/v1 +kind: CephCluster +metadata: + name: rook-ceph + namespace: rook-ceph +spec: + cephVersion: + allowUnsupported: false + image: quay.io/ceph/ceph:v18.2.4 + cleanupPolicy: + allowUninstallWithVolumes: false + confirmation: "" + sanitizeDisks: + dataSource: zero + iteration: 1 + method: quick + continueUpgradeAfterChecksEvenIfNotHealthy: false + crashCollector: + disable: true + dashboard: + enabled: true + prometheusEndpoint: http://prometheus-operated.monitoring.svc.cluster.local:9090 + ssl: false + urlPrefix: / + dataDirHostPath: /var/lib/rook + disruptionManagement: + managePodBudgets: true + osdMaintenanceTimeout: 30 + pgHealthCheckTimeout: 0 + healthCheck: + daemonHealth: + mon: + disabled: false + interval: 45s + osd: + disabled: false + interval: 60s + status: + disabled: false + interval: 60s + livenessProbe: + mgr: + disabled: false + mon: + disabled: false + osd: + disabled: false + logCollector: + enabled: true + maxLogSize: 500M + periodicity: daily + mgr: + allowMultiplePerNode: false + count: 2 + modules: null + mon: + allowMultiplePerNode: false + count: 3 + monitoring: + enabled: true + network: + connections: + compression: + enabled: false + encryption: + enabled: false + requireMsgr2: true + provider: host + priorityClassNames: + mgr: system-cluster-critical + mon: system-node-critical + osd: system-node-critical + removeOSDsIfOutAndSafeToRemove: false + resources: + cleanup: + limits: + memory: 1Gi + requests: + cpu: 500m + memory: 100Mi + crashcollector: + limits: + memory: 60Mi + requests: + cpu: 100m + memory: 60Mi + exporter: + limits: + memory: 128Mi + requests: + cpu: 50m + memory: 50Mi + logcollector: + limits: + memory: 1Gi + requests: + cpu: 100m + memory: 100Mi + mgr: + limits: + memory: 2Gi + requests: + cpu: 100m + memory: 512Mi + mgr-sidecar: + limits: + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + mon: + limits: + memory: 1Gi + requests: + cpu: 
50m + memory: 512Mi + osd: + limits: + memory: 4Gi + requests: + cpu: 500m + memory: 2Gi + prepareosd: + requests: + cpu: 500m + memory: 50Mi + skipUpgradeChecks: false + storage: + useAllDevices: true + useAllNodes: true + upgradeOSDRequiresHealthyPGs: false + waitTimeoutForHealthyOSDInMinutes: 10 +--- +apiVersion: ceph.rook.io/v1 +kind: CephFilesystem +metadata: + name: ceph-filesystem + namespace: rook-ceph +spec: + dataPools: + - failureDomain: host + name: data0 + replicated: + size: 3 + metadataPool: + replicated: + size: 3 + metadataServer: + activeCount: 1 + activeStandby: true + priorityClassName: system-cluster-critical + resources: + limits: + memory: 3Gi + requests: + cpu: 100m + memory: 1Gi +--- +apiVersion: ceph.rook.io/v1 +kind: CephFilesystemSubVolumeGroup +metadata: + name: ceph-filesystem-csi + namespace: rook-ceph +spec: + filesystemName: ceph-filesystem + name: csi + pinning: + distributed: 1 +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + labels: + prometheus: rook-prometheus + role: alert-rules + name: prometheus-ceph-rules + namespace: rook-ceph +spec: + groups: + - name: cluster health + rules: + - alert: CephHealthError + annotations: + description: The cluster state has been HEALTH_ERROR for more than 5 minutes. + Please check 'ceph health detail' for more information. + summary: Ceph is in the ERROR state + expr: ceph_health_status == 2 + for: 5m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.2.1 + severity: critical + type: ceph_default + - alert: CephHealthWarning + annotations: + description: The cluster state has been HEALTH_WARN for more than 15 minutes. + Please check 'ceph health detail' for more information. 
+ summary: Ceph is in the WARNING state + expr: ceph_health_status == 1 + for: 15m + labels: + severity: warning + type: ceph_default + - name: mon + rules: + - alert: CephMonDownQuorumAtRisk + annotations: + description: '{{ $min := query "floor(count(ceph_mon_metadata) / 2) + 1" | + first | value }}Quorum requires a majority of monitors (x {{ $min }}) to + be active. Without quorum the cluster will become inoperable, affecting + all services and connected clients. The following monitors are down: {{- + range query "(ceph_mon_quorum_status == 0) + on(ceph_daemon) group_left(hostname) + (ceph_mon_metadata * 0)" }} - {{ .Labels.ceph_daemon }} on {{ .Labels.hostname + }} {{- end }}' + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-down + summary: Monitor quorum is at risk + expr: | + ( + (ceph_health_detail{name="MON_DOWN"} == 1) * on() ( + count(ceph_mon_quorum_status == 1) == bool (floor(count(ceph_mon_metadata) / 2) + 1) + ) + ) == 1 + for: 30s + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.3.1 + severity: critical + type: ceph_default + - alert: CephMonDown + annotations: + description: | + {{ $down := query "count(ceph_mon_quorum_status == 0)" | first | value }}{{ $s := "" }}{{ if gt $down 1.0 }}{{ $s = "s" }}{{ end }}You have {{ $down }} monitor{{ $s }} down. Quorum is still intact, but the loss of an additional monitor will make your cluster inoperable. 
The following monitors are down: {{- range query "(ceph_mon_quorum_status == 0) + on(ceph_daemon) group_left(hostname) (ceph_mon_metadata * 0)" }} - {{ .Labels.ceph_daemon }} on {{ .Labels.hostname }} {{- end }} + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-down + summary: One or more monitors down + expr: | + count(ceph_mon_quorum_status == 0) <= (count(ceph_mon_metadata) - floor(count(ceph_mon_metadata) / 2) + 1) + for: 30s + labels: + severity: warning + type: ceph_default + - alert: CephMonDiskspaceCritical + annotations: + description: The free space available to a monitor's store is critically low. + You should increase the space available to the monitor(s). The default directory + is /var/lib/ceph/mon-*/data/store.db on traditional deployments, and /var/lib/rook/mon-*/data/store.db + on the mon pod's worker node for Rook. Look for old, rotated versions of + *.log and MANIFEST*. Do NOT touch any *.sst files. Also check any other + directories under /var/lib/rook and other directories on the same filesystem, + often /var/log and /var/tmp are culprits. Your monitor hosts are; {{- range + query "ceph_mon_metadata"}} - {{ .Labels.hostname }} {{- end }} + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-disk-crit + summary: Filesystem space on at least one monitor is critically low + expr: ceph_health_detail{name="MON_DISK_CRIT"} == 1 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.3.2 + severity: critical + type: ceph_default + - alert: CephMonDiskspaceLow + annotations: + description: The space available to a monitor's store is approaching full + (>70% is the default). You should increase the space available to the monitor(s). + The default directory is /var/lib/ceph/mon-*/data/store.db on traditional + deployments, and /var/lib/rook/mon-*/data/store.db on the mon pod's worker + node for Rook. Look for old, rotated versions of *.log and MANIFEST*. Do + NOT touch any *.sst files. 
Also check any other directories under /var/lib/rook + and other directories on the same filesystem, often /var/log and /var/tmp + are culprits. Your monitor hosts are; {{- range query "ceph_mon_metadata"}} + - {{ .Labels.hostname }} {{- end }} + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-disk-low + summary: Drive space on at least one monitor is approaching full + expr: ceph_health_detail{name="MON_DISK_LOW"} == 1 + for: 5m + labels: + severity: warning + type: ceph_default + - alert: CephMonClockSkew + annotations: + description: Ceph monitors rely on closely synchronized time to maintain quorum + and cluster consistency. This event indicates that the time on at least + one mon has drifted too far from the lead mon. Review cluster status with + ceph -s. This will show which monitors are affected. Check the time sync + status on each monitor host with 'ceph time-sync-status' and the state and + peers of your ntpd or chrony daemon. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-clock-skew + summary: Clock skew detected among monitors + expr: ceph_health_detail{name="MON_CLOCK_SKEW"} == 1 + for: 1m + labels: + severity: warning + type: ceph_default + - name: osd + rules: + - alert: CephOSDDownHigh + annotations: + description: '{{ $value | humanize }}% or {{ with query "count(ceph_osd_up + == 0)" }}{{ . | first | value }}{{ end }} of {{ with query "count(ceph_osd_up)" + }}{{ . | first | value }}{{ end }} OSDs are down (>= 10%). 
The following + OSDs are down: {{- range query "(ceph_osd_up * on(ceph_daemon) group_left(hostname) + ceph_osd_metadata) == 0" }} - {{ .Labels.ceph_daemon }} on {{ .Labels.hostname + }} {{- end }}' + summary: More than 10% of OSDs are down + expr: count(ceph_osd_up == 0) / count(ceph_osd_up) * 100 >= 10 + for: 5m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.4.1 + severity: critical + type: ceph_default + - alert: CephOSDHostDown + annotations: + description: 'The following OSDs are down: {{- range query "(ceph_osd_up * + on(ceph_daemon) group_left(hostname) ceph_osd_metadata) == 0" }} - {{ .Labels.hostname + }} : {{ .Labels.ceph_daemon }} {{- end }}' + summary: An OSD host is offline + expr: ceph_health_detail{name="OSD_HOST_DOWN"} == 1 + for: 5m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.4.8 + severity: warning + type: ceph_default + - alert: CephOSDDown + annotations: + description: | + {{ $num := query "count(ceph_osd_up == 0)" | first | value }}{{ $s := "" }}{{ if gt $num 1.0 }}{{ $s = "s" }}{{ end }}{{ $num }} OSD{{ $s }} down for over 5mins. The following OSD{{ $s }} {{ if eq $s "" }}is{{ else }}are{{ end }} down: {{- range query "(ceph_osd_up * on(ceph_daemon) group_left(hostname) ceph_osd_metadata) == 0"}} - {{ .Labels.ceph_daemon }} on {{ .Labels.hostname }} {{- end }} + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-down + summary: An OSD has been marked down + expr: ceph_health_detail{name="OSD_DOWN"} == 1 + for: 5m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.4.2 + severity: warning + type: ceph_default + - alert: CephOSDNearFull + annotations: + description: One or more OSDs have reached the NEARFULL threshold. Use 'ceph + health detail' and 'ceph osd df' to identify the problem. To resolve, add + capacity to the affected OSD's failure domain, restore down/out OSDs, or + delete unwanted data. 
+ documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-nearfull + summary: OSD(s) running low on free space (NEARFULL) + expr: ceph_health_detail{name="OSD_NEARFULL"} == 1 + for: 5m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.4.3 + severity: warning + type: ceph_default + - alert: CephOSDFull + annotations: + description: An OSD has reached the FULL threshold. Writes to pools that share + the affected OSD will be blocked. Use 'ceph health detail' and 'ceph osd + df' to identify the problem. To resolve, add capacity to the affected OSD's + failure domain, restore down/out OSDs, or delete unwanted data. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-full + summary: OSD full, writes blocked + expr: ceph_health_detail{name="OSD_FULL"} > 0 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.4.6 + severity: critical + type: ceph_default + - alert: CephOSDBackfillFull + annotations: + description: An OSD has reached the BACKFILL FULL threshold. This will prevent + rebalance operations from completing. Use 'ceph health detail' and 'ceph + osd df' to identify the problem. To resolve, add capacity to the affected + OSD's failure domain, restore down/out OSDs, or delete unwanted data. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-backfillfull + summary: OSD(s) too full for backfill operations + expr: ceph_health_detail{name="OSD_BACKFILLFULL"} > 0 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: CephOSDTooManyRepairs + annotations: + description: Reads from an OSD have used a secondary PG to return data to + the client, indicating a potential failing drive. 
+ documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-too-many-repairs + summary: OSD reports a high number of read errors + expr: ceph_health_detail{name="OSD_TOO_MANY_REPAIRS"} == 1 + for: 30s + labels: + severity: warning + type: ceph_default + - alert: CephOSDTimeoutsPublicNetwork + annotations: + description: OSD heartbeats on the cluster's 'public' network (frontend) are + running slow. Investigate the network for latency or loss issues. Use 'ceph + health detail' to show the affected OSDs. + summary: Network issues delaying OSD heartbeats (public network) + expr: ceph_health_detail{name="OSD_SLOW_PING_TIME_FRONT"} == 1 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: CephOSDTimeoutsClusterNetwork + annotations: + description: OSD heartbeats on the cluster's 'cluster' network (backend) are + slow. Investigate the network for latency issues on this subnet. Use 'ceph + health detail' to show the affected OSDs. + summary: Network issues delaying OSD heartbeats (cluster network) + expr: ceph_health_detail{name="OSD_SLOW_PING_TIME_BACK"} == 1 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: CephOSDInternalDiskSizeMismatch + annotations: + description: One or more OSDs have an internal inconsistency between metadata + and the size of the device. This could lead to the OSD(s) crashing in future. + You should redeploy the affected OSDs. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#bluestore-disk-size-mismatch + summary: OSD size inconsistency error + expr: ceph_health_detail{name="BLUESTORE_DISK_SIZE_MISMATCH"} == 1 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: CephDeviceFailurePredicted + annotations: + description: The device health module has determined that one or more devices + will fail soon. To review device status use 'ceph device ls'. To show a + specific device use 'ceph device info '. 
Mark the OSD out so that + data may migrate to other OSDs. Once the OSD has drained, destroy the OSD, + replace the device, and redeploy the OSD. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#id2 + summary: Device(s) predicted to fail soon + expr: ceph_health_detail{name="DEVICE_HEALTH"} == 1 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: CephDeviceFailurePredictionTooHigh + annotations: + description: The device health module has determined that devices predicted + to fail can not be remediated automatically, since too many OSDs would be + removed from the cluster to ensure performance and availability. Prevent + data integrity issues by adding new OSDs so that data may be relocated. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#device-health-toomany + summary: Too many devices are predicted to fail, unable to resolve + expr: ceph_health_detail{name="DEVICE_HEALTH_TOOMANY"} == 1 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.4.7 + severity: critical + type: ceph_default + - alert: CephDeviceFailureRelocationIncomplete + annotations: + description: "The device health module has determined that one or more devices + will fail soon, but the normal process of relocating the data on the device + to other OSDs in the cluster is blocked. \nEnsure that the cluster has available + free space. It may be necessary to add capacity to the cluster to allow + data from the failing device to successfully migrate, or to enable the balancer." 
+ documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#device-health-in-use + summary: Device failure is predicted, but unable to relocate data + expr: ceph_health_detail{name="DEVICE_HEALTH_IN_USE"} == 1 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: CephOSDFlapping + annotations: + description: OSD {{ $labels.ceph_daemon }} on {{ $labels.hostname }} was marked + down and back up {{ $value | humanize }} times once a minute for 5 minutes. + This may indicate a network issue (latency, packet loss, MTU mismatch) on + the cluster network, or the public network if no cluster network is deployed. + Check the network stats on the listed host(s). + documentation: https://docs.ceph.com/en/latest/rados/troubleshooting/troubleshooting-osd#flapping-osds + summary: Network issues are causing OSDs to flap (mark each other down) + expr: (rate(ceph_osd_up[5m]) * on(ceph_daemon) group_left(hostname) ceph_osd_metadata) + * 60 > 1 + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.4.4 + severity: warning + type: ceph_default + - alert: CephOSDReadErrors + annotations: + description: An OSD has encountered read errors, but the OSD has recovered + by retrying the reads. This may indicate an issue with hardware or the kernel. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#bluestore-spurious-read-errors + summary: Device read errors detected + expr: ceph_health_detail{name="BLUESTORE_SPURIOUS_READ_ERRORS"} == 1 + for: 30s + labels: + severity: warning + type: ceph_default + - alert: CephPGImbalance + annotations: + description: OSD {{ $labels.ceph_daemon }} on {{ $labels.hostname }} deviates + by more than 30% from average PG count. 
+ summary: PGs are not balanced across OSDs + expr: | + abs( + ((ceph_osd_numpg > 0) - on (job) group_left avg(ceph_osd_numpg > 0) by (job)) / + on (job) group_left avg(ceph_osd_numpg > 0) by (job) + ) * on (ceph_daemon) group_left(hostname) ceph_osd_metadata > 0.30 + for: 5m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.4.5 + severity: warning + type: ceph_default + - name: mds + rules: + - alert: CephFilesystemDamaged + annotations: + description: Filesystem metadata has been corrupted. Data may be inaccessible. + Analyze metrics from the MDS daemon admin socket, or escalate to support. + documentation: https://docs.ceph.com/en/latest/cephfs/health-messages#cephfs-health-messages + summary: CephFS filesystem is damaged. + expr: ceph_health_detail{name="MDS_DAMAGE"} > 0 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.5.1 + severity: critical + type: ceph_default + - alert: CephFilesystemOffline + annotations: + description: All MDS ranks are unavailable. The MDS daemons managing metadata + are down, rendering the filesystem offline. + documentation: https://docs.ceph.com/en/latest/cephfs/health-messages/#mds-all-down + summary: CephFS filesystem is offline + expr: ceph_health_detail{name="MDS_ALL_DOWN"} > 0 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.5.3 + severity: critical + type: ceph_default + - alert: CephFilesystemDegraded + annotations: + description: One or more metadata daemons (MDS ranks) are failed or in a damaged + state. At best the filesystem is partially available, at worst the filesystem + is completely unusable. + documentation: https://docs.ceph.com/en/latest/cephfs/health-messages/#fs-degraded + summary: CephFS filesystem is degraded + expr: ceph_health_detail{name="FS_DEGRADED"} > 0 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.5.4 + severity: critical + type: ceph_default + - alert: CephFilesystemMDSRanksLow + annotations: + description: The filesystem's 'max_mds' setting defines the number of MDS + ranks in the filesystem. 
The current number of active MDS daemons is less + than this value. + documentation: https://docs.ceph.com/en/latest/cephfs/health-messages/#mds-up-less-than-max + summary: Ceph MDS daemon count is lower than configured + expr: ceph_health_detail{name="MDS_UP_LESS_THAN_MAX"} > 0 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: CephFilesystemInsufficientStandby + annotations: + description: The minimum number of standby daemons required by standby_count_wanted + is less than the current number of standby daemons. Adjust the standby count + or increase the number of MDS daemons. + documentation: https://docs.ceph.com/en/latest/cephfs/health-messages/#mds-insufficient-standby + summary: Ceph filesystem standby daemons too few + expr: ceph_health_detail{name="MDS_INSUFFICIENT_STANDBY"} > 0 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: CephFilesystemFailureNoStandby + annotations: + description: An MDS daemon has failed, leaving only one active rank and no + available standby. Investigate the cause of the failure or add a standby + MDS. + documentation: https://docs.ceph.com/en/latest/cephfs/health-messages/#fs-with-failed-mds + summary: MDS daemon failed, no further standby available + expr: ceph_health_detail{name="FS_WITH_FAILED_MDS"} > 0 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.5.5 + severity: critical + type: ceph_default + - alert: CephFilesystemReadOnly + annotations: + description: The filesystem has switched to READ ONLY due to an unexpected + error when writing to the metadata pool. Either analyze the output from + the MDS daemon admin socket, or escalate to support. 
+ documentation: https://docs.ceph.com/en/latest/cephfs/health-messages#cephfs-health-messages + summary: CephFS filesystem in read only mode due to write error(s) + expr: ceph_health_detail{name="MDS_HEALTH_READ_ONLY"} > 0 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.5.2 + severity: critical + type: ceph_default + - name: mgr + rules: + - alert: CephMgrModuleCrash + annotations: + description: One or more mgr modules have crashed and have yet to be acknowledged + by an administrator. A crashed module may impact functionality within the + cluster. Use the 'ceph crash' command to determine which module has failed, + and archive it to acknowledge the failure. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#recent-mgr-module-crash + summary: A manager module has recently crashed + expr: ceph_health_detail{name="RECENT_MGR_MODULE_CRASH"} == 1 + for: 5m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.6.1 + severity: critical + type: ceph_default + - alert: CephMgrPrometheusModuleInactive + annotations: + description: The mgr/prometheus module at {{ $labels.instance }} is unreachable. + This could mean that the module has been disabled or the mgr daemon itself + is down. Without the mgr/prometheus module metrics and alerts will no longer + function. Open a shell to an admin node or toolbox pod and use 'ceph -s' + to to determine whether the mgr is active. If the mgr is not active, restart + it, otherwise you can determine module status with 'ceph mgr module ls'. + If it is not listed as enabled, enable it with 'ceph mgr module enable prometheus'. + summary: The mgr/prometheus module is not available + expr: up{job="ceph"} == 0 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.6.2 + severity: critical + type: ceph_default + - name: pgs + rules: + - alert: CephPGsInactive + annotations: + description: '{{ $value }} PGs have been inactive for more than 5 minutes + in pool {{ $labels.name }}. 
Inactive placement groups are not able to serve + read/write requests.' + summary: One or more placement groups are inactive + expr: ceph_pool_metadata * on(pool_id,instance) group_left() (ceph_pg_total + - ceph_pg_active) > 0 + for: 5m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.7.1 + severity: critical + type: ceph_default + - alert: CephPGsUnclean + annotations: + description: '{{ $value }} PGs have been unclean for more than 15 minutes + in pool {{ $labels.name }}. Unclean PGs have not recovered from a previous + failure.' + summary: One or more placement groups are marked unclean + expr: ceph_pool_metadata * on(pool_id,instance) group_left() (ceph_pg_total + - ceph_pg_clean) > 0 + for: 15m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.7.2 + severity: warning + type: ceph_default + - alert: CephPGsDamaged + annotations: + description: During data consistency checks (scrub), at least one PG has been + flagged as being damaged or inconsistent. Check to see which PG is affected, + and attempt a manual repair if necessary. To list problematic placement + groups, use 'rados list-inconsistent-pg '. To repair PGs use the 'ceph + pg repair ' command. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-damaged + summary: Placement group damaged, manual intervention needed + expr: ceph_health_detail{name=~"PG_DAMAGED|OSD_SCRUB_ERRORS"} == 1 + for: 5m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.7.4 + severity: critical + type: ceph_default + - alert: CephPGRecoveryAtRisk + annotations: + description: Data redundancy is at risk since one or more OSDs are at or above + the 'full' threshold. Add more capacity to the cluster, restore down/out + OSDs, or delete unwanted data. 
+ documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-recovery-full + summary: OSDs are too full for recovery + expr: ceph_health_detail{name="PG_RECOVERY_FULL"} == 1 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.7.5 + severity: critical + type: ceph_default + - alert: CephPGUnavailableBlockingIO + annotations: + description: Data availability is reduced, impacting the cluster's ability + to service I/O. One or more placement groups (PGs) are in a state that blocks + I/O. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-availability + summary: PG is unavailable, blocking I/O + expr: ((ceph_health_detail{name="PG_AVAILABILITY"} == 1) - scalar(ceph_health_detail{name="OSD_DOWN"})) + == 1 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.7.3 + severity: critical + type: ceph_default + - alert: CephPGBackfillAtRisk + annotations: + description: Data redundancy may be at risk due to lack of free space within + the cluster. One or more OSDs have reached the 'backfillfull' threshold. + Add more capacity, or delete unwanted data. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-backfill-full + summary: Backfill operations are blocked due to lack of free space + expr: ceph_health_detail{name="PG_BACKFILL_FULL"} == 1 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.7.6 + severity: critical + type: ceph_default + - alert: CephPGNotScrubbed + annotations: + description: 'One or more PGs have not been scrubbed recently. Scrubs check + metadata integrity, protecting against bit-rot. They check that metadata + is consistent across data replicas. When PGs miss their scrub interval, + it may indicate that the scrub window is too small, or PGs were not in a + ''clean'' state during the scrub window. 
You can manually initiate a scrub + with: ceph pg scrub ' + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-not-scrubbed + summary: Placement group(s) have not been scrubbed + expr: ceph_health_detail{name="PG_NOT_SCRUBBED"} == 1 + for: 5m + labels: + severity: warning + type: ceph_default + - alert: CephPGsHighPerOSD + annotations: + description: |- + The number of placement groups per OSD is too high (exceeds the mon_max_pg_per_osd setting). + Check that the pg_autoscaler has not been disabled for any pools with 'ceph osd pool autoscale-status', and that the profile selected is appropriate. You may also adjust the target_size_ratio of a pool to guide the autoscaler based on the expected relative size of the pool ('ceph osd pool set cephfs.cephfs.meta target_size_ratio .1') or set the pg_autoscaler mode to 'warn' and adjust pg_num appropriately for one or more pools. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks/#too-many-pgs + summary: Placement groups per OSD is too high + expr: ceph_health_detail{name="TOO_MANY_PGS"} == 1 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: CephPGNotDeepScrubbed + annotations: + description: One or more PGs have not been deep scrubbed recently. Deep scrubs + protect against bit-rot. They compare data replicas to ensure consistency. + When PGs miss their deep scrub interval, it may indicate that the window + is too small or PGs were not in a 'clean' state during the deep-scrub window. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-not-deep-scrubbed + summary: Placement group(s) have not been deep scrubbed + expr: ceph_health_detail{name="PG_NOT_DEEP_SCRUBBED"} == 1 + for: 5m + labels: + severity: warning + type: ceph_default + - name: nodes + rules: + - alert: CephNodeRootFilesystemFull + annotations: + description: 'Root volume is dangerously full: {{ $value | humanize }}% free.' 
+ summary: Root filesystem is dangerously full + expr: node_filesystem_avail_bytes{mountpoint="/"} / node_filesystem_size_bytes{mountpoint="/"} + * 100 < 5 + for: 5m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.8.1 + severity: critical + type: ceph_default + - alert: CephNodeNetworkPacketDrops + annotations: + description: Node {{ $labels.instance }} experiences packet drop > 0.5% or + > 10 packets/s on interface {{ $labels.device }}. + summary: One or more NICs reports packet drops + expr: | + ( + rate(node_network_receive_drop_total{device!="lo"}[1m]) + + rate(node_network_transmit_drop_total{device!="lo"}[1m]) + ) / ( + rate(node_network_receive_packets_total{device!="lo"}[1m]) + + rate(node_network_transmit_packets_total{device!="lo"}[1m]) + ) >= 0.0050000000000000001 and ( + rate(node_network_receive_drop_total{device!="lo"}[1m]) + + rate(node_network_transmit_drop_total{device!="lo"}[1m]) + ) >= 10 + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.8.2 + severity: warning + type: ceph_default + - alert: CephNodeNetworkPacketErrors + annotations: + description: Node {{ $labels.instance }} experiences packet errors > 0.01% + or > 10 packets/s on interface {{ $labels.device }}. + summary: One or more NICs reports packet errors + expr: | + ( + rate(node_network_receive_errs_total{device!="lo"}[1m]) + + rate(node_network_transmit_errs_total{device!="lo"}[1m]) + ) / ( + rate(node_network_receive_packets_total{device!="lo"}[1m]) + + rate(node_network_transmit_packets_total{device!="lo"}[1m]) + ) >= 0.0001 or ( + rate(node_network_receive_errs_total{device!="lo"}[1m]) + + rate(node_network_transmit_errs_total{device!="lo"}[1m]) + ) >= 10 + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.8.3 + severity: warning + type: ceph_default + - alert: CephNodeNetworkBondDegraded + annotations: + description: Bond {{ $labels.master }} is degraded on Node {{ $labels.instance + }}. 
+ summary: Degraded Bond on Node {{ $labels.instance }} + expr: | + node_bonding_slaves - node_bonding_active != 0 + labels: + severity: warning + type: ceph_default + - alert: CephNodeDiskspaceWarning + annotations: + description: Mountpoint {{ $labels.mountpoint }} on {{ $labels.nodename }} + will be full in less than 5 days based on the 48 hour trailing fill rate. + summary: Host filesystem free space is getting low + expr: predict_linear(node_filesystem_free_bytes{device=~"/.*"}[2d], 3600 * 24 + * 5) *on(instance) group_left(nodename) node_uname_info < 0 + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.8.4 + severity: warning + type: ceph_default + - alert: CephNodeInconsistentMTU + annotations: + description: Node {{ $labels.instance }} has a different MTU size ({{ $value + }}) than the median of devices named {{ $labels.device }}. + summary: MTU settings across Ceph hosts are inconsistent + expr: node_network_mtu_bytes * (node_network_up{device!="lo"} > 0) == scalar( max + by (device) (node_network_mtu_bytes * (node_network_up{device!="lo"} > 0)) + != quantile by (device) (.5, node_network_mtu_bytes * (node_network_up{device!="lo"} + > 0)) )or node_network_mtu_bytes * (node_network_up{device!="lo"} > 0) == scalar( min + by (device) (node_network_mtu_bytes * (node_network_up{device!="lo"} > 0)) + != quantile by (device) (.5, node_network_mtu_bytes * (node_network_up{device!="lo"} + > 0)) ) + labels: + severity: warning + type: ceph_default + - name: pools + rules: + - alert: CephPoolGrowthWarning + annotations: + description: Pool '{{ $labels.name }}' will be full in less than 5 days assuming + the average fill-up rate of the past 48 hours. 
+ summary: Pool growth rate may soon exceed capacity + expr: (predict_linear(ceph_pool_percent_used[2d], 3600 * 24 * 5) * on(pool_id, + instance, pod) group_right() ceph_pool_metadata) >= 95 + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.9.2 + severity: warning + type: ceph_default + - alert: CephPoolBackfillFull + annotations: + description: A pool is approaching the near full threshold, which will prevent + recovery/backfill operations from completing. Consider adding more capacity. + summary: Free space in a pool is too low for recovery/backfill + expr: ceph_health_detail{name="POOL_BACKFILLFULL"} > 0 + labels: + severity: warning + type: ceph_default + - alert: CephPoolFull + annotations: + description: A pool has reached its MAX quota, or OSDs supporting the pool + have reached the FULL threshold. Until this is resolved, writes to the pool + will be blocked. Pool Breakdown (top 5) {{- range query "topk(5, sort_desc(ceph_pool_percent_used + * on(pool_id) group_right ceph_pool_metadata))" }} - {{ .Labels.name }} + at {{ .Value }}% {{- end }} Increase the pool's quota, or add capacity to + the cluster first then increase the pool's quota (e.g. ceph osd pool set + quota max_bytes ) + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pool-full + summary: Pool is full - writes are blocked + expr: ceph_health_detail{name="POOL_FULL"} > 0 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.9.1 + severity: critical + type: ceph_default + - alert: CephPoolNearFull + annotations: + description: A pool has exceeded the warning (percent full) threshold, or + OSDs supporting the pool have reached the NEARFULL threshold. Writes may + continue, but you are at risk of the pool going read-only if more capacity + isn't made available. Determine the affected pool with 'ceph df detail', + looking at QUOTA BYTES and STORED. Increase the pool's quota, or add capacity + to the cluster first then increase the pool's quota (e.g. 
ceph osd pool + set quota max_bytes ). Also ensure that the balancer + is active. + summary: One or more Ceph pools are nearly full + expr: ceph_health_detail{name="POOL_NEAR_FULL"} > 0 + for: 5m + labels: + severity: warning + type: ceph_default + - name: healthchecks + rules: + - alert: CephSlowOps + annotations: + description: '{{ $value }} OSD requests are taking too long to process (osd_op_complaint_time + exceeded)' + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#slow-ops + summary: OSD operations are slow to complete + expr: ceph_healthcheck_slow_ops > 0 + for: 30s + labels: + severity: warning + type: ceph_default + - alert: CephDaemonSlowOps + annotations: + description: '{{ $labels.ceph_daemon }} operations are taking too long to + process (complaint time exceeded)' + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#slow-ops + summary: '{{ $labels.ceph_daemon }} operations are slow to complete' + expr: ceph_daemon_health_metrics{type="SLOW_OPS"} > 0 + for: 30s + labels: + severity: warning + type: ceph_default + - name: hardware + rules: + - alert: HardwareStorageError + annotations: + description: Some storage devices are in error. Check `ceph health detail`. + summary: Storage devices error(s) detected + expr: ceph_health_detail{name="HARDWARE_STORAGE"} > 0 + for: 30s + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.13.1 + severity: critical + type: ceph_default + - alert: HardwareMemoryError + annotations: + description: DIMM error(s) detected. Check `ceph health detail`. + summary: DIMM error(s) detected + expr: ceph_health_detail{name="HARDWARE_MEMORY"} > 0 + for: 30s + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.13.2 + severity: critical + type: ceph_default + - alert: HardwareProcessorError + annotations: + description: Processor error(s) detected. Check `ceph health detail`. 
+ summary: Processor error(s) detected + expr: ceph_health_detail{name="HARDWARE_PROCESSOR"} > 0 + for: 30s + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.13.3 + severity: critical + type: ceph_default + - alert: HardwareNetworkError + annotations: + description: Network error(s) detected. Check `ceph health detail`. + summary: Network error(s) detected + expr: ceph_health_detail{name="HARDWARE_NETWORK"} > 0 + for: 30s + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.13.4 + severity: critical + type: ceph_default + - alert: HardwarePowerError + annotations: + description: Power supply error(s) detected. Check `ceph health detail`. + summary: Power supply error(s) detected + expr: ceph_health_detail{name="HARDWARE_POWER"} > 0 + for: 30s + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.13.5 + severity: critical + type: ceph_default + - alert: HardwareFanError + annotations: + description: Fan error(s) detected. Check `ceph health detail`. + summary: Fan error(s) detected + expr: ceph_health_detail{name="HARDWARE_FANS"} > 0 + for: 30s + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.13.6 + severity: critical + type: ceph_default + - name: PrometheusServer + rules: + - alert: PrometheusJobMissing + annotations: + description: The prometheus job that scrapes from Ceph MGR is no longer defined, + this will effectively mean you'll have no metrics or alerts for the cluster. Please + review the job definitions in the prometheus.yml file of the prometheus + instance. + summary: The scrape job for Ceph MGR is missing from Prometheus + expr: absent(up{job="rook-ceph-mgr"}) + for: 30s + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.12.1 + severity: critical + type: ceph_default + - alert: PrometheusJobExporterMissing + annotations: + description: The prometheus job that scrapes from Ceph Exporter is no longer + defined, this will effectively mean you'll have no metrics or alerts for + the cluster. Please review the job definitions in the prometheus.yml file + of the prometheus instance. 
+ summary: The scrape job for Ceph Exporter is missing from Prometheus + expr: sum(absent(up{job="rook-ceph-exporter"})) and sum(ceph_osd_metadata{ceph_version=~"^ceph + version (1[89]|[2-9][0-9]).*"}) > 0 + for: 30s + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.12.1 + severity: critical + type: ceph_default + - name: rados + rules: + - alert: CephObjectMissing + annotations: + description: The latest version of a RADOS object can not be found, even though + all OSDs are up. I/O requests for this object from clients will block (hang). + Resolving this issue may require the object to be rolled back to a prior + version manually, and manually verified. + documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#object-unfound + summary: Object(s) marked UNFOUND + expr: (ceph_health_detail{name="OBJECT_UNFOUND"} == 1) * on() (count(ceph_osd_up + == 1) == bool count(ceph_osd_metadata)) == 1 + for: 30s + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.10.1 + severity: critical + type: ceph_default + - name: generic + rules: + - alert: CephDaemonCrash + annotations: + description: One or more daemons have crashed recently, and need to be acknowledged. + This notification ensures that software crashes do not go unseen. To acknowledge + a crash, use the 'ceph crash archive ' command. 
+ documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks/#recent-crash + summary: One or more Ceph daemons have crashed, and are pending acknowledgement + expr: ceph_health_detail{name="RECENT_CRASH"} == 1 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.1.2 + severity: critical + type: ceph_default + - name: rbdmirror + rules: + - alert: CephRBDMirrorImagesPerDaemonHigh + annotations: + description: Number of image replications per daemon is not supposed to go + beyond threshold 100 + summary: Number of image replications are now above 100 + expr: sum by (ceph_daemon, namespace) (ceph_rbd_mirror_snapshot_image_snapshots) + > 100 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.10.2 + severity: critical + type: ceph_default + - alert: CephRBDMirrorImagesNotInSync + annotations: + description: Both local and remote RBD mirror images should be in sync. + summary: Some of the RBD mirror images are not in sync with the remote counter + parts. + expr: sum by (ceph_daemon, image, namespace, pool) (topk by (ceph_daemon, image, + namespace, pool) (1, ceph_rbd_mirror_snapshot_image_local_timestamp) - topk + by (ceph_daemon, image, namespace, pool) (1, ceph_rbd_mirror_snapshot_image_remote_timestamp)) + != 0 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.10.3 + severity: critical + type: ceph_default + - alert: CephRBDMirrorImagesNotInSyncVeryHigh + annotations: + description: More than 10% of the images have synchronization problems + summary: Number of unsynchronized images are very high. 
+ expr: count by (ceph_daemon) ((topk by (ceph_daemon, image, namespace, pool) + (1, ceph_rbd_mirror_snapshot_image_local_timestamp) - topk by (ceph_daemon, + image, namespace, pool) (1, ceph_rbd_mirror_snapshot_image_remote_timestamp)) + != 0) > (sum by (ceph_daemon) (ceph_rbd_mirror_snapshot_snapshots)*.1) + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.10.4 + severity: critical + type: ceph_default + - alert: CephRBDMirrorImageTransferBandwidthHigh + annotations: + description: Detected a heavy increase in bandwidth for rbd replications (over + 80%) in the last 30 min. This might not be a problem, but it is good to + review the number of images being replicated simultaneously + summary: The replication network usage has been increased over 80% in the + last 30 minutes. Review the number of images being replicated. This alert + will be cleaned automatically after 30 minutes + expr: rate(ceph_rbd_mirror_journal_replay_bytes[30m]) > 0.80 + for: 1m + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.10.5 + severity: warning + type: ceph_default + - name: nvmeof + rules: + - alert: NVMeoFSubsystemNamespaceLimit + annotations: + description: Subsystems have a max namespace limit defined at creation time. 
+ This alert means that no more namespaces can be added to {{ $labels.nqn + }} + summary: '{{ $labels.nqn }} subsystem has reached its maximum number of namespaces ' + expr: (count by(nqn) (ceph_nvmeof_subsystem_namespace_metadata)) >= ceph_nvmeof_subsystem_namespace_limit + for: 1m + labels: + severity: warning + type: ceph_default + - alert: NVMeoFTooManyGateways + annotations: + description: You may create many gateways, but 4 is the tested limit + summary: 'Max supported gateways exceeded ' + expr: count(ceph_nvmeof_gateway_info) > 4.00 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: NVMeoFMaxGatewayGroupSize + annotations: + description: You may create many gateways in a gateway group, but 2 is the + tested limit + summary: 'Max gateways within a gateway group ({{ $labels.group }}) exceeded ' + expr: count by(group) (ceph_nvmeof_gateway_info) > 2.00 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: NVMeoFSingleGatewayGroup + annotations: + description: Although a single member gateway group is valid, it should only + be used for test purposes + summary: 'The gateway group {{ $labels.group }} consists of a single gateway + - HA is not possible ' + expr: count by(group) (ceph_nvmeof_gateway_info) == 1 + for: 5m + labels: + severity: warning + type: ceph_default + - alert: NVMeoFHighGatewayCPU + annotations: + description: Typically, high CPU may indicate degraded performance. 
Consider + increasing the number of reactor cores + summary: 'CPU used by {{ $labels.instance }} NVMe-oF Gateway is high ' + expr: label_replace(avg by(instance) (rate(ceph_nvmeof_reactor_seconds_total{mode="busy"}[1m])),"instance","$1","instance","(.*):.*") + > 80.00 + for: 10m + labels: + severity: warning + type: ceph_default + - alert: NVMeoFGatewayOpenSecurity + annotations: + description: It is good practice to ensure subsystems use host security to + reduce the risk of unexpected data loss + summary: 'Subsystem {{ $labels.nqn }} has been defined without host level + security ' + expr: ceph_nvmeof_subsystem_metadata{allow_any_host="yes"} + for: 5m + labels: + severity: warning + type: ceph_default + - alert: NVMeoFTooManySubsystems + annotations: + description: Although you may continue to create subsystems in {{ $labels.gateway_host + }}, the configuration may not be supported + summary: 'The number of subsystems defined to the gateway exceeds supported + values ' + expr: count by(gateway_host) (label_replace(ceph_nvmeof_subsystem_metadata,"gateway_host","$1","instance","(.*):.*")) + > 16.00 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: NVMeoFVersionMismatch + annotations: + description: This may indicate an issue with deployment. 
Check cephadm logs + summary: 'The cluster has different NVMe-oF gateway releases active ' + expr: count(count by(version) (ceph_nvmeof_gateway_info)) > 1 + for: 1h + labels: + severity: warning + type: ceph_default + - alert: NVMeoFHighClientCount + annotations: + description: The supported limit for clients connecting to a subsystem is + 32 + summary: 'The number of clients connected to {{ $labels.nqn }} is too high ' + expr: ceph_nvmeof_subsystem_host_count > 32.00 + for: 1m + labels: + severity: warning + type: ceph_default + - alert: NVMeoFHighHostCPU + annotations: + description: High CPU on a gateway host can lead to CPU contention and performance + degradation + summary: 'The CPU is high ({{ $value }}%) on NVMeoF Gateway host ({{ $labels.host + }}) ' + expr: 100-((100*(avg by(host) (label_replace(rate(node_cpu_seconds_total{mode="idle"}[5m]),"host","$1","instance","(.*):.*")) + * on(host) group_right label_replace(ceph_nvmeof_gateway_info,"host","$1","instance","(.*):.*")))) + >= 80.00 + for: 10m + labels: + severity: warning + type: ceph_default + - alert: NVMeoFInterfaceDown + annotations: + description: A NIC used by one or more subsystems is in a down state + summary: 'Network interface {{ $labels.device }} is down ' + expr: ceph_nvmeof_subsystem_listener_iface_info{operstate="down"} + for: 30s + labels: + oid: 1.3.6.1.4.1.50495.1.2.1.14.1 + severity: warning + type: ceph_default + - alert: NVMeoFInterfaceDuplex + annotations: + description: Until this is resolved, performance from the gateway will be + degraded + summary: 'Network interface {{ $labels.device }} is not running in full duplex + mode ' + expr: ceph_nvmeof_subsystem_listener_iface_info{duplex!="full"} + for: 30s + labels: + severity: warning + type: ceph_default + - alert: NVMeoFHighReadLatency + annotations: + description: High latencies may indicate a constraint within the cluster e.g. + CPU, network. 
Please investigate + summary: The average read latency over the last 5 mins has reached 10 ms or + more on {{ $labels.gateway }} + expr: label_replace((avg by(instance) ((rate(ceph_nvmeof_bdev_read_seconds_total[1m]) + / rate(ceph_nvmeof_bdev_reads_completed_total[1m])))),"gateway","$1","instance","(.*):.*") + > 0.01 + for: 5m + labels: + severity: warning + type: ceph_default + - alert: NVMeoFHighWriteLatency + annotations: + description: High latencies may indicate a constraint within the cluster e.g. + CPU, network. Please investigate + summary: The average write latency over the last 5 mins has reached 20 ms + or more on {{ $labels.gateway }} + expr: label_replace((avg by(instance) ((rate(ceph_nvmeof_bdev_write_seconds_total[5m]) + / rate(ceph_nvmeof_bdev_writes_completed_total[5m])))),"gateway","$1","instance","(.*):.*") + > 0.02 + for: 5m + labels: + severity: warning + type: ceph_default +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: rook-ceph-dashboard + namespace: rook-ceph +spec: + ingressClassName: internal-nginx + rules: + - host: rook.brenix.com + http: + paths: + - backend: + service: + name: rook-ceph-mgr-dashboard + port: + name: http-dashboard + path: / + pathType: Prefix diff --git a/deploy/components/rook-ceph-operator/rook-ceph-operator.gen.yaml b/deploy/components/rook-ceph-operator/rook-ceph-operator.gen.yaml new file mode 100644 index 00000000..3249a1e0 --- /dev/null +++ b/deploy/components/rook-ceph-operator/rook-ceph-operator.gen.yaml 
@@ -0,0 +1,16656 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephblockpoolradosnamespaces.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephBlockPoolRadosNamespace + listKind: CephBlockPoolRadosNamespaceList + plural: cephblockpoolradosnamespaces + singular: cephblockpoolradosnamespace + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - description: Name of the Ceph BlockPool + jsonPath: .spec.blockPoolName + name: BlockPool + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CephBlockPoolRadosNamespace represents a Ceph BlockPool Rados + Namespace + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec represents the specification of a Ceph BlockPool Rados + Namespace + properties: + blockPoolName: + description: |- + BlockPoolName is the name of Ceph BlockPool. Typically it's the name of + the CephBlockPool CR. 
+ type: string + x-kubernetes-validations: + - message: blockPoolName is immutable + rule: self == oldSelf + name: + description: The name of the CephBlockPoolRadosNamespaceSpec namespace. + If not set, the default is the name of the CR. + type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + required: + - blockPoolName + type: object + status: + description: Status represents the status of a CephBlockPool Rados Namespace + properties: + info: + additionalProperties: + type: string + nullable: true + type: object + phase: + description: ConditionType represent a resource's status + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephblockpools.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephBlockPool + listKind: CephBlockPoolList + plural: cephblockpools + singular: cephblockpool + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .status.info.type + name: Type + type: string + - jsonPath: .status.info.failureDomain + name: FailureDomain + type: string + - jsonPath: .spec.replicated.size + name: Replication + priority: 1 + type: integer + - jsonPath: .spec.erasureCoded.codingChunks + name: EC-CodingChunks + priority: 1 + type: integer + - jsonPath: .spec.erasureCoded.dataChunks + name: EC-DataChunks + priority: 1 + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CephBlockPool represents a Ceph Storage Pool + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an 
object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + NamedBlockPoolSpec allows a block pool to be created with a non-default name. + This is more specific than the NamedPoolSpec so we get schema validation on the + allowed pool names that can be specified. + properties: + application: + description: The application name to set on the pool. Only expected + to be set for rgw pools. + type: string + compressionMode: + description: |- + DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" + The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) + Do NOT set a default value for kubebuilder as this will override the Parameters + enum: + - none + - passive + - aggressive + - force + - "" + nullable: true + type: string + crushRoot: + description: The root of the crush hierarchy utilized by the pool + nullable: true + type: string + deviceClass: + description: The device class the OSD should set to for use in the + pool + nullable: true + type: string + enableCrushUpdates: + description: Allow rook operator to change the pool CRUSH tunables + once the pool is created + type: boolean + enableRBDStats: + description: EnableRBDStats is used to enable gathering of statistics + for all RBD images in the pool + type: boolean + erasureCoded: + description: The erasure code settings + properties: + algorithm: + description: The 
algorithm for erasure coding + type: string + codingChunks: + description: |- + Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + This is the number of OSDs that can be lost simultaneously before data cannot be recovered. + minimum: 0 + type: integer + dataChunks: + description: |- + Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + The number of chunks required to recover an object when any single OSD is lost is the same + as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. + minimum: 0 + type: integer + required: + - codingChunks + - dataChunks + type: object + failureDomain: + description: 'The failure domain: osd/host/(region or zone if available) + - technically also any type in the crush map' + type: string + mirroring: + description: The mirroring settings + properties: + enabled: + description: Enabled whether this pool is mirrored or not + type: boolean + mode: + description: 'Mode is the mirroring mode: either pool or image' + type: string + peers: + description: Peers represents the peers spec + nullable: true + properties: + secretNames: + description: SecretNames represents the Kubernetes Secret + names to add rbd-mirror or cephfs-mirror peers + items: + type: string + type: array + type: object + snapshotSchedules: + description: SnapshotSchedules is the scheduling of snapshot for + mirrored images/pools + items: + description: SnapshotScheduleSpec represents the snapshot scheduling + settings of a mirrored pool + properties: + interval: + description: Interval represent the periodicity of the snapshot. 
+ type: string + path: + description: Path is the path to snapshot, only valid for + CephFS + type: string + startTime: + description: StartTime indicates when to start the snapshot + type: string + type: object + type: array + type: object + name: + description: The desired name of the pool if different from the CephBlockPool + CR name. + enum: + - .rgw.root + - .nfs + - .mgr + type: string + parameters: + additionalProperties: + type: string + description: Parameters is a list of properties to enable on a given + pool + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + quotas: + description: The quota settings + nullable: true + properties: + maxBytes: + description: |- + MaxBytes represents the quota in bytes + Deprecated in favor of MaxSize + format: int64 + type: integer + maxObjects: + description: MaxObjects represents the quota in objects + format: int64 + type: integer + maxSize: + description: MaxSize represents the quota in bytes as a string + pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ + type: string + type: object + replicated: + description: The replication settings + properties: + hybridStorage: + description: HybridStorage represents hybrid storage tier settings + nullable: true + properties: + primaryDeviceClass: + description: PrimaryDeviceClass represents high performance + tier (for example SSD or NVME) for Primary OSD + minLength: 1 + type: string + secondaryDeviceClass: + description: SecondaryDeviceClass represents low performance + tier (for example HDDs) for remaining OSDs + minLength: 1 + type: string + required: + - primaryDeviceClass + - secondaryDeviceClass + type: object + replicasPerFailureDomain: + description: ReplicasPerFailureDomain the number of replica in + the specified failure domain + minimum: 1 + type: integer + requireSafeReplicaSize: + description: RequireSafeReplicaSize if false allows you to set + replica 1 + type: boolean + size: + description: Size - Number of copies per object in a 
replicated + storage pool, including the object itself (required for replicated + pool type) + minimum: 0 + type: integer + subFailureDomain: + description: SubFailureDomain the name of the sub-failure domain + type: string + targetSizeRatio: + description: TargetSizeRatio gives a hint (%) to Ceph in terms + of expected consumption of the total cluster capacity + type: number + required: + - size + type: object + statusCheck: + description: The mirroring statusCheck + properties: + mirror: + description: HealthCheckSpec represents the health check of an + object store bucket + nullable: true + properties: + disabled: + type: boolean + interval: + description: Interval is the internal in second or minute + for the health check to run like 60s for 60 seconds + type: string + timeout: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: CephBlockPoolStatus represents the mirroring status of Ceph + Storage Pool + properties: + conditions: + items: + description: Condition represents a status condition on any Rook-Ceph + Custom Resource. 
+ properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is a reason for a condition + type: string + status: + type: string + type: + description: ConditionType represent a resource's status + type: string + type: object + type: array + info: + additionalProperties: + type: string + nullable: true + type: object + mirroringInfo: + description: MirroringInfoSpec is the status of the pool mirroring + properties: + details: + type: string + lastChanged: + type: string + lastChecked: + type: string + mode: + description: Mode is the mirroring mode + type: string + peers: + description: Peers are the list of peer sites connected to that + cluster + items: + description: PeersSpec contains peer details + properties: + client_name: + description: ClientName is the CephX user used to connect + to the peer + type: string + direction: + description: Direction is the peer mirroring direction + type: string + mirror_uuid: + description: MirrorUUID is the mirror UUID + type: string + site_name: + description: SiteName is the current site name + type: string + uuid: + description: UUID is the peer UUID + type: string + type: object + type: array + site_name: + description: SiteName is the current site name + type: string + type: object + mirroringStatus: + description: MirroringStatusSpec is the status of the pool mirroring + properties: + details: + description: Details contains potential status errors + type: string + lastChanged: + description: LastChanged is the last time time the status last + changed + type: string + lastChecked: + description: LastChecked is the last time time the status was + checked + type: string + summary: + description: Summary is the mirroring status summary + properties: + daemon_health: + description: DaemonHealth is the health of the mirroring daemon + type: string + health: + description: Health is the 
mirroring health + type: string + image_health: + description: ImageHealth is the health of the mirrored image + type: string + states: + description: States is the various state for all mirrored + images + nullable: true + properties: + error: + description: Error is when the mirroring state is errored + type: integer + replaying: + description: Replaying is when the replay of the mirroring + journal is on-going + type: integer + starting_replay: + description: StartingReplay is when the replay of the + mirroring journal starts + type: integer + stopped: + description: Stopped is when the mirroring state is stopped + type: integer + stopping_replay: + description: StopReplaying is when the replay of the mirroring + journal stops + type: integer + syncing: + description: Syncing is when the image is syncing + type: integer + unknown: + description: Unknown is when the mirroring state is unknown + type: integer + type: object + type: object + type: object + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. 
+ format: int64 + type: integer + phase: + description: ConditionType represent a resource's status + type: string + snapshotScheduleStatus: + description: SnapshotScheduleStatusSpec is the status of the snapshot + schedule + properties: + details: + description: Details contains potential status errors + type: string + lastChanged: + description: LastChanged is the last time time the status last + changed + type: string + lastChecked: + description: LastChecked is the last time time the status was + checked + type: string + snapshotSchedules: + description: SnapshotSchedules is the list of snapshots scheduled + items: + description: SnapshotSchedulesSpec is the list of snapshot scheduled + for images in a pool + properties: + image: + description: Image is the mirrored image + type: string + items: + description: Items is the list schedules times for a given + snapshot + items: + description: SnapshotSchedule is a schedule + properties: + interval: + description: Interval is the interval in which snapshots + will be taken + type: string + start_time: + description: StartTime is the snapshot starting time + type: string + type: object + type: array + namespace: + description: Namespace is the RADOS namespace the image + is part of + type: string + pool: + description: Pool is the pool name + type: string + type: object + nullable: true + type: array + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephbucketnotifications.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephBucketNotification + listKind: CephBucketNotificationList + plural: cephbucketnotifications + singular: cephbucketnotification + scope: Namespaced + versions: + - 
name: v1 + schema: + openAPIV3Schema: + description: CephBucketNotification represents a Bucket Notifications + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BucketNotificationSpec represent the spec of a Bucket Notification + properties: + events: + description: List of events that should trigger the notification + items: + description: BucketNotificationSpec represent the event type of + the bucket notification + enum: + - s3:ObjectCreated:* + - s3:ObjectCreated:Put + - s3:ObjectCreated:Post + - s3:ObjectCreated:Copy + - s3:ObjectCreated:CompleteMultipartUpload + - s3:ObjectRemoved:* + - s3:ObjectRemoved:Delete + - s3:ObjectRemoved:DeleteMarkerCreated + type: string + type: array + filter: + description: Spec of notification filter + properties: + keyFilters: + description: Filters based on the object's key + items: + description: NotificationKeyFilterRule represent a single key + rule in the Notification Filter spec + properties: + name: + description: Name of the filter - prefix/suffix/regex + enum: + - prefix + - suffix + - regex + type: string + value: + description: Value to filter on + type: string + required: + - name + - value + type: object + type: array + metadataFilters: + description: Filters based on the object's metadata + items: + description: 
NotificationFilterRule represent a single rule + in the Notification Filter spec + properties: + name: + description: Name of the metadata or tag + minLength: 1 + type: string + value: + description: Value to filter on + type: string + required: + - name + - value + type: object + type: array + tagFilters: + description: Filters based on the object's tags + items: + description: NotificationFilterRule represent a single rule + in the Notification Filter spec + properties: + name: + description: Name of the metadata or tag + minLength: 1 + type: string + value: + description: Value to filter on + type: string + required: + - name + - value + type: object + type: array + type: object + topic: + description: The name of the topic associated with this notification + minLength: 1 + type: string + required: + - topic + type: object + status: + description: Status represents the status of an object + properties: + conditions: + items: + description: Condition represents a status condition on any Rook-Ceph + Custom Resource. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is a reason for a condition + type: string + status: + type: string + type: + description: ConditionType represent a resource's status + type: string + type: object + type: array + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. 
+ format: int64 + type: integer + phase: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephbuckettopics.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephBucketTopic + listKind: CephBucketTopicList + plural: cephbuckettopics + singular: cephbuckettopic + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CephBucketTopic represents a Ceph Object Topic for Bucket Notifications + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BucketTopicSpec represent the spec of a Bucket Topic + properties: + endpoint: + description: Contains the endpoint spec of the topic + properties: + amqp: + description: Spec of AMQP endpoint + properties: + ackLevel: + default: broker + description: The ack level required for this topic (none/broker/routeable) + enum: + - none + - broker + - routeable + type: string + disableVerifySSL: + description: Indicate whether the server certificate is validated + by the client or not + type: boolean + exchange: + description: Name of the exchange that is used to route messages + based on topics + minLength: 1 + type: string + uri: + description: The URI of the AMQP endpoint to push notification + to + minLength: 1 + type: string + required: + - exchange + - uri + type: object + http: + description: Spec of HTTP endpoint + properties: + disableVerifySSL: + description: Indicate whether the server certificate is validated + by the client or not + type: boolean + sendCloudEvents: + description: 'Send the notifications with the CloudEvents + header: https://github.com/cloudevents/spec/blob/main/cloudevents/adapters/aws-s3.md' + type: boolean + uri: + description: The URI of the HTTP endpoint to push notification + to + minLength: 1 + type: string + required: + - uri + type: object + kafka: + description: Spec of Kafka endpoint + properties: + ackLevel: + default: broker + description: The ack level required for this topic (none/broker) + enum: + - none + - broker + type: string + disableVerifySSL: + description: Indicate whether the server certificate is validated + by the client or not + type: boolean + uri: + description: The URI of the Kafka endpoint to push notification + to + minLength: 1 + type: string + useSSL: + description: Indicate whether to use SSL when communicating + with the broker + type: 
boolean + required: + - uri + type: object + type: object + objectStoreName: + description: The name of the object store on which to define the topic + minLength: 1 + type: string + objectStoreNamespace: + description: The namespace of the object store on which to define + the topic + minLength: 1 + type: string + opaqueData: + description: Data which is sent in each event + type: string + persistent: + description: Indication whether notifications to this endpoint are + persistent or not + type: boolean + required: + - endpoint + - objectStoreName + - objectStoreNamespace + type: object + status: + description: BucketTopicStatus represents the Status of a CephBucketTopic + properties: + ARN: + description: The ARN of the topic generated by the RGW + nullable: true + type: string + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. + format: int64 + type: integer + phase: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephclients.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephClient + listKind: CephClientList + plural: cephclients + singular: cephclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CephClient represents a Ceph Client + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec represents the specification of a Ceph Client + properties: + caps: + additionalProperties: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + - caps + type: object + status: + description: Status represents the status of a Ceph Client + properties: + info: + additionalProperties: + type: string + nullable: true + type: object + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. 
+ format: int64 + type: integer + phase: + description: ConditionType represent a resource's status + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephclusters.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephCluster + listKind: CephClusterList + plural: cephclusters + singular: cephcluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Directory used on the K8s nodes + jsonPath: .spec.dataDirHostPath + name: DataDirHostPath + type: string + - description: Number of MONs + jsonPath: .spec.mon.count + name: MonCount + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.phase + name: Phase + type: string + - description: Message + jsonPath: .status.message + name: Message + type: string + - description: Ceph Health + jsonPath: .status.ceph.health + name: Health + type: string + - jsonPath: .spec.external.enable + name: External + type: boolean + - description: Ceph FSID + jsonPath: .status.ceph.fsid + name: FSID + type: string + name: v1 + schema: + openAPIV3Schema: + description: CephCluster is a Ceph storage cluster + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. 
+ Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ClusterSpec represents the specification of Ceph Cluster + properties: + annotations: + additionalProperties: + additionalProperties: + type: string + description: Annotations are annotations + type: object + description: The annotations-related configuration to add/set on each + Pod related object. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + cephConfig: + additionalProperties: + additionalProperties: + type: string + type: object + description: Ceph Config options + nullable: true + type: object + cephVersion: + description: The version information that instructs Rook to orchestrate + a particular version of Ceph. + nullable: true + properties: + allowUnsupported: + description: Whether to allow unsupported versions (do not set + to true in production) + type: boolean + image: + description: |- + Image is the container image used to launch the ceph daemons, such as quay.io/ceph/ceph: + The full list of images can be found at https://quay.io/repository/ceph/ceph?tab=tags + type: string + imagePullPolicy: + description: |- + ImagePullPolicy describes a policy for if/when to pull a container image + One of Always, Never, IfNotPresent. + enum: + - IfNotPresent + - Always + - Never + - "" + type: string + type: object + cleanupPolicy: + description: |- + Indicates user intent when deleting a cluster; blocks orchestration and should not be set if cluster + deletion is not imminent. 
+ nullable: true + properties: + allowUninstallWithVolumes: + description: AllowUninstallWithVolumes defines whether we can + proceed with the uninstall if they are RBD images still present + type: boolean + confirmation: + description: Confirmation represents the cleanup confirmation + nullable: true + pattern: ^$|^yes-really-destroy-data$ + type: string + sanitizeDisks: + description: SanitizeDisks represents way we sanitize disks + nullable: true + properties: + dataSource: + description: DataSource is the data source to use to sanitize + the disk with + enum: + - zero + - random + type: string + iteration: + description: Iteration is the number of pass to apply the + sanitizing + format: int32 + type: integer + method: + description: Method is the method we use to sanitize disks + enum: + - complete + - quick + type: string + type: object + type: object + continueUpgradeAfterChecksEvenIfNotHealthy: + description: ContinueUpgradeAfterChecksEvenIfNotHealthy defines if + an upgrade should continue even if PGs are not clean + type: boolean + crashCollector: + description: A spec for the crash controller + nullable: true + properties: + daysToRetain: + description: DaysToRetain represents the number of days to retain + crash until they get pruned + type: integer + disable: + description: Disable determines whether we should enable the crash + collector + type: boolean + type: object + csi: + description: CSI Driver Options applied per cluster. + properties: + cephfs: + description: CephFS defines CSI Driver settings for CephFS driver. + properties: + fuseMountOptions: + description: FuseMountOptions defines the mount options for + ceph fuse mounter. + type: string + kernelMountOptions: + description: KernelMountOptions defines the mount options + for kernel mounter. + type: string + type: object + readAffinity: + description: ReadAffinity defines the read affinity settings for + CSI driver. 
+ properties: + crushLocationLabels: + description: |- + CrushLocationLabels defines which node labels to use + as CRUSH location. This should correspond to the values set in + the CRUSH map. + items: + type: string + type: array + enabled: + description: Enables read affinity for CSI driver. + type: boolean + type: object + type: object + dashboard: + description: Dashboard settings + nullable: true + properties: + enabled: + description: Enabled determines whether to enable the dashboard + type: boolean + port: + description: Port is the dashboard webserver port + maximum: 65535 + minimum: 0 + type: integer + prometheusEndpoint: + description: Endpoint for the Prometheus host + type: string + prometheusEndpointSSLVerify: + description: Whether to verify the ssl endpoint for prometheus. + Set to false for a self-signed cert. + type: boolean + ssl: + description: SSL determines whether SSL should be used + type: boolean + urlPrefix: + description: URLPrefix is a prefix for all URLs to use the dashboard + with a reverse proxy + type: string + type: object + dataDirHostPath: + description: The path on the host where config and data can be persisted + pattern: ^/(\S+) + type: string + x-kubernetes-validations: + - message: DataDirHostPath is immutable + rule: self == oldSelf + disruptionManagement: + description: A spec for configuring disruption management. + nullable: true + properties: + machineDisruptionBudgetNamespace: + description: Deprecated. Namespace to look for MDBs by the machineDisruptionBudgetController + type: string + manageMachineDisruptionBudgets: + description: Deprecated. This enables management of machinedisruptionbudgets. + type: boolean + managePodBudgets: + description: This enables management of poddisruptionbudgets + type: boolean + osdMaintenanceTimeout: + description: |- + OSDMaintenanceTimeout sets how many additional minutes the DOWN/OUT interval is for drained failure domains + it only works if managePodBudgets is true. 
+ the default is 30 minutes + format: int64 + type: integer + pgHealthCheckTimeout: + description: |- + PGHealthCheckTimeout is the time (in minutes) that the operator will wait for the placement groups to become + healthy (active+clean) after a drain was completed and OSDs came back up. Rook will continue with the next drain + if the timeout exceeds. It only works if managePodBudgets is true. + No values or 0 means that the operator will wait until the placement groups are healthy before unblocking the next drain. + format: int64 + type: integer + pgHealthyRegex: + description: |- + PgHealthyRegex is the regular expression that is used to determine which PG states should be considered healthy. + The default is `^(active\+clean|active\+clean\+scrubbing|active\+clean\+scrubbing\+deep)$` + type: string + type: object + external: + description: |- + Whether the Ceph Cluster is running external to this Kubernetes cluster + mon, mgr, osd, mds, and discover daemons will not be created for external clusters. 
+ nullable: true + properties: + enable: + description: Enable determines whether external mode is enabled + or not + type: boolean + type: object + x-kubernetes-preserve-unknown-fields: true + healthCheck: + description: Internal daemon healthchecks and liveness probe + nullable: true + properties: + daemonHealth: + description: DaemonHealth is the health check for a given daemon + nullable: true + properties: + mon: + description: Monitor represents the health check settings + for the Ceph monitor + nullable: true + properties: + disabled: + type: boolean + interval: + description: Interval is the internal in second or minute + for the health check to run like 60s for 60 seconds + type: string + timeout: + type: string + type: object + osd: + description: ObjectStorageDaemon represents the health check + settings for the Ceph OSDs + nullable: true + properties: + disabled: + type: boolean + interval: + description: Interval is the internal in second or minute + for the health check to run like 60s for 60 seconds + type: string + timeout: + type: string + type: object + status: + description: Status represents the health check settings for + the Ceph health + nullable: true + properties: + disabled: + type: boolean + interval: + description: Interval is the internal in second or minute + for the health check to run like 60s for 60 seconds + type: string + timeout: + type: string + type: object + type: object + livenessProbe: + additionalProperties: + description: ProbeSpec is a wrapper around Probe so it can be + enabled or disabled for a Ceph daemon + properties: + disabled: + description: Disabled determines whether probe is disable + or not + type: boolean + probe: + description: |- + Probe describes a health check to be performed against a container to determine whether it is + alive or ready to receive traffic. + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. 
+ type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + type: object + description: LivenessProbe allows changing the livenessProbe configuration + for a given daemon + type: object + startupProbe: + additionalProperties: + description: ProbeSpec is a wrapper around Probe so it can be + enabled or disabled for a Ceph daemon + properties: + disabled: + description: Disabled determines whether probe is disable + or not + type: boolean + probe: + description: |- + Probe describes a health check to be performed against a container to determine whether it is + alive or ready to receive traffic. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
+ format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + type: object + description: StartupProbe allows changing the startupProbe configuration + for a given daemon + type: object + type: object + labels: + additionalProperties: + additionalProperties: + type: string + description: Labels are label for a given daemons + type: object + description: The labels-related configuration to add/set on each Pod + related object. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + logCollector: + description: Logging represents loggings settings + nullable: true + properties: + enabled: + description: Enabled represents whether the log collector is enabled + type: boolean + maxLogSize: + anyOf: + - type: integer + - type: string + description: MaxLogSize is the maximum size of the log per ceph + daemons. Must be at least 1M. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + periodicity: + description: Periodicity is the periodicity of the log rotation. 
+ pattern: ^$|^(hourly|daily|weekly|monthly|1h|24h|1d)$ + type: string + type: object + mgr: + description: A spec for mgr related options + nullable: true + properties: + allowMultiplePerNode: + description: AllowMultiplePerNode allows to run multiple managers + on the same node (not recommended) + type: boolean + count: + description: Count is the number of manager daemons to run + maximum: 5 + minimum: 0 + type: integer + modules: + description: Modules is the list of ceph manager modules to enable/disable + items: + description: Module represents mgr modules that the user wants + to enable or disable + properties: + enabled: + description: Enabled determines whether a module should + be enabled or not + type: boolean + name: + description: Name is the name of the ceph manager module + type: string + settings: + description: Settings to further configure the module + properties: + balancerMode: + description: BalancerMode sets the `balancer` module + with different modes like `upmap`, `crush-compact` + etc + enum: + - "" + - crush-compat + - upmap + - read + - upmap-read + type: string + type: object + type: object + nullable: true + type: array + type: object + mon: + description: A spec for mon related options + nullable: true + properties: + allowMultiplePerNode: + description: AllowMultiplePerNode determines if we can run multiple + monitors on the same node (not recommended) + type: boolean + count: + description: Count is the number of Ceph monitors + maximum: 9 + minimum: 0 + type: integer + failureDomainLabel: + type: string + stretchCluster: + description: StretchCluster is the stretch cluster specification + properties: + failureDomainLabel: + description: 'FailureDomainLabel the failure domain name (e,g: + zone)' + type: string + subFailureDomain: + description: SubFailureDomain is the failure domain within + a zone + type: string + zones: + description: Zones is the list of zones + items: + description: MonZoneSpec represents the specification of + a 
zone in a Ceph Cluster + properties: + arbiter: + description: Arbiter determines if the zone contains + the arbiter used for stretch cluster mode + type: boolean + name: + description: Name is the name of the zone + type: string + volumeClaimTemplate: + description: VolumeClaimTemplate is the PVC template + properties: + metadata: + description: |- + Standard object's metadata. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: |- + spec defines the desired characteristics of a volume requested by a pod author. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. 
+ properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. 
+ (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. 
+ type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + nullable: true + type: array + type: object + volumeClaimTemplate: + description: VolumeClaimTemplate is the PVC definition + properties: + metadata: + description: |- + Standard object's metadata. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: |- + spec defines the desired characteristics of a volume requested by a pod author. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. 
+ If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. 
+ (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over volumes to + consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference to the + PersistentVolume backing this claim. 
+ type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + zones: + description: Zones are specified when we want to provide zonal + awareness to mons + items: + description: MonZoneSpec represents the specification of a zone + in a Ceph Cluster + properties: + arbiter: + description: Arbiter determines if the zone contains the + arbiter used for stretch cluster mode + type: boolean + name: + description: Name is the name of the zone + type: string + volumeClaimTemplate: + description: VolumeClaimTemplate is the PVC template + properties: + metadata: + description: |- + Standard object's metadata. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: |- + spec defines the desired characteristics of a volume requested by a pod author. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. 
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. 
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. 
+ More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-validations: + - message: zones must be less than or equal to count + rule: '!has(self.zones) || (has(self.zones) && (size(self.zones) + <= self.count))' + - message: stretchCluster zones must be equal to 3 + rule: '!has(self.stretchCluster) || (has(self.stretchCluster) && + (size(self.stretchCluster.zones) > 0) && (size(self.stretchCluster.zones) + == 3))' + monitoring: + description: Prometheus based Monitoring settings + nullable: true + properties: + enabled: + description: |- + Enabled determines whether to create the prometheus rules for the ceph cluster. If true, the prometheus + types must exist or the creation will fail. Default is false. + type: boolean + exporter: + description: Ceph exporter configuration + properties: + perfCountersPrioLimit: + default: 5 + description: Only performance counters greater than or equal + to this option are fetched + format: int64 + type: integer + statsPeriodSeconds: + default: 5 + description: Time to wait before sending requests again to + exporter server (seconds) + format: int64 + type: integer + type: object + externalMgrEndpoints: + description: ExternalMgrEndpoints points to an existing Ceph prometheus + exporter endpoint + items: + description: EndpointAddress is a tuple that describes single + IP address. 
+ properties: + hostname: + description: The Hostname of this endpoint + type: string + ip: + description: |- + The IP of this endpoint. + May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), + or link-local multicast (224.0.0.0/24 or ff02::/16). + type: string + nodeName: + description: 'Optional: Node hosting this endpoint. This + can be used to determine endpoints local to a node.' + type: string + targetRef: + description: Reference to object providing the endpoint. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + required: + - ip + type: object + x-kubernetes-map-type: atomic + nullable: true + type: array + externalMgrPrometheusPort: + description: ExternalMgrPrometheusPort Prometheus exporter port + maximum: 65535 + minimum: 0 + type: integer + interval: + description: Interval determines prometheus scrape interval + type: string + metricsDisabled: + description: |- + Whether to disable the metrics reported by Ceph. If false, the prometheus mgr module and Ceph exporter are enabled. + If true, the prometheus mgr module and Ceph exporter are both disabled. Default is false. + type: boolean + port: + description: Port is the prometheus server port + maximum: 65535 + minimum: 0 + type: integer + type: object + network: + description: Network related configuration + nullable: true + properties: + addressRanges: + description: |- + AddressRanges specify a list of CIDRs that Rook will apply to Ceph's 'public_network' and/or + 'cluster_network' configurations. This config section may be used for the "host" or "multus" + network providers. + nullable: true + properties: + cluster: + description: Cluster defines a list of CIDRs to use for Ceph + cluster network communication. + items: + description: |- + An IPv4 or IPv6 network CIDR. + + This naive kubebuilder regex provides immediate feedback for some typos and for a common problem + case where the range spec is forgotten (e.g., /24). Rook does in-depth validation in code. + pattern: ^[0-9a-fA-F:.]{2,}\/[0-9]{1,3}$ + type: string + type: array + public: + description: Public defines a list of CIDRs to use for Ceph + public network communication. 
+ items: + description: |- + An IPv4 or IPv6 network CIDR. + + This naive kubebuilder regex provides immediate feedback for some typos and for a common problem + case where the range spec is forgotten (e.g., /24). Rook does in-depth validation in code. + pattern: ^[0-9a-fA-F:.]{2,}\/[0-9]{1,3}$ + type: string + type: array + type: object + connections: + description: |- + Settings for network connections such as compression and encryption across the + wire. + nullable: true + properties: + compression: + description: Compression settings for the network connections. + nullable: true + properties: + enabled: + description: |- + Whether to compress the data in transit across the wire. + The default is not set. + type: boolean + type: object + encryption: + description: Encryption settings for the network connections. + nullable: true + properties: + enabled: + description: |- + Whether to encrypt the data in transit across the wire to prevent eavesdropping + the data on the network. The default is not set. Even if encryption is not enabled, + clients still establish a strong initial authentication for the connection + and data integrity is still validated with a crc check. When encryption is enabled, + all communication between clients and Ceph daemons, or between Ceph daemons will + be encrypted. + type: boolean + type: object + requireMsgr2: + description: |- + Whether to require msgr2 (port 3300) even if compression or encryption are not enabled. + If true, the msgr1 port (6789) will be disabled. + Requires a kernel that supports msgr2 (kernel 5.11 or CentOS 8.4 or newer). + type: boolean + type: object + dualStack: + description: DualStack determines whether Ceph daemons should + listen on both IPv4 and IPv6 + type: boolean + hostNetwork: + description: |- + HostNetwork to enable host network. + If host networking is enabled or disabled on a running cluster, then the operator will automatically fail over all the mons to + apply the new network settings. 
+ type: boolean + ipFamily: + description: IPFamily is the single stack IPv6 or IPv4 protocol + enum: + - IPv4 + - IPv6 + nullable: true + type: string + multiClusterService: + description: Enable multiClusterService to export the Services + between peer clusters + properties: + clusterID: + description: |- + ClusterID uniquely identifies a cluster. It is used as a prefix to nslookup exported + services. For example: ...svc.clusterset.local + type: string + enabled: + description: |- + Enable multiClusterService to export the mon and OSD services to peer cluster. + Ensure that peer clusters are connected using an MCS API compatible application, + like Globalnet Submariner. + type: boolean + type: object + provider: + description: |- + Provider is what provides network connectivity to the cluster e.g. "host" or "multus". + If the Provider is updated from being empty to "host" on a running cluster, then the operator will automatically fail over all the mons to apply the "host" network settings. + enum: + - "" + - host + - multus + nullable: true + type: string + x-kubernetes-validations: + - message: network provider must be disabled (reverted to empty + string) before a new provider is enabled + rule: self == '' || self == oldSelf + selectors: + additionalProperties: + type: string + description: |- + Selectors define NetworkAttachmentDefinitions to be used for Ceph public and/or cluster + networks when the "multus" network provider is used. This config section is not used for + other network providers. + + Valid keys are "public" and "cluster". 
Refer to Ceph networking documentation for more: + https://docs.ceph.com/en/reef/rados/configuration/network-config-ref/ + + Refer to Multus network annotation documentation for help selecting values: + https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/how-to-use.md#run-pod-with-network-annotation + + Rook will make a best-effort attempt to automatically detect CIDR address ranges for given + network attachment definitions. Rook's methods are robust but may be imprecise for + sufficiently complicated networks. Rook's auto-detection process obtains a new IP address + lease for each CephCluster reconcile. If Rook fails to detect, incorrectly detects, only + partially detects, or if underlying networks do not support reusing old IP addresses, it is + best to use the 'addressRanges' config section to specify CIDR ranges for the Ceph cluster. + + As a contrived example, one can use a theoretical Kubernetes-wide network for Ceph client + traffic and a theoretical Rook-only network for Ceph replication traffic as shown: + selectors: + public: "default/cluster-fast-net" + cluster: "rook-ceph/ceph-backend-net" + nullable: true + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-validations: + - message: at least one network selector must be specified when using + multus + rule: '!has(self.provider) || (self.provider != ''multus'' || (self.provider + == ''multus'' && size(self.selectors) > 0))' + - message: the legacy hostNetwork setting can only be set if the network.provider + is set to the empty string + rule: '!has(self.hostNetwork) || self.hostNetwork == false || !has(self.provider) + || self.provider == ""' + placement: + additionalProperties: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + 
type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: 
+ type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: 
string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + 
x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - 
topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + priorityClassNames: + additionalProperties: + type: string + description: PriorityClassNames sets priority classes on components + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + removeOSDsIfOutAndSafeToRemove: + description: Remove the OSD that is out and safe to remove only if + this option is true + type: boolean + resources: + additionalProperties: + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + description: Resources set resource requests and limits + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + security: + description: Security represents security settings + nullable: true + properties: + keyRotation: + description: KeyRotation defines options for Key Rotation. + nullable: true + properties: + enabled: + default: false + description: Enabled represents whether the key rotation is + enabled. + type: boolean + schedule: + description: Schedule represents the cron schedule for key + rotation. 
+ type: string + type: object + kms: + description: KeyManagementService is the main Key Management option + nullable: true + properties: + connectionDetails: + additionalProperties: + type: string + description: ConnectionDetails contains the KMS connection + details (address, port etc) + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + tokenSecretName: + description: TokenSecretName is the kubernetes secret containing + the KMS token + type: string + type: object + type: object + skipUpgradeChecks: + description: SkipUpgradeChecks defines if an upgrade should be forced + even if one of the check fails + type: boolean + storage: + description: A spec for available storage in the cluster and how it + should be used + nullable: true + properties: + allowDeviceClassUpdate: + description: Whether to allow updating the device class after + the OSD is initially provisioned + type: boolean + allowOsdCrushWeightUpdate: + description: |- + Whether Rook will resize the OSD CRUSH weight when the OSD PVC size is increased. + This allows cluster data to be rebalanced to make most effective use of new OSD space. + The default is false since data rebalancing can cause temporary cluster slowdown. + type: boolean + backfillFullRatio: + description: BackfillFullRatio is the ratio at which the cluster + is too full for backfill. Backfill will be disabled if above + this threshold. Default is 0.90. 
+ maximum: 1 + minimum: 0 + nullable: true + type: number + config: + additionalProperties: + type: string + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + deviceFilter: + description: A regular expression to allow more fine-grained selection + of devices on nodes across the cluster + type: string + devicePathFilter: + description: A regular expression to allow more fine-grained selection + of devices with path names + type: string + devices: + description: List of devices to use as storage devices + items: + description: Device represents a disk to use in the cluster + properties: + config: + additionalProperties: + type: string + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + fullpath: + type: string + name: + type: string + type: object + nullable: true + type: array + x-kubernetes-preserve-unknown-fields: true + flappingRestartIntervalHours: + description: |- + FlappingRestartIntervalHours defines the time for which the OSD pods, that failed with zero exit code, will sleep before restarting. + This is needed for OSD flapping where OSD daemons are marked down more than 5 times in 600 seconds by Ceph. + Preventing the OSD pods to restart immediately in such scenarios will prevent Rook from marking OSD as `up` and thus + peering of the PGs mapped to the OSD. + User needs to manually restart the OSD pod if they manage to fix the underlying OSD flapping issue before the restart interval. + The sleep will be disabled if this interval is set to 0. + type: integer + fullRatio: + description: FullRatio is the ratio at which the cluster is considered + full and ceph will stop accepting writes. Default is 0.95. + maximum: 1 + minimum: 0 + nullable: true + type: number + nearFullRatio: + description: NearFullRatio is the ratio at which the cluster is + considered nearly full and will raise a ceph health warning. + Default is 0.85. 
+ maximum: 1 + minimum: 0 + nullable: true + type: number + nodes: + items: + description: Node is a storage nodes + properties: + config: + additionalProperties: + type: string + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + deviceFilter: + description: A regular expression to allow more fine-grained + selection of devices on nodes across the cluster + type: string + devicePathFilter: + description: A regular expression to allow more fine-grained + selection of devices with path names + type: string + devices: + description: List of devices to use as storage devices + items: + description: Device represents a disk to use in the cluster + properties: + config: + additionalProperties: + type: string + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + fullpath: + type: string + name: + type: string + type: object + nullable: true + type: array + x-kubernetes-preserve-unknown-fields: true + name: + type: string + resources: + description: ResourceRequirements describes the compute + resource requirements. + nullable: true + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + useAllDevices: + description: Whether to consume all the storage devices + found on a machine + type: boolean + volumeClaimTemplates: + description: PersistentVolumeClaims to use as storage + items: + description: VolumeClaimTemplate is a simplified version + of K8s corev1's PVC. It has no type meta or status. + properties: + metadata: + description: |- + Standard object's metadata. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: |- + spec defines the desired characteristics of a volume requested by a pod author. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. 
+ type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. 
+ If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. 
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. 
+ type: string + type: object + type: object + type: array + type: object + nullable: true + type: array + onlyApplyOSDPlacement: + type: boolean + scheduleAlways: + description: Whether to always schedule OSDs on a node even if + the node is not currently scheduleable or ready + type: boolean + storageClassDeviceSets: + items: + description: StorageClassDeviceSet is a storage class device + set + properties: + config: + additionalProperties: + type: string + description: Provider-specific device configuration + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + count: + description: Count is the number of devices in this set + minimum: 1 + type: integer + encrypted: + description: Whether to encrypt the deviceSet + type: boolean + name: + description: Name is a unique identifier for the set + type: string + placement: + nullable: true + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + 
x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: 
array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + 
mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + 
topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + portable: + description: Portable represents OSD portability across + the hosts + type: boolean + preparePlacement: + nullable: true + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: 
atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + 
type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + 
podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + 
x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + resources: + description: ResourceRequirements describes the compute + resource requirements. 
+ nullable: true + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + schedulerName: + description: Scheduler name for OSD pod placement + type: string + tuneDeviceClass: + description: TuneSlowDeviceClass Tune the OSD when running + on a slow Device Class + type: boolean + tuneFastDeviceClass: + description: TuneFastDeviceClass Tune the OSD when running + on a fast Device Class + type: boolean + volumeClaimTemplates: + description: VolumeClaimTemplates is a list of PVC templates + for the underlying storage devices + items: + description: VolumeClaimTemplate is a simplified version + of K8s corev1's PVC. It has no type meta or status. + properties: + metadata: + description: |- + Standard object's metadata. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + properties: + annotations: + additionalProperties: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: |- + spec defines the desired characteristics of a volume requested by a pod author. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. 
For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
+ type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. 
+ If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + type: object + type: array + required: + - count + - name + - volumeClaimTemplates + type: object + nullable: true + type: array + store: + description: OSDStore is the backend storage type used for creating + the OSDs + properties: + type: + description: Type of backend storage to be used while creating + OSDs. If empty, then bluestore will be used + enum: + - bluestore + - bluestore-rdr + type: string + updateStore: + description: |- + UpdateStore updates the backend store for existing OSDs. It destroys each OSD one at a time, cleans up the backing disk + and prepares same OSD on that disk + pattern: ^$|^yes-really-update-store$ + type: string + type: object + useAllDevices: + description: Whether to consume all the storage devices found + on a machine + type: boolean + useAllNodes: + type: boolean + volumeClaimTemplates: + description: PersistentVolumeClaims to use as storage + items: + description: VolumeClaimTemplate is a simplified version of + K8s corev1's PVC. It has no type meta or status. + properties: + metadata: + description: |- + Standard object's metadata. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: |- + spec defines the desired characteristics of a volume requested by a pod author. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. 
+ type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. 
+ If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. 
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference to + the PersistentVolume backing this claim. + type: string + type: object + type: object + type: array + type: object + upgradeOSDRequiresHealthyPGs: + description: |- + UpgradeOSDRequiresHealthyPGs defines if OSD upgrade requires PGs are clean. If set to `true` OSD upgrade process won't start until PGs are healthy. + This configuration will be ignored if `skipUpgradeChecks` is `true`. + Default is false. 
+ type: boolean + waitTimeoutForHealthyOSDInMinutes: + description: |- + WaitTimeoutForHealthyOSDInMinutes defines the time the operator would wait before an OSD can be stopped for upgrade or restart. + If the timeout exceeds and OSD is not ok to stop, then the operator would skip upgrade for the current OSD and proceed with the next one + if `continueUpgradeAfterChecksEvenIfNotHealthy` is `false`. If `continueUpgradeAfterChecksEvenIfNotHealthy` is `true`, then operator would + continue with the upgrade of an OSD even if its not ok to stop after the timeout. This timeout won't be applied if `skipUpgradeChecks` is `true`. + The default wait timeout is 10 minutes. + format: int64 + type: integer + type: object + status: + description: ClusterStatus represents the status of a Ceph cluster + nullable: true + properties: + ceph: + description: CephStatus is the details health of a Ceph Cluster + properties: + capacity: + description: Capacity is the capacity information of a Ceph Cluster + properties: + bytesAvailable: + format: int64 + type: integer + bytesTotal: + format: int64 + type: integer + bytesUsed: + format: int64 + type: integer + lastUpdated: + type: string + type: object + details: + additionalProperties: + description: CephHealthMessage represents the health message + of a Ceph Cluster + properties: + message: + type: string + severity: + type: string + required: + - message + - severity + type: object + type: object + fsid: + type: string + health: + type: string + lastChanged: + type: string + lastChecked: + type: string + previousHealth: + type: string + versions: + description: CephDaemonsVersions show the current ceph version + for different ceph daemons + properties: + cephfs-mirror: + additionalProperties: + type: integer + description: CephFSMirror shows CephFSMirror Ceph version + type: object + mds: + additionalProperties: + type: integer + description: Mds shows Mds Ceph version + type: object + mgr: + additionalProperties: + type: integer + 
description: Mgr shows Mgr Ceph version + type: object + mon: + additionalProperties: + type: integer + description: Mon shows Mon Ceph version + type: object + osd: + additionalProperties: + type: integer + description: Osd shows Osd Ceph version + type: object + overall: + additionalProperties: + type: integer + description: Overall shows overall Ceph version + type: object + rbd-mirror: + additionalProperties: + type: integer + description: RbdMirror shows RbdMirror Ceph version + type: object + rgw: + additionalProperties: + type: integer + description: Rgw shows Rgw Ceph version + type: object + type: object + type: object + conditions: + items: + description: Condition represents a status condition on any Rook-Ceph + Custom Resource. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is a reason for a condition + type: string + status: + type: string + type: + description: ConditionType represent a resource's status + type: string + type: object + type: array + message: + type: string + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. 
+ format: int64 + type: integer + phase: + description: ConditionType represent a resource's status + type: string + state: + description: ClusterState represents the state of a Ceph Cluster + type: string + storage: + description: CephStorage represents flavors of Ceph Cluster Storage + properties: + deprecatedOSDs: + additionalProperties: + items: + type: integer + type: array + type: object + deviceClasses: + items: + description: DeviceClasses represents device classes of a Ceph + Cluster + properties: + name: + type: string + type: object + type: array + osd: + description: OSDStatus represents OSD status of the ceph Cluster + properties: + storeType: + additionalProperties: + type: integer + description: StoreType is a mapping between the OSD backend + stores and number of OSDs using these stores + type: object + type: object + type: object + version: + description: ClusterVersion represents the version of a Ceph Cluster + properties: + image: + type: string + version: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephcosidrivers.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephCOSIDriver + listKind: CephCOSIDriverList + plural: cephcosidrivers + shortNames: + - cephcosi + singular: cephcosidriver + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: CephCOSIDriver represents the CRD for the Ceph COSI Driver Deployment + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec represents the specification of a Ceph COSI Driver + properties: + deploymentStrategy: + description: DeploymentStrategy is the strategy to use to deploy the + COSI driver. + enum: + - Never + - Auto + - Always + type: string + image: + description: Image is the container image to run the Ceph COSI driver + type: string + objectProvisionerImage: + description: ObjectProvisionerImage is the container image to run + the COSI driver sidecar + type: string + placement: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + 
properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object 
+ weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + 
x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + 
x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + resources: + description: Resources is the resource requirements for the COSI driver + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. 
It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephfilesystemmirrors.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephFilesystemMirror + listKind: CephFilesystemMirrorList + plural: cephfilesystemmirrors + singular: cephfilesystemmirror + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CephFilesystemMirror is the Ceph Filesystem Mirror object definition + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FilesystemMirroringSpec is the filesystem mirroring specification + properties: + annotations: + additionalProperties: + type: string + description: The annotations-related configuration to add/set on each + Pod related object. 
+ nullable: true + type: object + labels: + additionalProperties: + type: string + description: The labels-related configuration to add/set on each Pod + related object. + nullable: true + type: object + placement: + nullable: true + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + 
preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: 
atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + 
type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + 
- key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + priorityClassName: + description: PriorityClassName sets priority class on the cephfs-mirror + pods + type: string + resources: + description: The resource requirements for the cephfs-mirror pods + nullable: true + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + type: object + status: + description: Status represents the status of an object + properties: + conditions: + items: + description: Condition represents a status condition on any Rook-Ceph + Custom Resource. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is a reason for a condition + type: string + status: + type: string + type: + description: ConditionType represent a resource's status + type: string + type: object + type: array + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. 
+ format: int64 + type: integer + phase: + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephfilesystems.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephFilesystem + listKind: CephFilesystemList + plural: cephfilesystems + singular: cephfilesystem + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Number of desired active MDS daemons + jsonPath: .spec.metadataServer.activeCount + name: ActiveMDS + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.phase + name: Phase + type: string + name: v1 + schema: + openAPIV3Schema: + description: CephFilesystem represents a Ceph Filesystem + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FilesystemSpec represents the spec of a file system + properties: + dataPools: + description: The data pool settings, with optional predefined pool + name. 
+ items: + description: NamedPoolSpec represents the named ceph pool spec + properties: + application: + description: The application name to set on the pool. Only expected + to be set for rgw pools. + type: string + compressionMode: + description: |- + DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" + The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) + Do NOT set a default value for kubebuilder as this will override the Parameters + enum: + - none + - passive + - aggressive + - force + - "" + nullable: true + type: string + crushRoot: + description: The root of the crush hierarchy utilized by the + pool + nullable: true + type: string + deviceClass: + description: The device class the OSD should set to for use + in the pool + nullable: true + type: string + enableCrushUpdates: + description: Allow rook operator to change the pool CRUSH tunables + once the pool is created + type: boolean + enableRBDStats: + description: EnableRBDStats is used to enable gathering of statistics + for all RBD images in the pool + type: boolean + erasureCoded: + description: The erasure code settings + properties: + algorithm: + description: The algorithm for erasure coding + type: string + codingChunks: + description: |- + Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + This is the number of OSDs that can be lost simultaneously before data cannot be recovered. + minimum: 0 + type: integer + dataChunks: + description: |- + Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + The number of chunks required to recover an object when any single OSD is lost is the same + as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. 
+ minimum: 0 + type: integer + required: + - codingChunks + - dataChunks + type: object + failureDomain: + description: 'The failure domain: osd/host/(region or zone if + available) - technically also any type in the crush map' + type: string + mirroring: + description: The mirroring settings + properties: + enabled: + description: Enabled whether this pool is mirrored or not + type: boolean + mode: + description: 'Mode is the mirroring mode: either pool or + image' + type: string + peers: + description: Peers represents the peers spec + nullable: true + properties: + secretNames: + description: SecretNames represents the Kubernetes Secret + names to add rbd-mirror or cephfs-mirror peers + items: + type: string + type: array + type: object + snapshotSchedules: + description: SnapshotSchedules is the scheduling of snapshot + for mirrored images/pools + items: + description: SnapshotScheduleSpec represents the snapshot + scheduling settings of a mirrored pool + properties: + interval: + description: Interval represent the periodicity of + the snapshot. 
+ type: string + path: + description: Path is the path to snapshot, only valid + for CephFS + type: string + startTime: + description: StartTime indicates when to start the + snapshot + type: string + type: object + type: array + type: object + name: + description: Name of the pool + type: string + parameters: + additionalProperties: + type: string + description: Parameters is a list of properties to enable on + a given pool + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + quotas: + description: The quota settings + nullable: true + properties: + maxBytes: + description: |- + MaxBytes represents the quota in bytes + Deprecated in favor of MaxSize + format: int64 + type: integer + maxObjects: + description: MaxObjects represents the quota in objects + format: int64 + type: integer + maxSize: + description: MaxSize represents the quota in bytes as a + string + pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ + type: string + type: object + replicated: + description: The replication settings + properties: + hybridStorage: + description: HybridStorage represents hybrid storage tier + settings + nullable: true + properties: + primaryDeviceClass: + description: PrimaryDeviceClass represents high performance + tier (for example SSD or NVME) for Primary OSD + minLength: 1 + type: string + secondaryDeviceClass: + description: SecondaryDeviceClass represents low performance + tier (for example HDDs) for remaining OSDs + minLength: 1 + type: string + required: + - primaryDeviceClass + - secondaryDeviceClass + type: object + replicasPerFailureDomain: + description: ReplicasPerFailureDomain the number of replica + in the specified failure domain + minimum: 1 + type: integer + requireSafeReplicaSize: + description: RequireSafeReplicaSize if false allows you + to set replica 1 + type: boolean + size: + description: Size - Number of copies per object in a replicated + storage pool, including the object itself (required for + replicated pool type) + 
minimum: 0 + type: integer + subFailureDomain: + description: SubFailureDomain the name of the sub-failure + domain + type: string + targetSizeRatio: + description: TargetSizeRatio gives a hint (%) to Ceph in + terms of expected consumption of the total cluster capacity + type: number + required: + - size + type: object + statusCheck: + description: The mirroring statusCheck + properties: + mirror: + description: HealthCheckSpec represents the health check + of an object store bucket + nullable: true + properties: + disabled: + type: boolean + interval: + description: Interval is the internal in second or minute + for the health check to run like 60s for 60 seconds + type: string + timeout: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + nullable: true + type: array + metadataPool: + description: The metadata pool settings + nullable: true + properties: + application: + description: The application name to set on the pool. Only expected + to be set for rgw pools. 
+ type: string + compressionMode: + description: |- + DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" + The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) + Do NOT set a default value for kubebuilder as this will override the Parameters + enum: + - none + - passive + - aggressive + - force + - "" + nullable: true + type: string + crushRoot: + description: The root of the crush hierarchy utilized by the pool + nullable: true + type: string + deviceClass: + description: The device class the OSD should set to for use in + the pool + nullable: true + type: string + enableCrushUpdates: + description: Allow rook operator to change the pool CRUSH tunables + once the pool is created + type: boolean + enableRBDStats: + description: EnableRBDStats is used to enable gathering of statistics + for all RBD images in the pool + type: boolean + erasureCoded: + description: The erasure code settings + properties: + algorithm: + description: The algorithm for erasure coding + type: string + codingChunks: + description: |- + Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + This is the number of OSDs that can be lost simultaneously before data cannot be recovered. + minimum: 0 + type: integer + dataChunks: + description: |- + Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + The number of chunks required to recover an object when any single OSD is lost is the same + as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. 
+ minimum: 0 + type: integer + required: + - codingChunks + - dataChunks + type: object + failureDomain: + description: 'The failure domain: osd/host/(region or zone if + available) - technically also any type in the crush map' + type: string + mirroring: + description: The mirroring settings + properties: + enabled: + description: Enabled whether this pool is mirrored or not + type: boolean + mode: + description: 'Mode is the mirroring mode: either pool or image' + type: string + peers: + description: Peers represents the peers spec + nullable: true + properties: + secretNames: + description: SecretNames represents the Kubernetes Secret + names to add rbd-mirror or cephfs-mirror peers + items: + type: string + type: array + type: object + snapshotSchedules: + description: SnapshotSchedules is the scheduling of snapshot + for mirrored images/pools + items: + description: SnapshotScheduleSpec represents the snapshot + scheduling settings of a mirrored pool + properties: + interval: + description: Interval represent the periodicity of the + snapshot. 
+ type: string + path: + description: Path is the path to snapshot, only valid + for CephFS + type: string + startTime: + description: StartTime indicates when to start the snapshot + type: string + type: object + type: array + type: object + name: + description: Name of the pool + type: string + parameters: + additionalProperties: + type: string + description: Parameters is a list of properties to enable on a + given pool + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + quotas: + description: The quota settings + nullable: true + properties: + maxBytes: + description: |- + MaxBytes represents the quota in bytes + Deprecated in favor of MaxSize + format: int64 + type: integer + maxObjects: + description: MaxObjects represents the quota in objects + format: int64 + type: integer + maxSize: + description: MaxSize represents the quota in bytes as a string + pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ + type: string + type: object + replicated: + description: The replication settings + properties: + hybridStorage: + description: HybridStorage represents hybrid storage tier + settings + nullable: true + properties: + primaryDeviceClass: + description: PrimaryDeviceClass represents high performance + tier (for example SSD or NVME) for Primary OSD + minLength: 1 + type: string + secondaryDeviceClass: + description: SecondaryDeviceClass represents low performance + tier (for example HDDs) for remaining OSDs + minLength: 1 + type: string + required: + - primaryDeviceClass + - secondaryDeviceClass + type: object + replicasPerFailureDomain: + description: ReplicasPerFailureDomain the number of replica + in the specified failure domain + minimum: 1 + type: integer + requireSafeReplicaSize: + description: RequireSafeReplicaSize if false allows you to + set replica 1 + type: boolean + size: + description: Size - Number of copies per object in a replicated + storage pool, including the object itself (required for + replicated pool type) + 
minimum: 0 + type: integer + subFailureDomain: + description: SubFailureDomain the name of the sub-failure + domain + type: string + targetSizeRatio: + description: TargetSizeRatio gives a hint (%) to Ceph in terms + of expected consumption of the total cluster capacity + type: number + required: + - size + type: object + statusCheck: + description: The mirroring statusCheck + properties: + mirror: + description: HealthCheckSpec represents the health check of + an object store bucket + nullable: true + properties: + disabled: + type: boolean + interval: + description: Interval is the internal in second or minute + for the health check to run like 60s for 60 seconds + type: string + timeout: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + metadataServer: + description: The mds pod info + properties: + activeCount: + description: The number of metadata servers that are active. The + remaining servers in the cluster will be in standby mode. + format: int32 + maximum: 50 + minimum: 1 + type: integer + activeStandby: + description: |- + Whether each active MDS instance will have an active standby with a warm metadata cache for faster failover. + If false, standbys will still be available, but will not have a warm metadata cache. + type: boolean + annotations: + additionalProperties: + type: string + description: The annotations-related configuration to add/set + on each Pod related object. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + labels: + additionalProperties: + type: string + description: The labels-related configuration to add/set on each + Pod related object. 
+ nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + livenessProbe: + description: ProbeSpec is a wrapper around Probe so it can be + enabled or disabled for a Ceph daemon + properties: + disabled: + description: Disabled determines whether probe is disable + or not + type: boolean + probe: + description: |- + Probe describes a health check to be performed against a container to determine whether it is + alive or ready to receive traffic. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. 
You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a + TCP port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + type: object + placement: + nullable: true + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: 
string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + 
operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string 
+ values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tolerations: + items: + properties: + effect: + type: string + key: + type: string + 
operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + priorityClassName: + description: PriorityClassName sets priority classes on components + type: string + resources: + description: The resource requirements for the mds pods + nullable: true + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. 
+ If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + startupProbe: + description: ProbeSpec is a wrapper around Probe so it can be + enabled or disabled for a Ceph daemon + properties: + disabled: + description: Disabled determines whether probe is disable + or not + type: boolean + probe: + description: |- + Probe describes a health check to be performed against a container to determine whether it is + alive or ready to receive traffic. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a + TCP port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + type: object + required: + - activeCount + type: object + mirroring: + description: The mirroring settings + nullable: true + properties: + enabled: + description: Enabled whether this filesystem is mirrored or not + type: boolean + peers: + description: Peers represents the peers spec + nullable: true + properties: + secretNames: + description: SecretNames represents the Kubernetes Secret + names to add rbd-mirror or cephfs-mirror peers + items: + type: string + type: array + type: object + snapshotRetention: + description: |- + Retention is the retention policy for a snapshot schedule + One path has exactly one retention policy. + A policy can however contain multiple count-time period pairs in order to specify complex retention policies + items: + description: SnapshotScheduleRetentionSpec is a retention policy + properties: + duration: + description: Duration represents the retention duration + for a snapshot + type: string + path: + description: Path is the path to snapshot + type: string + type: object + type: array + snapshotSchedules: + description: SnapshotSchedules is the scheduling of snapshot for + mirrored filesystems + items: + description: SnapshotScheduleSpec represents the snapshot scheduling + settings of a mirrored pool + properties: + interval: + description: Interval represent the periodicity of the snapshot. + type: string + path: + description: Path is the path to snapshot, only valid for + CephFS + type: string + startTime: + description: StartTime indicates when to start the snapshot + type: string + type: object + type: array + type: object + preserveFilesystemOnDelete: + description: Preserve the fs in the cluster on CephFilesystem CR deletion. + Setting this to true automatically implies PreservePoolsOnDelete + is true. 
+ type: boolean + preservePoolNames: + description: Preserve pool names as specified + type: boolean + preservePoolsOnDelete: + description: Preserve pools on filesystem deletion + type: boolean + statusCheck: + description: The mirroring statusCheck + properties: + mirror: + description: HealthCheckSpec represents the health check of an + object store bucket + nullable: true + properties: + disabled: + type: boolean + interval: + description: Interval is the internal in second or minute + for the health check to run like 60s for 60 seconds + type: string + timeout: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - dataPools + - metadataPool + - metadataServer + type: object + status: + description: CephFilesystemStatus represents the status of a Ceph Filesystem + properties: + conditions: + items: + description: Condition represents a status condition on any Rook-Ceph + Custom Resource. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is a reason for a condition + type: string + status: + type: string + type: + description: ConditionType represent a resource's status + type: string + type: object + type: array + info: + additionalProperties: + type: string + description: Use only info and put mirroringStatus in it? 
+ nullable: true + type: object + mirroringStatus: + description: MirroringStatus is the filesystem mirroring status + properties: + daemonsStatus: + description: PoolMirroringStatus is the mirroring status of a + filesystem + items: + description: FilesystemMirrorInfoSpec is the filesystem mirror + status of a given filesystem + properties: + daemon_id: + description: DaemonID is the cephfs-mirror name + type: integer + filesystems: + description: Filesystems is the list of filesystems managed + by a given cephfs-mirror daemon + items: + description: FilesystemsSpec is spec for the mirrored + filesystem + properties: + directory_count: + description: DirectoryCount is the number of directories + in the filesystem + type: integer + filesystem_id: + description: FilesystemID is the filesystem identifier + type: integer + name: + description: Name is name of the filesystem + type: string + peers: + description: Peers represents the mirroring peers + items: + description: FilesystemMirrorInfoPeerSpec is the + specification of a filesystem peer mirror + properties: + remote: + description: Remote are the remote cluster information + properties: + client_name: + description: ClientName is cephx name + type: string + cluster_name: + description: ClusterName is the name of + the cluster + type: string + fs_name: + description: FsName is the filesystem name + type: string + type: object + stats: + description: Stats are the stat a peer mirror + properties: + failure_count: + description: FailureCount is the number + of mirroring failure + type: integer + recovery_count: + description: RecoveryCount is the number + of recovery attempted after failures + type: integer + type: object + uuid: + description: UUID is the peer unique identifier + type: string + type: object + type: array + type: object + type: array + type: object + nullable: true + type: array + details: + description: Details contains potential status errors + type: string + lastChanged: + description: 
LastChanged is the last time time the status last + changed + type: string + lastChecked: + description: LastChecked is the last time time the status was + checked + type: string + type: object + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. + format: int64 + type: integer + phase: + description: ConditionType represent a resource's status + type: string + snapshotScheduleStatus: + description: FilesystemSnapshotScheduleStatusSpec is the status of + the snapshot schedule + properties: + details: + description: Details contains potential status errors + type: string + lastChanged: + description: LastChanged is the last time time the status last + changed + type: string + lastChecked: + description: LastChecked is the last time time the status was + checked + type: string + snapshotSchedules: + description: SnapshotSchedules is the list of snapshots scheduled + items: + description: FilesystemSnapshotSchedulesSpec is the list of + snapshot scheduled for images in a pool + properties: + fs: + description: Fs is the name of the Ceph Filesystem + type: string + path: + description: Path is the path on the filesystem + type: string + rel_path: + type: string + retention: + description: FilesystemSnapshotScheduleStatusRetention is + the retention specification for a filesystem snapshot + schedule + properties: + active: + description: Active is whether the scheduled is active + or not + type: boolean + created: + description: Created is when the snapshot schedule was + created + type: string + created_count: + description: CreatedCount is total amount of snapshots + type: integer + first: + description: First is when the first snapshot schedule + was taken + type: string + last: + description: Last is when the last snapshot schedule + was taken + type: string + last_pruned: + description: LastPruned is when the last snapshot schedule + was pruned + type: string + pruned_count: + description: PrunedCount is 
total amount of pruned snapshots + type: integer + start: + description: Start is when the snapshot schedule starts + type: string + type: object + schedule: + type: string + subvol: + description: Subvol is the name of the sub volume + type: string + type: object + nullable: true + type: array + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephfilesystemsubvolumegroups.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephFilesystemSubVolumeGroup + listKind: CephFilesystemSubVolumeGroupList + plural: cephfilesystemsubvolumegroups + singular: cephfilesystemsubvolumegroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - description: Name of the CephFileSystem + jsonPath: .spec.filesystemName + name: Filesystem + type: string + - jsonPath: .spec.quota + name: Quota + type: string + - jsonPath: .status.info.pinning + name: Pinning + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CephFilesystemSubVolumeGroup represents a Ceph Filesystem SubVolumeGroup + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec represents the specification of a Ceph Filesystem SubVolumeGroup + properties: + dataPoolName: + description: The data pool name for the Ceph Filesystem subvolume + group layout, if the default CephFS pool is not desired. + type: string + filesystemName: + description: |- + FilesystemName is the name of Ceph Filesystem SubVolumeGroup volume name. Typically it's the name of + the CephFilesystem CR. If not coming from the CephFilesystem CR, it can be retrieved from the + list of Ceph Filesystem volumes with `ceph fs volume ls`. To learn more about Ceph Filesystem + abstractions see https://docs.ceph.com/en/latest/cephfs/fs-volumes/#fs-volumes-and-subvolumes + type: string + x-kubernetes-validations: + - message: filesystemName is immutable + rule: self == oldSelf + name: + description: The name of the subvolume group. If not set, the default + is the name of the subvolumeGroup CR. 
+ type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + pinning: + description: |- + Pinning configuration of CephFilesystemSubVolumeGroup, + reference https://docs.ceph.com/en/latest/cephfs/fs-volumes/#pinning-subvolumes-and-subvolume-groups + only one out of (export, distributed, random) can be set at a time + properties: + distributed: + maximum: 1 + minimum: 0 + nullable: true + type: integer + export: + maximum: 256 + minimum: -1 + nullable: true + type: integer + random: + maximum: 1 + minimum: 0 + nullable: true + type: number + type: object + x-kubernetes-validations: + - message: only one pinning type should be set + rule: (has(self.export) && !has(self.distributed) && !has(self.random)) + || (!has(self.export) && has(self.distributed) && !has(self.random)) + || (!has(self.export) && !has(self.distributed) && has(self.random)) + || (!has(self.export) && !has(self.distributed) && !has(self.random)) + quota: + anyOf: + - type: integer + - type: string + description: Quota size of the Ceph Filesystem subvolume group. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - filesystemName + type: object + status: + description: Status represents the status of a CephFilesystem SubvolumeGroup + properties: + info: + additionalProperties: + type: string + nullable: true + type: object + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. 
+ format: int64 + type: integer + phase: + description: ConditionType represent a resource's status + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephnfses.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephNFS + listKind: CephNFSList + plural: cephnfses + shortNames: + - nfs + singular: cephnfs + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: CephNFS represents a Ceph NFS + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: NFSGaneshaSpec represents the spec of an nfs ganesha server + properties: + rados: + description: RADOS is the Ganesha RADOS specification + nullable: true + properties: + namespace: + description: |- + The namespace inside the Ceph pool (set by 'pool') where shared NFS-Ganesha config is stored. + This setting is deprecated as it is internally set to the name of the CephNFS. 
+ type: string + pool: + description: |- + The Ceph pool used store the shared configuration for NFS-Ganesha daemons. + This setting is deprecated, as it is internally required to be ".nfs". + type: string + type: object + security: + description: Security allows specifying security configurations for + the NFS cluster + nullable: true + properties: + kerberos: + description: Kerberos configures NFS-Ganesha to secure NFS client + connections with Kerberos. + nullable: true + properties: + configFiles: + description: |- + ConfigFiles defines where the Kerberos configuration should be sourced from. Config files + will be placed into the `/etc/krb5.conf.rook/` directory. + + If this is left empty, Rook will not add any files. This allows you to manage the files + yourself however you wish. For example, you may build them into your custom Ceph container + image or use the Vault agent injector to securely add the files via annotations on the + CephNFS spec (passed to the NFS server pods). + + Rook configures Kerberos to log to stderr. We suggest removing logging sections from config + files to avoid consuming unnecessary disk space from logging to files. 
+ properties: + volumeSource: + properties: + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + 
x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + type: object + type: object + domainName: + description: DomainName should be set to the Kerberos Realm. + type: string + keytabFile: + description: |- + KeytabFile defines where the Kerberos keytab should be sourced from. 
The keytab file will be + placed into `/etc/krb5.keytab`. If this is left empty, Rook will not add the file. + This allows you to manage the `krb5.keytab` file yourself however you wish. For example, you + may build it into your custom Ceph container image or use the Vault agent injector to + securely add the file via annotations on the CephNFS spec (passed to the NFS server pods). + properties: + volumeSource: + properties: + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + 
type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + 
x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + type: object + type: object + principalName: + default: nfs + description: |- + PrincipalName corresponds directly to NFS-Ganesha's NFS_KRB5:PrincipalName config. In + practice, this is the service prefix of the principal name. The default is "nfs". + This value is combined with (a) the namespace and name of the CephNFS (with a hyphen between) + and (b) the Realm configured in the user-provided krb5.conf to determine the full principal + name: /-@. e.g., nfs/rook-ceph-my-nfs@example.net. + See https://github.com/nfs-ganesha/nfs-ganesha/wiki/RPCSEC_GSS for more detail. + type: string + type: object + sssd: + description: |- + SSSD enables integration with System Security Services Daemon (SSSD). SSSD can be used to + provide user ID mapping from a number of sources. See https://sssd.io for more information + about the SSSD project. + nullable: true + properties: + sidecar: + description: Sidecar tells Rook to run SSSD in a sidecar alongside + the NFS-Ganesha server in each NFS pod. + properties: + additionalFiles: + description: |- + AdditionalFiles defines any number of additional files that should be mounted into the SSSD + sidecar with a directory root of `/etc/sssd/rook-additional/`. + These files may be referenced by the sssd.conf config file. + items: + description: |- + AdditionalVolumeMount represents the source from where additional files in pod containers + should come from and what subdirectory they are made available in. + properties: + subPath: + description: |- + SubPath defines the sub-path (subdirectory) of the directory root where the volumeSource will + be mounted. All files/keys in the volume source's volume will be mounted to the subdirectory. + This is not the same as the Kubernetes `subPath` volume mount option. + Each subPath definition must be unique and must not contain ':'. 
+ minLength: 1 + pattern: ^[^:]+$ + type: string + volumeSource: + properties: + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + 
type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + type: object + required: + - subPath + - volumeSource + type: object + type: array + debugLevel: + description: |- + DebugLevel sets the debug level for SSSD. If unset or set to 0, Rook does nothing. 
Otherwise, + this may be a value between 1 and 10. See SSSD docs for more info: + https://sssd.io/troubleshooting/basics.html#sssd-debug-logs + maximum: 10 + minimum: 0 + type: integer + image: + description: Image defines the container image that should + be used for the SSSD sidecar. + minLength: 1 + type: string + resources: + description: Resources allow specifying resource requests/limits + on the SSSD sidecar container. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + sssdConfigFile: + description: |- + SSSDConfigFile defines where the SSSD configuration should be sourced from. The config file + will be placed into `/etc/sssd/sssd.conf`. If this is left empty, Rook will not add the file. + This allows you to manage the `sssd.conf` file yourself however you wish. For example, you + may build it into your custom Ceph container image or use the Vault agent injector to + securely add the file via annotations on the CephNFS spec (passed to the NFS server pods). 
+ properties: + volumeSource: + properties: + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + 
x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + type: object + type: object + required: + - image + type: object + type: object + type: object + server: + description: Server is the Ganesha Server specification + properties: + active: + description: The number of active Ganesha servers + type: integer + 
annotations: + additionalProperties: + type: string + description: The annotations-related configuration to add/set + on each Pod related object. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + hostNetwork: + description: Whether host networking is enabled for the Ganesha + server. If not set, the network settings from the cluster CR + will be applied. + nullable: true + type: boolean + labels: + additionalProperties: + type: string + description: The labels-related configuration to add/set on each + Pod related object. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + livenessProbe: + description: |- + A liveness-probe to verify that Ganesha server has valid run-time state. + If LivenessProbe.Disabled is false and LivenessProbe.Probe is nil uses default probe. + properties: + disabled: + description: Disabled determines whether probe is disable + or not + type: boolean + probe: + description: |- + Probe describes a health check to be performed against a container to determine whether it is + alive or ready to receive traffic. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. 
+ properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a + TCP port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + type: object + logLevel: + description: LogLevel set logging level + type: string + placement: + nullable: true + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + 
preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: 
atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + 
type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + 
- key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + priorityClassName: + description: PriorityClassName sets the priority class on the + pods + type: string + resources: + description: Resources set resource requests and limits + nullable: true + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - active + type: object + required: + - server + type: object + status: + description: Status represents the status of an object + properties: + conditions: + items: + description: Condition represents a status condition on any Rook-Ceph + Custom Resource. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is a reason for a condition + type: string + status: + type: string + type: + description: ConditionType represent a resource's status + type: string + type: object + type: array + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. 
+ format: int64 + type: integer + phase: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephobjectrealms.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephObjectRealm + listKind: CephObjectRealmList + plural: cephobjectrealms + singular: cephobjectrealm + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: CephObjectRealm represents a Ceph Object Store Gateway Realm + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ObjectRealmSpec represent the spec of an ObjectRealm + nullable: true + properties: + pull: + description: PullSpec represents the pulling specification of a Ceph + Object Storage Gateway Realm + properties: + endpoint: + pattern: ^https*:// + type: string + type: object + type: object + status: + description: Status represents the status of an object + properties: + conditions: + items: + description: Condition represents a status condition on any Rook-Ceph + Custom Resource. 
+ properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is a reason for a condition + type: string + status: + type: string + type: + description: ConditionType represent a resource's status + type: string + type: object + type: array + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. + format: int64 + type: integer + phase: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephobjectstores.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephObjectStore + listKind: CephObjectStoreList + plural: cephobjectstores + singular: cephobjectstore + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .status.info.endpoint + name: Endpoint + type: string + - jsonPath: .status.info.secureEndpoint + name: SecureEndpoint + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CephObjectStore represents a Ceph Object Store Gateway + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ObjectStoreSpec represent the spec of a pool + properties: + allowUsersInNamespaces: + description: |- + The list of allowed namespaces in addition to the object store namespace + where ceph object store users may be created. Specify "*" to allow all + namespaces, otherwise list individual namespaces that are to be allowed. + This is useful for applications that need object store credentials + to be created in their own namespace, where neither OBCs nor COSI + is being used to create buckets. The default is empty. + items: + type: string + type: array + auth: + description: The authentication configuration + properties: + keystone: + description: The spec for Keystone + nullable: true + properties: + acceptedRoles: + description: The roles requires to serve requests. + items: + type: string + type: array + implicitTenants: + description: Create new users in their own tenants of the + same name. Possible values are true, false, swift and s3. + The latter have the effect of splitting the identity space + such that only the indicated protocol will use implicit + tenants. + type: string + revocationInterval: + description: The number of seconds between token revocation + checks. + nullable: true + type: integer + serviceUserSecretName: + description: The name of the secret containing the credentials + for the service user account used by RGW. It has to be in + the same namespace as the object store resource. + type: string + tokenCacheSize: + description: The maximum number of entries in each Keystone + token cache. + nullable: true + type: integer + url: + description: The URL for the Keystone server. 
+ type: string + required: + - acceptedRoles + - serviceUserSecretName + - url + type: object + type: object + dataPool: + description: The data pool settings + nullable: true + properties: + application: + description: The application name to set on the pool. Only expected + to be set for rgw pools. + type: string + compressionMode: + description: |- + DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" + The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) + Do NOT set a default value for kubebuilder as this will override the Parameters + enum: + - none + - passive + - aggressive + - force + - "" + nullable: true + type: string + crushRoot: + description: The root of the crush hierarchy utilized by the pool + nullable: true + type: string + deviceClass: + description: The device class the OSD should set to for use in + the pool + nullable: true + type: string + enableCrushUpdates: + description: Allow rook operator to change the pool CRUSH tunables + once the pool is created + type: boolean + enableRBDStats: + description: EnableRBDStats is used to enable gathering of statistics + for all RBD images in the pool + type: boolean + erasureCoded: + description: The erasure code settings + properties: + algorithm: + description: The algorithm for erasure coding + type: string + codingChunks: + description: |- + Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + This is the number of OSDs that can be lost simultaneously before data cannot be recovered. + minimum: 0 + type: integer + dataChunks: + description: |- + Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + The number of chunks required to recover an object when any single OSD is lost is the same + as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. 
+ minimum: 0 + type: integer + required: + - codingChunks + - dataChunks + type: object + failureDomain: + description: 'The failure domain: osd/host/(region or zone if + available) - technically also any type in the crush map' + type: string + mirroring: + description: The mirroring settings + properties: + enabled: + description: Enabled whether this pool is mirrored or not + type: boolean + mode: + description: 'Mode is the mirroring mode: either pool or image' + type: string + peers: + description: Peers represents the peers spec + nullable: true + properties: + secretNames: + description: SecretNames represents the Kubernetes Secret + names to add rbd-mirror or cephfs-mirror peers + items: + type: string + type: array + type: object + snapshotSchedules: + description: SnapshotSchedules is the scheduling of snapshot + for mirrored images/pools + items: + description: SnapshotScheduleSpec represents the snapshot + scheduling settings of a mirrored pool + properties: + interval: + description: Interval represent the periodicity of the + snapshot. 
+ type: string + path: + description: Path is the path to snapshot, only valid + for CephFS + type: string + startTime: + description: StartTime indicates when to start the snapshot + type: string + type: object + type: array + type: object + parameters: + additionalProperties: + type: string + description: Parameters is a list of properties to enable on a + given pool + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + quotas: + description: The quota settings + nullable: true + properties: + maxBytes: + description: |- + MaxBytes represents the quota in bytes + Deprecated in favor of MaxSize + format: int64 + type: integer + maxObjects: + description: MaxObjects represents the quota in objects + format: int64 + type: integer + maxSize: + description: MaxSize represents the quota in bytes as a string + pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ + type: string + type: object + replicated: + description: The replication settings + properties: + hybridStorage: + description: HybridStorage represents hybrid storage tier + settings + nullable: true + properties: + primaryDeviceClass: + description: PrimaryDeviceClass represents high performance + tier (for example SSD or NVME) for Primary OSD + minLength: 1 + type: string + secondaryDeviceClass: + description: SecondaryDeviceClass represents low performance + tier (for example HDDs) for remaining OSDs + minLength: 1 + type: string + required: + - primaryDeviceClass + - secondaryDeviceClass + type: object + replicasPerFailureDomain: + description: ReplicasPerFailureDomain the number of replica + in the specified failure domain + minimum: 1 + type: integer + requireSafeReplicaSize: + description: RequireSafeReplicaSize if false allows you to + set replica 1 + type: boolean + size: + description: Size - Number of copies per object in a replicated + storage pool, including the object itself (required for + replicated pool type) + minimum: 0 + type: integer + subFailureDomain: + 
description: SubFailureDomain the name of the sub-failure + domain + type: string + targetSizeRatio: + description: TargetSizeRatio gives a hint (%) to Ceph in terms + of expected consumption of the total cluster capacity + type: number + required: + - size + type: object + statusCheck: + description: The mirroring statusCheck + properties: + mirror: + description: HealthCheckSpec represents the health check of + an object store bucket + nullable: true + properties: + disabled: + type: boolean + interval: + description: Interval is the internal in second or minute + for the health check to run like 60s for 60 seconds + type: string + timeout: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + gateway: + description: The rgw pod info + nullable: true + properties: + additionalVolumeMounts: + description: |- + AdditionalVolumeMounts allows additional volumes to be mounted to the RGW pod. + The root directory for each additional volume mount is `/var/rgw`. + Example: for an additional mount at subPath `ldap`, mounted from a secret that has key + `bindpass.secret`, the file would reside at `/var/rgw/ldap/bindpass.secret`. + items: + description: |- + AdditionalVolumeMount represents the source from where additional files in pod containers + should come from and what subdirectory they are made available in. + properties: + subPath: + description: |- + SubPath defines the sub-path (subdirectory) of the directory root where the volumeSource will + be mounted. All files/keys in the volume source's volume will be mounted to the subdirectory. + This is not the same as the Kubernetes `subPath` volume mount option. + Each subPath definition must be unique and must not contain ':'. 
+ minLength: 1 + pattern: ^[^:]+$ + type: string + volumeSource: + properties: + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + 
type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + type: object + required: + - subPath + - volumeSource + type: object + type: array + annotations: + additionalProperties: + type: string + description: The annotations-related configuration to add/set + on each Pod related object. 
+ nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + caBundleRef: + description: The name of the secret that stores custom ca-bundle + with root and intermediate certificates. + nullable: true + type: string + dashboardEnabled: + description: Whether rgw dashboard is enabled for the rgw daemon. + If not set, the rgw dashboard will be enabled. + nullable: true + type: boolean + x-kubernetes-preserve-unknown-fields: true + disableMultisiteSyncTraffic: + description: |- + DisableMultisiteSyncTraffic, when true, prevents this object store's gateways from + transmitting multisite replication data. Note that this value does not affect whether + gateways receive multisite replication traffic: see ObjectZone.spec.customEndpoints for that. + If false or unset, this object store's gateways will be able to transmit multisite + replication data. + type: boolean + externalRgwEndpoints: + description: |- + ExternalRgwEndpoints points to external RGW endpoint(s). Multiple endpoints can be given, but + for stability of ObjectBucketClaims, we highly recommend that users give only a single + external RGW endpoint that is a load balancer that sends requests to the multiple RGWs. + items: + description: |- + EndpointAddress is a tuple that describes a single IP address or host name. This is a subset of + Kubernetes's v1.EndpointAddress. + properties: + hostname: + description: The DNS-addressable Hostname of this endpoint. + This field will be preferred over IP if both are given. + type: string + ip: + description: The IP of this endpoint. As a legacy behavior, + this supports being given a DNS-addressable hostname as + well. + type: string + type: object + x-kubernetes-map-type: atomic + nullable: true + type: array + hostNetwork: + description: Whether host networking is enabled for the rgw daemon. + If not set, the network settings from the cluster CR will be + applied. 
+ nullable: true + type: boolean + x-kubernetes-preserve-unknown-fields: true + instances: + description: The number of pods in the rgw replicaset. + format: int32 + nullable: true + type: integer + labels: + additionalProperties: + type: string + description: The labels-related configuration to add/set on each + Pod related object. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + placement: + nullable: true + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + 
type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + 
additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + 
type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + 
matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + port: + description: The port the rgw service will be listening on (http) + format: int32 + type: integer + priorityClassName: + description: PriorityClassName sets priority classes on the rgw + pods + type: string + resources: + description: The resource requirements for the rgw pods + nullable: true + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + securePort: + description: The port the rgw service will be listening on (https) + format: int32 + maximum: 65535 + minimum: 0 + nullable: true + type: integer + service: + description: The configuration related to add/set on each rgw + service. + nullable: true + properties: + annotations: + additionalProperties: + type: string + description: |- + The annotations-related configuration to add/set on each rgw service. 
+ nullable + optional + type: object + type: object + sslCertificateRef: + description: The name of the secret that stores the ssl certificate + for secure rgw connections + nullable: true + type: string + type: object + healthCheck: + description: The RGW health probes + nullable: true + properties: + readinessProbe: + description: ProbeSpec is a wrapper around Probe so it can be + enabled or disabled for a Ceph daemon + properties: + disabled: + description: Disabled determines whether probe is disable + or not + type: boolean + probe: + description: |- + Probe describes a health check to be performed against a container to determine whether it is + alive or ready to receive traffic. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
+ format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a + TCP port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + startupProbe: + description: ProbeSpec is a wrapper around Probe so it can be + enabled or disabled for a Ceph daemon + properties: + disabled: + description: Disabled determines whether probe is disable + or not + type: boolean + probe: + description: |- + Probe describes a health check to be performed against a container to determine whether it is + alive or ready to receive traffic. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a + TCP port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + type: object + type: object + hosting: + description: |- + Hosting settings for the object store. + A common use case for hosting configuration is to inform Rook of endpoints that support DNS + wildcards, which in turn allows virtual host-style bucket addressing. + nullable: true + properties: + advertiseEndpoint: + description: |- + AdvertiseEndpoint is the default endpoint Rook will return for resources dependent on this + object store. 
This endpoint will be returned to CephObjectStoreUsers, Object Bucket Claims, + and COSI Buckets/Accesses. + By default, Rook returns the endpoint for the object store's Kubernetes service using HTTPS + with `gateway.securePort` if it is defined (otherwise, HTTP with `gateway.port`). + nullable: true + properties: + dnsName: + description: |- + DnsName is the DNS name (in RFC-1123 format) of the endpoint. + If the DNS name corresponds to an endpoint with DNS wildcard support, do not include the + wildcard itself in the list of hostnames. + E.g., use "mystore.example.com" instead of "*.mystore.example.com". + minLength: 1 + type: string + port: + description: Port is the port on which S3 connections can + be made for this endpoint. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + useTls: + description: UseTls defines whether the endpoint uses TLS + (HTTPS) or not (HTTP). + type: boolean + required: + - dnsName + - port + - useTls + type: object + dnsNames: + description: |- + A list of DNS host names on which object store gateways will accept client S3 connections. + When specified, object store gateways will reject client S3 connections to hostnames that are + not present in this list, so include all endpoints. + The object store's advertiseEndpoint and Kubernetes service endpoint, plus CephObjectZone + `customEndpoints` are automatically added to the list but may be set here again if desired. + Each DNS name must be valid according RFC-1123. + If the DNS name corresponds to an endpoint with DNS wildcard support, do not include the + wildcard itself in the list of hostnames. + E.g., use "mystore.example.com" instead of "*.mystore.example.com". + The feature is supported only for Ceph v18 and later versions. + items: + type: string + type: array + type: object + metadataPool: + description: The metadata pool settings + nullable: true + properties: + application: + description: The application name to set on the pool. 
Only expected + to be set for rgw pools. + type: string + compressionMode: + description: |- + DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" + The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) + Do NOT set a default value for kubebuilder as this will override the Parameters + enum: + - none + - passive + - aggressive + - force + - "" + nullable: true + type: string + crushRoot: + description: The root of the crush hierarchy utilized by the pool + nullable: true + type: string + deviceClass: + description: The device class the OSD should set to for use in + the pool + nullable: true + type: string + enableCrushUpdates: + description: Allow rook operator to change the pool CRUSH tunables + once the pool is created + type: boolean + enableRBDStats: + description: EnableRBDStats is used to enable gathering of statistics + for all RBD images in the pool + type: boolean + erasureCoded: + description: The erasure code settings + properties: + algorithm: + description: The algorithm for erasure coding + type: string + codingChunks: + description: |- + Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + This is the number of OSDs that can be lost simultaneously before data cannot be recovered. + minimum: 0 + type: integer + dataChunks: + description: |- + Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + The number of chunks required to recover an object when any single OSD is lost is the same + as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. 
+ minimum: 0 + type: integer + required: + - codingChunks + - dataChunks + type: object + failureDomain: + description: 'The failure domain: osd/host/(region or zone if + available) - technically also any type in the crush map' + type: string + mirroring: + description: The mirroring settings + properties: + enabled: + description: Enabled whether this pool is mirrored or not + type: boolean + mode: + description: 'Mode is the mirroring mode: either pool or image' + type: string + peers: + description: Peers represents the peers spec + nullable: true + properties: + secretNames: + description: SecretNames represents the Kubernetes Secret + names to add rbd-mirror or cephfs-mirror peers + items: + type: string + type: array + type: object + snapshotSchedules: + description: SnapshotSchedules is the scheduling of snapshot + for mirrored images/pools + items: + description: SnapshotScheduleSpec represents the snapshot + scheduling settings of a mirrored pool + properties: + interval: + description: Interval represent the periodicity of the + snapshot. 
+ type: string + path: + description: Path is the path to snapshot, only valid + for CephFS + type: string + startTime: + description: StartTime indicates when to start the snapshot + type: string + type: object + type: array + type: object + parameters: + additionalProperties: + type: string + description: Parameters is a list of properties to enable on a + given pool + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + quotas: + description: The quota settings + nullable: true + properties: + maxBytes: + description: |- + MaxBytes represents the quota in bytes + Deprecated in favor of MaxSize + format: int64 + type: integer + maxObjects: + description: MaxObjects represents the quota in objects + format: int64 + type: integer + maxSize: + description: MaxSize represents the quota in bytes as a string + pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ + type: string + type: object + replicated: + description: The replication settings + properties: + hybridStorage: + description: HybridStorage represents hybrid storage tier + settings + nullable: true + properties: + primaryDeviceClass: + description: PrimaryDeviceClass represents high performance + tier (for example SSD or NVME) for Primary OSD + minLength: 1 + type: string + secondaryDeviceClass: + description: SecondaryDeviceClass represents low performance + tier (for example HDDs) for remaining OSDs + minLength: 1 + type: string + required: + - primaryDeviceClass + - secondaryDeviceClass + type: object + replicasPerFailureDomain: + description: ReplicasPerFailureDomain the number of replica + in the specified failure domain + minimum: 1 + type: integer + requireSafeReplicaSize: + description: RequireSafeReplicaSize if false allows you to + set replica 1 + type: boolean + size: + description: Size - Number of copies per object in a replicated + storage pool, including the object itself (required for + replicated pool type) + minimum: 0 + type: integer + subFailureDomain: + 
description: SubFailureDomain the name of the sub-failure + domain + type: string + targetSizeRatio: + description: TargetSizeRatio gives a hint (%) to Ceph in terms + of expected consumption of the total cluster capacity + type: number + required: + - size + type: object + statusCheck: + description: The mirroring statusCheck + properties: + mirror: + description: HealthCheckSpec represents the health check of + an object store bucket + nullable: true + properties: + disabled: + type: boolean + interval: + description: Interval is the internal in second or minute + for the health check to run like 60s for 60 seconds + type: string + timeout: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + preservePoolsOnDelete: + description: Preserve pools on object store deletion + type: boolean + protocols: + description: The protocol specification + properties: + s3: + description: The spec for S3 + nullable: true + properties: + authUseKeystone: + description: Whether to use Keystone for authentication. This + option maps directly to the rgw_s3_auth_use_keystone option. + Enabling it allows generating S3 credentials via an OpenStack + API call, see the docs. If not given, the defaults of the + corresponding RGW option apply. + nullable: true + type: boolean + enabled: + description: Whether to enable S3. This defaults to true (even + if protocols.s3 is not present in the CRD). This maintains + backwards compatibility – by default S3 is enabled. + nullable: true + type: boolean + type: object + swift: + description: The spec for Swift + nullable: true + properties: + accountInUrl: + description: Whether or not the Swift account name should + be included in the Swift API URL. If set to false (the default), + then the Swift API will listen on a URL formed like http://host:port//v1. + If set to true, the Swift API URL will be http://host:port//v1/AUTH_. 
+ You must set this option to true (and update the Keystone + service catalog) if you want radosgw to support publicly-readable + containers and temporary URLs. + nullable: true + type: boolean + urlPrefix: + description: The URL prefix for the Swift API, to distinguish + it from the S3 API endpoint. The default is swift, which + makes the Swift API available at the URL http://host:port/swift/v1 + (or http://host:port/swift/v1/AUTH_%(tenant_id)s if rgw + swift account in url is enabled). + nullable: true + type: string + versioningEnabled: + description: Enables the Object Versioning of OpenStack Object + Storage API. This allows clients to put the X-Versions-Location + attribute on containers that should be versioned. + nullable: true + type: boolean + type: object + type: object + security: + description: Security represents security settings + nullable: true + properties: + keyRotation: + description: KeyRotation defines options for Key Rotation. + nullable: true + properties: + enabled: + default: false + description: Enabled represents whether the key rotation is + enabled. + type: boolean + schedule: + description: Schedule represents the cron schedule for key + rotation. 
+ type: string + type: object + kms: + description: KeyManagementService is the main Key Management option + nullable: true + properties: + connectionDetails: + additionalProperties: + type: string + description: ConnectionDetails contains the KMS connection + details (address, port etc) + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + tokenSecretName: + description: TokenSecretName is the kubernetes secret containing + the KMS token + type: string + type: object + s3: + description: The settings for supporting AWS-SSE:S3 with RGW + nullable: true + properties: + connectionDetails: + additionalProperties: + type: string + description: ConnectionDetails contains the KMS connection + details (address, port etc) + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + tokenSecretName: + description: TokenSecretName is the kubernetes secret containing + the KMS token + type: string + type: object + type: object + sharedPools: + description: The pool information when configuring RADOS namespaces + in existing pools. + nullable: true + properties: + dataPoolName: + description: The data pool used for creating RADOS namespaces + in the object store + type: string + x-kubernetes-validations: + - message: object store shared data pool is immutable + rule: self == oldSelf + metadataPoolName: + description: The metadata pool used for creating RADOS namespaces + in the object store + type: string + x-kubernetes-validations: + - message: object store shared metadata pool is immutable + rule: self == oldSelf + poolPlacements: + description: |- + PoolPlacements control which Pools are associated with a particular RGW bucket. + Once PoolPlacements are defined, RGW client will be able to associate pool + with ObjectStore bucket by providing "" during s3 bucket creation + or "X-Storage-Policy" header during swift container creation. 
+ See: https://docs.ceph.com/en/latest/radosgw/placement/#placement-targets + PoolPlacement with name: "default" will be used as a default pool if no option + is provided during bucket creation. + If default placement is not provided, spec.sharedPools.dataPoolName and spec.sharedPools.MetadataPoolName will be used as default pools. + If spec.sharedPools are also empty, then RGW pools (spec.dataPool and spec.metadataPool) will be used as defaults. + items: + properties: + dataNonECPoolName: + description: |- + The data pool used to store ObjectStore data that cannot use erasure coding (ex: multi-part uploads). + If dataPoolName is not erasure coded, then there is no need for dataNonECPoolName. + type: string + dataPoolName: + description: The data pool used to store ObjectStore objects + data. + minLength: 1 + type: string + default: + description: |- + Sets given placement as default. Only one placement in the list can be marked as default. + Default is false. + type: boolean + metadataPoolName: + description: The metadata pool used to store ObjectStore + bucket index. + minLength: 1 + type: string + name: + description: Pool placement name. Name can be arbitrary. + Placement with name "default" will be used as default. + minLength: 1 + pattern: ^[a-zA-Z0-9._/-]+$ + type: string + storageClasses: + description: |- + StorageClasses can be selected by user to override dataPoolName during object creation. + Each placement has default STANDARD StorageClass pointing to dataPoolName. + This list allows defining additional StorageClasses on top of default STANDARD storage class. + items: + properties: + dataPoolName: + description: DataPoolName is the data pool used to + store ObjectStore objects data. + minLength: 1 + type: string + name: + description: |- + Name is the StorageClass name. 
Ceph allows arbitrary name for StorageClasses, + however most clients/libs insist on AWS names so it is recommended to use + one of the valid x-amz-storage-class values for better compatibility: + REDUCED_REDUNDANCY | STANDARD_IA | ONEZONE_IA | INTELLIGENT_TIERING | GLACIER | DEEP_ARCHIVE | OUTPOSTS | GLACIER_IR | SNOW | EXPRESS_ONEZONE + See AWS docs: https://aws.amazon.com/de/s3/storage-classes/ + minLength: 1 + pattern: ^[a-zA-Z0-9._/-]+$ + type: string + required: + - dataPoolName + - name + type: object + type: array + required: + - dataPoolName + - metadataPoolName + - name + type: object + type: array + preserveRadosNamespaceDataOnDelete: + description: Whether the RADOS namespaces should be preserved + on deletion of the object store + type: boolean + type: object + zone: + description: The multisite info + nullable: true + properties: + name: + description: RGW Zone the Object Store is in + type: string + required: + - name + type: object + type: object + status: + description: ObjectStoreStatus represents the status of a Ceph Object + Store resource + properties: + conditions: + items: + description: Condition represents a status condition on any Rook-Ceph + Custom Resource. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is a reason for a condition + type: string + status: + type: string + type: + description: ConditionType represent a resource's status + type: string + type: object + type: array + endpoints: + properties: + insecure: + items: + type: string + nullable: true + type: array + secure: + items: + type: string + nullable: true + type: array + type: object + info: + additionalProperties: + type: string + nullable: true + type: object + message: + type: string + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. 
+ format: int64 + type: integer + phase: + description: ConditionType represent a resource's status + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephobjectstoreusers.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephObjectStoreUser + listKind: CephObjectStoreUserList + plural: cephobjectstoreusers + shortNames: + - rcou + - objectuser + singular: cephobjectstoreuser + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CephObjectStoreUser represents a Ceph Object Store Gateway User + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ObjectStoreUserSpec represent the spec of an Objectstoreuser + properties: + capabilities: + description: Additional admin-level capabilities for the Ceph object + store user + nullable: true + properties: + amz-cache: + description: Add capabilities for user to send request to RGW + Cache API header. Documented in https://docs.ceph.com/en/quincy/radosgw/rgw-cache/#cache-api + enum: + - '*' + - read + - write + - read, write + type: string + bilog: + description: Add capabilities for user to change bucket index + logging. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + bucket: + description: Admin capabilities to read/write Ceph object store + buckets. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + buckets: + description: Admin capabilities to read/write Ceph object store + buckets. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + datalog: + description: Add capabilities for user to change data logging. + Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + info: + description: Admin capabilities to read/write information about + the user. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + mdlog: + description: Add capabilities for user to change metadata logging. 
+ Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + metadata: + description: Admin capabilities to read/write Ceph object store + metadata. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + oidc-provider: + description: Add capabilities for user to change oidc provider. + Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + ratelimit: + description: Add capabilities for user to set rate limiter for + user and bucket. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + roles: + description: Admin capabilities to read/write roles for user. + Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + usage: + description: Admin capabilities to read/write Ceph object store + usage. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + user: + description: Admin capabilities to read/write Ceph object store + users. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + user-policy: + description: Add capabilities for user to change user policies. + Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + users: + description: Admin capabilities to read/write Ceph object store + users. 
Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + zone: + description: Admin capabilities to read/write Ceph object store + zones. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities + enum: + - '*' + - read + - write + - read, write + type: string + type: object + clusterNamespace: + description: The namespace where the parent CephCluster and CephObjectStore + are found + type: string + displayName: + description: The display name for the ceph users + type: string + quotas: + description: ObjectUserQuotaSpec can be used to set quotas for the + object store user to limit their usage. See the [Ceph docs](https://docs.ceph.com/en/latest/radosgw/admin/?#quota-management) + for more + nullable: true + properties: + maxBuckets: + description: Maximum bucket limit for the ceph user + nullable: true + type: integer + maxObjects: + description: Maximum number of objects across all the user's buckets + format: int64 + nullable: true + type: integer + maxSize: + anyOf: + - type: integer + - type: string + description: |- + Maximum size limit of all objects across all the user's buckets + See https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#Quantity for more info. + nullable: true + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + store: + description: The store the user will be created in + type: string + type: object + status: + description: ObjectStoreUserStatus represents the status Ceph Object Store + Gateway User + properties: + info: + additionalProperties: + type: string + nullable: true + type: object + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. 
+ format: int64 + type: integer + phase: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephobjectzonegroups.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephObjectZoneGroup + listKind: CephObjectZoneGroupList + plural: cephobjectzonegroups + singular: cephobjectzonegroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CephObjectZoneGroup represents a Ceph Object Store Gateway Zone + Group + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ObjectZoneGroupSpec represent the spec of an ObjectZoneGroup + properties: + realm: + description: The display name for the ceph users + type: string + required: + - realm + type: object + status: + description: Status represents the status of an object + properties: + conditions: + items: + description: Condition represents a status condition on any Rook-Ceph + Custom Resource. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is a reason for a condition + type: string + status: + type: string + type: + description: ConditionType represent a resource's status + type: string + type: object + type: array + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. 
+ format: int64 + type: integer + phase: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephobjectzones.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephObjectZone + listKind: CephObjectZoneList + plural: cephobjectzones + singular: cephobjectzone + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CephObjectZone represents a Ceph Object Store Gateway Zone + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ObjectZoneSpec represent the spec of an ObjectZone + properties: + customEndpoints: + description: |- + If this zone cannot be accessed from other peer Ceph clusters via the ClusterIP Service + endpoint created by Rook, you must set this to the externally reachable endpoint(s). You may + include the port in the definition. 
For example: "https://my-object-store.my-domain.net:443". + In many cases, you should set this to the endpoint of the ingress resource that makes the + CephObjectStore associated with this CephObjectStoreZone reachable to peer clusters. + The list can have one or more endpoints pointing to different RGW servers in the zone. + + If a CephObjectStore endpoint is omitted from this list, that object store's gateways will + not receive multisite replication data + (see CephObjectStore.spec.gateway.disableMultisiteSyncTraffic). + items: + type: string + nullable: true + type: array + dataPool: + description: The data pool settings + nullable: true + properties: + application: + description: The application name to set on the pool. Only expected + to be set for rgw pools. + type: string + compressionMode: + description: |- + DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" + The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) + Do NOT set a default value for kubebuilder as this will override the Parameters + enum: + - none + - passive + - aggressive + - force + - "" + nullable: true + type: string + crushRoot: + description: The root of the crush hierarchy utilized by the pool + nullable: true + type: string + deviceClass: + description: The device class the OSD should set to for use in + the pool + nullable: true + type: string + enableCrushUpdates: + description: Allow rook operator to change the pool CRUSH tunables + once the pool is created + type: boolean + enableRBDStats: + description: EnableRBDStats is used to enable gathering of statistics + for all RBD images in the pool + type: boolean + erasureCoded: + description: The erasure code settings + properties: + algorithm: + description: The algorithm for erasure coding + type: string + codingChunks: + description: |- + Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). 
+ This is the number of OSDs that can be lost simultaneously before data cannot be recovered. + minimum: 0 + type: integer + dataChunks: + description: |- + Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + The number of chunks required to recover an object when any single OSD is lost is the same + as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. + minimum: 0 + type: integer + required: + - codingChunks + - dataChunks + type: object + failureDomain: + description: 'The failure domain: osd/host/(region or zone if + available) - technically also any type in the crush map' + type: string + mirroring: + description: The mirroring settings + properties: + enabled: + description: Enabled whether this pool is mirrored or not + type: boolean + mode: + description: 'Mode is the mirroring mode: either pool or image' + type: string + peers: + description: Peers represents the peers spec + nullable: true + properties: + secretNames: + description: SecretNames represents the Kubernetes Secret + names to add rbd-mirror or cephfs-mirror peers + items: + type: string + type: array + type: object + snapshotSchedules: + description: SnapshotSchedules is the scheduling of snapshot + for mirrored images/pools + items: + description: SnapshotScheduleSpec represents the snapshot + scheduling settings of a mirrored pool + properties: + interval: + description: Interval represent the periodicity of the + snapshot. 
+ type: string + path: + description: Path is the path to snapshot, only valid + for CephFS + type: string + startTime: + description: StartTime indicates when to start the snapshot + type: string + type: object + type: array + type: object + parameters: + additionalProperties: + type: string + description: Parameters is a list of properties to enable on a + given pool + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + quotas: + description: The quota settings + nullable: true + properties: + maxBytes: + description: |- + MaxBytes represents the quota in bytes + Deprecated in favor of MaxSize + format: int64 + type: integer + maxObjects: + description: MaxObjects represents the quota in objects + format: int64 + type: integer + maxSize: + description: MaxSize represents the quota in bytes as a string + pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ + type: string + type: object + replicated: + description: The replication settings + properties: + hybridStorage: + description: HybridStorage represents hybrid storage tier + settings + nullable: true + properties: + primaryDeviceClass: + description: PrimaryDeviceClass represents high performance + tier (for example SSD or NVME) for Primary OSD + minLength: 1 + type: string + secondaryDeviceClass: + description: SecondaryDeviceClass represents low performance + tier (for example HDDs) for remaining OSDs + minLength: 1 + type: string + required: + - primaryDeviceClass + - secondaryDeviceClass + type: object + replicasPerFailureDomain: + description: ReplicasPerFailureDomain the number of replica + in the specified failure domain + minimum: 1 + type: integer + requireSafeReplicaSize: + description: RequireSafeReplicaSize if false allows you to + set replica 1 + type: boolean + size: + description: Size - Number of copies per object in a replicated + storage pool, including the object itself (required for + replicated pool type) + minimum: 0 + type: integer + subFailureDomain: + 
description: SubFailureDomain the name of the sub-failure + domain + type: string + targetSizeRatio: + description: TargetSizeRatio gives a hint (%) to Ceph in terms + of expected consumption of the total cluster capacity + type: number + required: + - size + type: object + statusCheck: + description: The mirroring statusCheck + properties: + mirror: + description: HealthCheckSpec represents the health check of + an object store bucket + nullable: true + properties: + disabled: + type: boolean + interval: + description: Interval is the internal in second or minute + for the health check to run like 60s for 60 seconds + type: string + timeout: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + metadataPool: + description: The metadata pool settings + nullable: true + properties: + application: + description: The application name to set on the pool. Only expected + to be set for rgw pools. + type: string + compressionMode: + description: |- + DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" + The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) + Do NOT set a default value for kubebuilder as this will override the Parameters + enum: + - none + - passive + - aggressive + - force + - "" + nullable: true + type: string + crushRoot: + description: The root of the crush hierarchy utilized by the pool + nullable: true + type: string + deviceClass: + description: The device class the OSD should set to for use in + the pool + nullable: true + type: string + enableCrushUpdates: + description: Allow rook operator to change the pool CRUSH tunables + once the pool is created + type: boolean + enableRBDStats: + description: EnableRBDStats is used to enable gathering of statistics + for all RBD images in the pool + type: boolean + erasureCoded: + description: The erasure code settings + properties: + algorithm: + description: The algorithm for 
erasure coding + type: string + codingChunks: + description: |- + Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + This is the number of OSDs that can be lost simultaneously before data cannot be recovered. + minimum: 0 + type: integer + dataChunks: + description: |- + Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). + The number of chunks required to recover an object when any single OSD is lost is the same + as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. + minimum: 0 + type: integer + required: + - codingChunks + - dataChunks + type: object + failureDomain: + description: 'The failure domain: osd/host/(region or zone if + available) - technically also any type in the crush map' + type: string + mirroring: + description: The mirroring settings + properties: + enabled: + description: Enabled whether this pool is mirrored or not + type: boolean + mode: + description: 'Mode is the mirroring mode: either pool or image' + type: string + peers: + description: Peers represents the peers spec + nullable: true + properties: + secretNames: + description: SecretNames represents the Kubernetes Secret + names to add rbd-mirror or cephfs-mirror peers + items: + type: string + type: array + type: object + snapshotSchedules: + description: SnapshotSchedules is the scheduling of snapshot + for mirrored images/pools + items: + description: SnapshotScheduleSpec represents the snapshot + scheduling settings of a mirrored pool + properties: + interval: + description: Interval represent the periodicity of the + snapshot. 
+ type: string + path: + description: Path is the path to snapshot, only valid + for CephFS + type: string + startTime: + description: StartTime indicates when to start the snapshot + type: string + type: object + type: array + type: object + parameters: + additionalProperties: + type: string + description: Parameters is a list of properties to enable on a + given pool + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + quotas: + description: The quota settings + nullable: true + properties: + maxBytes: + description: |- + MaxBytes represents the quota in bytes + Deprecated in favor of MaxSize + format: int64 + type: integer + maxObjects: + description: MaxObjects represents the quota in objects + format: int64 + type: integer + maxSize: + description: MaxSize represents the quota in bytes as a string + pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ + type: string + type: object + replicated: + description: The replication settings + properties: + hybridStorage: + description: HybridStorage represents hybrid storage tier + settings + nullable: true + properties: + primaryDeviceClass: + description: PrimaryDeviceClass represents high performance + tier (for example SSD or NVME) for Primary OSD + minLength: 1 + type: string + secondaryDeviceClass: + description: SecondaryDeviceClass represents low performance + tier (for example HDDs) for remaining OSDs + minLength: 1 + type: string + required: + - primaryDeviceClass + - secondaryDeviceClass + type: object + replicasPerFailureDomain: + description: ReplicasPerFailureDomain the number of replica + in the specified failure domain + minimum: 1 + type: integer + requireSafeReplicaSize: + description: RequireSafeReplicaSize if false allows you to + set replica 1 + type: boolean + size: + description: Size - Number of copies per object in a replicated + storage pool, including the object itself (required for + replicated pool type) + minimum: 0 + type: integer + subFailureDomain: + 
description: SubFailureDomain the name of the sub-failure + domain + type: string + targetSizeRatio: + description: TargetSizeRatio gives a hint (%) to Ceph in terms + of expected consumption of the total cluster capacity + type: number + required: + - size + type: object + statusCheck: + description: The mirroring statusCheck + properties: + mirror: + description: HealthCheckSpec represents the health check of + an object store bucket + nullable: true + properties: + disabled: + type: boolean + interval: + description: Interval is the internal in second or minute + for the health check to run like 60s for 60 seconds + type: string + timeout: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + preservePoolsOnDelete: + default: true + description: Preserve pools on object zone deletion + type: boolean + sharedPools: + description: The pool information when configuring RADOS namespaces + in existing pools. + nullable: true + properties: + dataPoolName: + description: The data pool used for creating RADOS namespaces + in the object store + type: string + x-kubernetes-validations: + - message: object store shared data pool is immutable + rule: self == oldSelf + metadataPoolName: + description: The metadata pool used for creating RADOS namespaces + in the object store + type: string + x-kubernetes-validations: + - message: object store shared metadata pool is immutable + rule: self == oldSelf + poolPlacements: + description: |- + PoolPlacements control which Pools are associated with a particular RGW bucket. + Once PoolPlacements are defined, RGW client will be able to associate pool + with ObjectStore bucket by providing "" during s3 bucket creation + or "X-Storage-Policy" header during swift container creation. + See: https://docs.ceph.com/en/latest/radosgw/placement/#placement-targets + PoolPlacement with name: "default" will be used as a default pool if no option + is provided during bucket creation. 
+ If default placement is not provided, spec.sharedPools.dataPoolName and spec.sharedPools.MetadataPoolName will be used as default pools. + If spec.sharedPools are also empty, then RGW pools (spec.dataPool and spec.metadataPool) will be used as defaults. + items: + properties: + dataNonECPoolName: + description: |- + The data pool used to store ObjectStore data that cannot use erasure coding (ex: multi-part uploads). + If dataPoolName is not erasure coded, then there is no need for dataNonECPoolName. + type: string + dataPoolName: + description: The data pool used to store ObjectStore objects + data. + minLength: 1 + type: string + default: + description: |- + Sets given placement as default. Only one placement in the list can be marked as default. + Default is false. + type: boolean + metadataPoolName: + description: The metadata pool used to store ObjectStore + bucket index. + minLength: 1 + type: string + name: + description: Pool placement name. Name can be arbitrary. + Placement with name "default" will be used as default. + minLength: 1 + pattern: ^[a-zA-Z0-9._/-]+$ + type: string + storageClasses: + description: |- + StorageClasses can be selected by user to override dataPoolName during object creation. + Each placement has default STANDARD StorageClass pointing to dataPoolName. + This list allows defining additional StorageClasses on top of default STANDARD storage class. + items: + properties: + dataPoolName: + description: DataPoolName is the data pool used to + store ObjectStore objects data. + minLength: 1 + type: string + name: + description: |- + Name is the StorageClass name. 
Ceph allows arbitrary name for StorageClasses, + however most clients/libs insist on AWS names so it is recommended to use + one of the valid x-amz-storage-class values for better compatibility: + REDUCED_REDUNDANCY | STANDARD_IA | ONEZONE_IA | INTELLIGENT_TIERING | GLACIER | DEEP_ARCHIVE | OUTPOSTS | GLACIER_IR | SNOW | EXPRESS_ONEZONE + See AWS docs: https://aws.amazon.com/de/s3/storage-classes/ + minLength: 1 + pattern: ^[a-zA-Z0-9._/-]+$ + type: string + required: + - dataPoolName + - name + type: object + type: array + required: + - dataPoolName + - metadataPoolName + - name + type: object + type: array + preserveRadosNamespaceDataOnDelete: + description: Whether the RADOS namespaces should be preserved + on deletion of the object store + type: boolean + type: object + zoneGroup: + description: The display name for the ceph users + type: string + required: + - zoneGroup + type: object + status: + description: Status represents the status of an object + properties: + conditions: + items: + description: Condition represents a status condition on any Rook-Ceph + Custom Resource. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is a reason for a condition + type: string + status: + type: string + type: + description: ConditionType represent a resource's status + type: string + type: object + type: array + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. 
+ format: int64 + type: integer + phase: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + helm.sh/resource-policy: keep + name: cephrbdmirrors.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: CephRBDMirror + listKind: CephRBDMirrorList + plural: cephrbdmirrors + singular: cephrbdmirror + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CephRBDMirror represents a Ceph RBD Mirror + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: RBDMirroringSpec represents the specification of an RBD mirror + daemon + properties: + annotations: + additionalProperties: + type: string + description: The annotations-related configuration to add/set on each + Pod related object. 
+ nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + count: + description: Count represents the number of rbd mirror instance to + run + minimum: 1 + type: integer + labels: + additionalProperties: + type: string + description: The labels-related configuration to add/set on each Pod + related object. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + peers: + description: Peers represents the peers spec + nullable: true + properties: + secretNames: + description: SecretNames represents the Kubernetes Secret names + to add rbd-mirror or cephfs-mirror peers + items: + type: string + type: array + type: object + placement: + nullable: true + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: 
string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + 
properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + 
type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tolerations: + items: + properties: + effect: + 
type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + priorityClassName: + description: PriorityClassName sets priority class on the rbd mirror + pods + type: string + resources: + description: The resource requirements for the rbd mirror pods + nullable: true + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - count + type: object + status: + description: Status represents the status of an object + properties: + conditions: + items: + description: Condition represents a status condition on any Rook-Ceph + Custom Resource. 
+ properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is a reason for a condition + type: string + status: + type: string + type: + description: ConditionType represent a resource's status + type: string + type: object + type: array + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. + format: int64 + type: integer + phase: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + name: objectbucketclaims.objectbucket.io +spec: + group: objectbucket.io + names: + kind: ObjectBucketClaim + listKind: ObjectBucketClaimList + plural: objectbucketclaims + shortNames: + - obc + - obcs + singular: objectbucketclaim + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + additionalConfig: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + bucketName: + type: string + generateBucketName: + type: string + objectBucketName: + type: string + storageClassName: + type: string + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + name: objectbuckets.objectbucket.io +spec: + group: objectbucket.io + names: + kind: ObjectBucket + listKind: ObjectBucketList + plural: objectbuckets + shortNames: + - ob + - obs + singular: objectbucket + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: 
+ properties: + spec: + properties: + additionalState: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + authentication: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + nullable: true + type: object + claimRef: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + endpoint: + nullable: true + properties: + additionalConfig: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + bucketHost: + type: string + bucketName: + type: string + bucketPort: + format: int32 + type: integer + region: + type: string + subRegion: + type: string + type: object + reclaimPolicy: + type: string + storageClassName: + type: string + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: driver-ceph + app.kubernetes.io/name: cosi-driver-ceph + app.kubernetes.io/part-of: container-object-storage-interface + name: objectstorage-provisioner + namespace: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-cmd-reporter + namespace: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + operator: rook + storage-backend: ceph + name: rook-ceph-default + namespace: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-mgr + namespace: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + 
app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-osd + namespace: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rook-ceph-purge-osd + namespace: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-rgw + namespace: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-system + namespace: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rook-csi-cephfs-plugin-sa + namespace: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rook-csi-cephfs-provisioner-sa + namespace: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rook-csi-rbd-plugin-sa + namespace: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rook-csi-rbd-provisioner-sa + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cephfs-external-provisioner-cfg + namespace: rook-ceph +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: rbd-external-provisioner-cfg + namespace: rook-ceph +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 
+kind: Role +metadata: + name: rook-ceph-cmd-reporter + namespace: rook-ceph +rules: +- apiGroups: + - "" + resources: + - pods + - configmaps + verbs: + - get + - list + - watch + - create + - update + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: rook-ceph-mgr + namespace: rook-ceph +rules: +- apiGroups: + - "" + resources: + - pods + - services + - pods/log + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - ceph.rook.io + resources: + - cephclients + - cephclusters + - cephblockpools + - cephfilesystems + - cephnfses + - cephobjectstores + - cephobjectstoreusers + - cephobjectrealms + - cephobjectzonegroups + - cephobjectzones + - cephbuckettopics + - cephbucketnotifications + - cephrbdmirrors + - cephfilesystemmirrors + - cephfilesystemsubvolumegroups + - cephblockpoolradosnamespaces + - cephcosidrivers + verbs: + - get + - list + - watch + - create + - update + - delete + - patch +- apiGroups: + - apps + resources: + - deployments/scale + - deployments + verbs: + - patch + - delete +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: rook-ceph-osd + namespace: rook-ceph +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - ceph.rook.io + resources: + - cephclusters + - cephclusters/finalizers + verbs: + - get + - list + - create + - update + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: rook-ceph-purge-osd + namespace: rook-ceph +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get +- apiGroups: + - apps + resources: + - deployments + verbs: + - 
get + - delete +- apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - delete +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - update + - delete + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-system + namespace: rook-ceph +rules: +- apiGroups: + - "" + resources: + - pods + - configmaps + - services + verbs: + - get + - list + - watch + - patch + - create + - update + - delete +- apiGroups: + - apps + - extensions + resources: + - daemonsets + - statefulsets + - deployments + verbs: + - get + - list + - watch + - create + - update + - delete + - deletecollection +- apiGroups: + - batch + resources: + - cronjobs + verbs: + - delete +- apiGroups: + - cert-manager.io + resources: + - certificates + - issuers + verbs: + - get + - create + - delete +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cephfs-csi-nodeplugin +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cephfs-external-provisioner-runner +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - storage.k8s.io 
+ resources: + - csinodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - update + - delete + - patch +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - list + - watch + - create + - update + - patch +- apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - list + - watch + - patch +- apiGroups: + - storage.k8s.io + resources: + - volumeattachments/status + verbs: + - patch +- apiGroups: + - "" + resources: + - persistentvolumeclaims/status + verbs: + - patch +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - get + - list + - watch + - update + - patch + - create +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotclasses + verbs: + - get + - list + - watch +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - get + - list + - watch + - patch + - update + - create +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents/status + verbs: + - update + - patch +- apiGroups: + - groupsnapshot.storage.k8s.io + resources: + - volumegroupsnapshotclasses + verbs: + - get + - list + - watch +- apiGroups: + - groupsnapshot.storage.k8s.io + resources: + - volumegroupsnapshotcontents + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - groupsnapshot.storage.k8s.io + resources: + - volumegroupsnapshotcontents/status + verbs: + - update + - patch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + 
app.kubernetes.io/component: driver-ceph + app.kubernetes.io/name: cosi-driver-ceph + app.kubernetes.io/part-of: container-object-storage-interface + name: objectstorage-provisioner-role +rules: +- apiGroups: + - objectstorage.k8s.io + resources: + - buckets + - bucketaccesses + - bucketclaims + - bucketaccessclasses + - buckets/status + - bucketaccesses/status + - bucketclaims/status + - bucketaccessclasses/status + verbs: + - get + - list + - watch + - update + - create + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +- apiGroups: + - "" + resources: + - secrets + - events + verbs: + - get + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rbd-csi-nodeplugin +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list +- apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list +- apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - list +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: rbd-external-provisioner-runner +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - update + - delete + - patch +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - 
list + - watch + - update +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - list + - watch + - create + - update + - patch +- apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - list + - watch + - patch +- apiGroups: + - storage.k8s.io + resources: + - volumeattachments/status + verbs: + - patch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - persistentvolumeclaims/status + verbs: + - patch +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - get + - list + - watch + - update + - patch + - create +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotclasses + verbs: + - get + - list + - watch +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - get + - list + - watch + - patch + - update + - create +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents/status + verbs: + - update + - patch +- apiGroups: + - groupsnapshot.storage.k8s.io + resources: + - volumegroupsnapshotclasses + verbs: + - get + - list + - watch +- apiGroups: + - groupsnapshot.storage.k8s.io + resources: + - volumegroupsnapshotcontents + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - groupsnapshot.storage.k8s.io + resources: + - volumegroupsnapshotcontents/status + verbs: + - update + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole 
+metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-cluster-mgmt +rules: +- apiGroups: + - "" + - apps + - extensions + resources: + - secrets + - pods + - pods/log + - services + - configmaps + - deployments + - daemonsets + verbs: + - get + - list + - watch + - patch + - create + - update + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-global +rules: +- apiGroups: + - "" + resources: + - pods + - nodes + - nodes/proxy + - secrets + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + - persistentvolumes + - persistentvolumeclaims + - endpoints + - services + verbs: + - get + - list + - watch + - patch + - create + - update + - delete +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch + - create + - update + - delete + - deletecollection +- apiGroups: + - ceph.rook.io + resources: + - cephclients + - cephclusters + - cephblockpools + - cephfilesystems + - cephnfses + - cephobjectstores + - cephobjectstoreusers + - cephobjectrealms + - cephobjectzonegroups + - cephobjectzones + - cephbuckettopics + - cephbucketnotifications + - cephrbdmirrors + - cephfilesystemmirrors + - cephfilesystemsubvolumegroups + - cephblockpoolradosnamespaces + - cephcosidrivers + verbs: + - get + - list + - watch + - update +- apiGroups: + - ceph.rook.io + resources: + - cephclients/status + - cephclusters/status + - cephblockpools/status + - 
cephfilesystems/status + - cephnfses/status + - cephobjectstores/status + - cephobjectstoreusers/status + - cephobjectrealms/status + - cephobjectzonegroups/status + - cephobjectzones/status + - cephbuckettopics/status + - cephbucketnotifications/status + - cephrbdmirrors/status + - cephfilesystemmirrors/status + - cephfilesystemsubvolumegroups/status + - cephblockpoolradosnamespaces/status + verbs: + - update +- apiGroups: + - ceph.rook.io + resources: + - cephclients/finalizers + - cephclusters/finalizers + - cephblockpools/finalizers + - cephfilesystems/finalizers + - cephnfses/finalizers + - cephobjectstores/finalizers + - cephobjectstoreusers/finalizers + - cephobjectrealms/finalizers + - cephobjectzonegroups/finalizers + - cephobjectzones/finalizers + - cephbuckettopics/finalizers + - cephbucketnotifications/finalizers + - cephrbdmirrors/finalizers + - cephfilesystemmirrors/finalizers + - cephfilesystemsubvolumegroups/finalizers + - cephblockpoolradosnamespaces/finalizers + verbs: + - update +- apiGroups: + - policy + - apps + - extensions + resources: + - poddisruptionbudgets + - deployments + - replicasets + verbs: + - get + - list + - watch + - create + - update + - delete + - deletecollection +- apiGroups: + - apps + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - healthchecking.openshift.io + resources: + - machinedisruptionbudgets + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - machine.openshift.io + resources: + - machines + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - storage.k8s.io + resources: + - csidrivers + verbs: + - create + - delete + - get + - update +- apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: 
rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-mgr-cluster +rules: +- apiGroups: + - "" + resources: + - configmaps + - nodes + - nodes/proxy + - persistentvolumes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list + - get + - watch +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: rook-ceph-mgr-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-object-bucket +rules: +- apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - get + - create + - update + - delete +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get +- apiGroups: + - objectbucket.io + resources: + - objectbucketclaims + verbs: + - list + - watch + - get + - update +- apiGroups: + - objectbucket.io + resources: + - objectbuckets + verbs: + - list + - watch + - get + - create + - update + - delete +- apiGroups: + - objectbucket.io + resources: + - objectbucketclaims/status + - objectbuckets/status + verbs: + - update +- apiGroups: + - objectbucket.io + resources: + - objectbucketclaims/finalizers + - objectbuckets/finalizers + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: rook-ceph-osd +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/created-by: helm + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-system +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get + - list +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create +- apiGroups: + - csiaddons.openshift.io + resources: + - networkfences + verbs: + - create + - get + - update + - delete + - watch + - list + - deletecollection +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get +- apiGroups: + - csi.ceph.io + resources: + - cephconnections + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - csi.ceph.io + resources: + - clientprofiles + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - csi.ceph.io + resources: + - operatorconfigs + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - csi.ceph.io + resources: + - drivers + verbs: + - create + - delete + - get + - list + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cephfs-csi-provisioner-role-cfg + namespace: rook-ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cephfs-external-provisioner-cfg +subjects: +- kind: ServiceAccount + name: rook-csi-cephfs-provisioner-sa + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rbd-csi-provisioner-role-cfg + namespace: rook-ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: rbd-external-provisioner-cfg +subjects: +- kind: ServiceAccount + name: rook-csi-rbd-provisioner-sa + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rook-ceph-cluster-mgmt + namespace: rook-ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 
rook-ceph-cluster-mgmt +subjects: +- kind: ServiceAccount + name: rook-ceph-system + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rook-ceph-cmd-reporter + namespace: rook-ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: rook-ceph-cmd-reporter +subjects: +- kind: ServiceAccount + name: rook-ceph-cmd-reporter + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rook-ceph-mgr + namespace: rook-ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: rook-ceph-mgr +subjects: +- kind: ServiceAccount + name: rook-ceph-mgr + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rook-ceph-mgr-system + namespace: rook-ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rook-ceph-mgr-system +subjects: +- kind: ServiceAccount + name: rook-ceph-mgr + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rook-ceph-osd + namespace: rook-ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: rook-ceph-osd +subjects: +- kind: ServiceAccount + name: rook-ceph-osd + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rook-ceph-purge-osd + namespace: rook-ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: rook-ceph-purge-osd +subjects: +- kind: ServiceAccount + name: rook-ceph-purge-osd + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-system + namespace: rook-ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 
rook-ceph-system +subjects: +- kind: ServiceAccount + name: rook-ceph-system + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cephfs-csi-nodeplugin-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cephfs-csi-nodeplugin +subjects: +- kind: ServiceAccount + name: rook-csi-cephfs-plugin-sa + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cephfs-csi-provisioner-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cephfs-external-provisioner-runner +subjects: +- kind: ServiceAccount + name: rook-csi-cephfs-provisioner-sa + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: driver-ceph + app.kubernetes.io/name: cosi-driver-ceph + app.kubernetes.io/part-of: container-object-storage-interface + name: objectstorage-provisioner-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: objectstorage-provisioner-role +subjects: +- kind: ServiceAccount + name: objectstorage-provisioner + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: rbd-csi-nodeplugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rbd-csi-nodeplugin +subjects: +- kind: ServiceAccount + name: rook-csi-rbd-plugin-sa + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: rbd-csi-provisioner-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rbd-external-provisioner-runner +subjects: +- kind: ServiceAccount + name: rook-csi-rbd-provisioner-sa + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/created-by: helm + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-global +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rook-ceph-global +subjects: +- kind: ServiceAccount + name: rook-ceph-system + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: rook-ceph-mgr-cluster +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rook-ceph-mgr-cluster +subjects: +- kind: ServiceAccount + name: rook-ceph-mgr + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: rook-ceph-object-bucket +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rook-ceph-object-bucket +subjects: +- kind: ServiceAccount + name: rook-ceph-system + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: rook-ceph-osd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rook-ceph-osd +subjects: +- kind: ServiceAccount + name: rook-ceph-osd + namespace: rook-ceph +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rook-ceph-system +subjects: +- kind: ServiceAccount + name: rook-ceph-system + namespace: rook-ceph +--- +apiVersion: v1 +data: + CSI_CEPHFS_ATTACH_REQUIRED: "true" + CSI_CEPHFS_FSGROUPPOLICY: File + CSI_CEPHFS_KERNEL_MOUNT_OPTIONS: ms_mode=prefer-crc + CSI_CEPHFS_PLUGIN_RESOURCE: | + - name : driver-registrar + resource: + requests: + memory: 128Mi + cpu: 50m + limits: + 
memory: 256Mi + - name : csi-cephfsplugin + resource: + requests: + memory: 512Mi + cpu: 250m + limits: + memory: 1Gi + - name : liveness-prometheus + resource: + requests: + memory: 128Mi + cpu: 50m + limits: + memory: 256Mi + CSI_CEPHFS_PROVISIONER_RESOURCE: | + - name : csi-provisioner + resource: + requests: + memory: 128Mi + cpu: 100m + limits: + memory: 256Mi + - name : csi-resizer + resource: + requests: + memory: 128Mi + cpu: 100m + limits: + memory: 256Mi + - name : csi-attacher + resource: + requests: + memory: 128Mi + cpu: 100m + limits: + memory: 256Mi + - name : csi-snapshotter + resource: + requests: + memory: 128Mi + cpu: 100m + limits: + memory: 256Mi + - name : csi-cephfsplugin + resource: + requests: + memory: 512Mi + cpu: 250m + limits: + memory: 1Gi + - name : liveness-prometheus + resource: + requests: + memory: 128Mi + cpu: 50m + limits: + memory: 256Mi + CSI_DISABLE_HOLDER_PODS: "true" + CSI_ENABLE_CEPHFS_SNAPSHOTTER: "true" + CSI_ENABLE_CSIADDONS: "false" + CSI_ENABLE_ENCRYPTION: "false" + CSI_ENABLE_HOST_NETWORK: "true" + CSI_ENABLE_LIVENESS: "true" + CSI_ENABLE_METADATA: "false" + CSI_ENABLE_NFS_SNAPSHOTTER: "true" + CSI_ENABLE_OMAP_GENERATOR: "false" + CSI_ENABLE_RBD_SNAPSHOTTER: "true" + CSI_ENABLE_TOPOLOGY: "false" + CSI_ENABLE_VOLUME_GROUP_SNAPSHOT: "false" + CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true" + CSI_GRPC_TIMEOUT_SECONDS: "150" + CSI_NFS_ATTACH_REQUIRED: "true" + CSI_NFS_FSGROUPPOLICY: File + CSI_NFS_PLUGIN_RESOURCE: | + - name : driver-registrar + resource: + requests: + memory: 128Mi + cpu: 50m + limits: + memory: 256Mi + - name : csi-nfsplugin + resource: + requests: + memory: 512Mi + cpu: 250m + limits: + memory: 1Gi + CSI_NFS_PROVISIONER_RESOURCE: | + - name : csi-provisioner + resource: + requests: + memory: 128Mi + cpu: 100m + limits: + memory: 256Mi + - name : csi-nfsplugin + resource: + requests: + memory: 512Mi + cpu: 250m + limits: + memory: 1Gi + - name : csi-attacher + resource: + requests: + memory: 512Mi + cpu: 250m + 
limits: + memory: 1Gi + CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false" + CSI_PLUGIN_PRIORITY_CLASSNAME: system-node-critical + CSI_PROVISIONER_PRIORITY_CLASSNAME: system-cluster-critical + CSI_PROVISIONER_REPLICAS: "2" + CSI_RBD_ATTACH_REQUIRED: "true" + CSI_RBD_FSGROUPPOLICY: File + CSI_RBD_PLUGIN_RESOURCE: | + - name : driver-registrar + resource: + requests: + memory: 128Mi + cpu: 50m + limits: + memory: 256Mi + - name : csi-rbdplugin + resource: + requests: + memory: 512Mi + cpu: 250m + limits: + memory: 1Gi + - name : liveness-prometheus + resource: + requests: + memory: 128Mi + cpu: 50m + limits: + memory: 256Mi + CSI_RBD_PROVISIONER_RESOURCE: | + - name : csi-provisioner + resource: + requests: + memory: 128Mi + cpu: 100m + limits: + memory: 256Mi + - name : csi-resizer + resource: + requests: + memory: 128Mi + cpu: 100m + limits: + memory: 256Mi + - name : csi-attacher + resource: + requests: + memory: 128Mi + cpu: 100m + limits: + memory: 256Mi + - name : csi-snapshotter + resource: + requests: + memory: 128Mi + cpu: 100m + limits: + memory: 256Mi + - name : csi-rbdplugin + resource: + requests: + memory: 512Mi + limits: + memory: 1Gi + - name : csi-omap-generator + resource: + requests: + memory: 512Mi + cpu: 250m + limits: + memory: 1Gi + - name : liveness-prometheus + resource: + requests: + memory: 128Mi + cpu: 50m + limits: + memory: 256Mi + ROOK_CEPH_ALLOW_LOOP_DEVICES: "false" + ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15" + ROOK_CSI_ATTACHER_IMAGE: registry.k8s.io/sig-storage/csi-attacher:v4.6.1 + ROOK_CSI_CEPH_IMAGE: quay.io/cephcsi/cephcsi:v3.12.3 + ROOK_CSI_DISABLE_DRIVER: "false" + ROOK_CSI_ENABLE_CEPHFS: "true" + ROOK_CSI_ENABLE_NFS: "false" + ROOK_CSI_ENABLE_RBD: "true" + ROOK_CSI_IMAGE_PULL_POLICY: IfNotPresent + ROOK_CSI_PROVISIONER_IMAGE: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 + ROOK_CSI_REGISTRAR_IMAGE: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1 + ROOK_CSI_RESIZER_IMAGE: 
registry.k8s.io/sig-storage/csi-resizer:v1.11.1 + ROOK_CSI_SNAPSHOTTER_IMAGE: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 + ROOK_CSIADDONS_IMAGE: quay.io/csiaddons/k8s-sidecar:v0.9.1 + ROOK_ENABLE_DISCOVERY_DAEMON: "true" + ROOK_LOG_LEVEL: INFO + ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true" +kind: ConfigMap +metadata: + name: rook-ceph-operator-config + namespace: rook-ceph +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/created-by: helm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + operator: rook + storage-backend: ceph + name: rook-ceph-operator + namespace: rook-ceph +spec: + replicas: 1 + selector: + matchLabels: + app: rook-ceph-operator + strategy: + type: Recreate + template: + metadata: + labels: + app: rook-ceph-operator + helm.sh/chart: rook-ceph-v1.15.7 + spec: + containers: + - args: + - ceph + - operator + env: + - name: ROOK_CURRENT_NAMESPACE_ONLY + value: "false" + - name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED + value: "false" + - name: ROOK_DISABLE_DEVICE_HOTPLUG + value: "false" + - name: ROOK_DISCOVER_DEVICES_INTERVAL + value: 60m + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: docker.io/rook/ceph:v1.15.7 + imagePullPolicy: IfNotPresent + name: rook-ceph-operator + resources: + requests: + cpu: 200m + memory: 128Mi + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 2016 + runAsNonRoot: true + runAsUser: 2016 + volumeMounts: + - mountPath: /var/lib/rook + name: rook-config + - mountPath: /etc/ceph + name: default-config-dir + serviceAccountName: rook-ceph-system + tolerations: + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 5 + volumes: + - emptyDir: {} + name: rook-config + - emptyDir: {} + 
name: default-config-dir diff --git a/deploy/components/sabnzbd/sabnzbd.gen.yaml b/deploy/components/sabnzbd/sabnzbd.gen.yaml index e7e8f276..1eeaec2d 100644 --- a/deploy/components/sabnzbd/sabnzbd.gen.yaml +++ b/deploy/components/sabnzbd/sabnzbd.gen.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - metallb.universe.tf/loadBalancerIPs: 192.168.2.10 + lbipam.cilium.io/ips: 192.168.2.10 labels: app.kubernetes.io/instance: sabnzbd app.kubernetes.io/managed-by: Helm @@ -27,12 +27,7 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - labels: - app.kubernetes.io/instance: sabnzbd - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: sabnzbd - helm.sh/chart: app-template-3.5.1 - name: sabnzbd-config + name: sabnzbd namespace: default spec: accessModes: @@ -40,6 +35,7 @@ spec: resources: requests: storage: 1Gi + storageClassName: ceph-block --- apiVersion: apps/v1 kind: Deployment @@ -101,6 +97,7 @@ spec: name: config - mountPath: /downloads name: downloads + subPath: downloads dnsPolicy: ClusterFirst enableServiceLinks: false hostIPC: false @@ -110,11 +107,10 @@ spec: volumes: - name: config persistentVolumeClaim: - claimName: sabnzbd-config - - hostPath: - path: /media/downloads - type: Directory - name: downloads + claimName: sabnzbd + - name: downloads + persistentVolumeClaim: + claimName: media --- apiVersion: networking.k8s.io/v1 kind: Ingress diff --git a/deploy/components/samba/samba.gen.yaml b/deploy/components/samba/samba.gen.yaml index a66a1675..01f79acc 100644 --- a/deploy/components/samba/samba.gen.yaml +++ b/deploy/components/samba/samba.gen.yaml @@ -89,10 +89,11 @@ spec: volumeMounts: - mountPath: /config name: config - - mountPath: /downloads - name: downloads - mountPath: /media name: media + - mountPath: /downloads + name: media + subPath: downloads - mountPath: /temp name: temp dnsPolicy: ClusterFirstWithHostNet 
@@ -106,15 +107,8 @@ spec: - configMap: name: samba-config name: config - - hostPath: - path: /media/downloads - type: Directory - name: downloads - - hostPath: - path: /media - type: Directory - name: media - - hostPath: - path: /tmp - type: Directory + - name: media + persistentVolumeClaim: + claimName: media + - emptyDir: {} name: temp diff --git a/deploy/components/sonarr/sonarr.gen.yaml b/deploy/components/sonarr/sonarr.gen.yaml index e8feed48..7c1ab277 100644 --- a/deploy/components/sonarr/sonarr.gen.yaml +++ b/deploy/components/sonarr/sonarr.gen.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - metallb.universe.tf/loadBalancerIPs: 192.168.2.4 + lbipam.cilium.io/ips: 192.168.2.4 labels: app.kubernetes.io/instance: sonarr app.kubernetes.io/managed-by: Helm @@ -27,12 +27,7 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - labels: - app.kubernetes.io/instance: sonarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: sonarr - helm.sh/chart: app-template-3.5.1 - name: sonarr-config + name: sonarr-cache namespace: default spec: accessModes: @@ -40,6 +35,20 @@ spec: resources: requests: storage: 1Gi + storageClassName: ceph-block +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: sonarr-data + namespace: default +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: ceph-block --- apiVersion: apps/v1 kind: Deployment @@ -95,12 +104,15 @@ spec: timeoutSeconds: 10 name: main volumeMounts: + - mountPath: /config/MediaCover + name: cache - mountPath: /config name: config - - mountPath: /downloads - name: downloads - mountPath: /media name: media + - mountPath: /downloads + name: media + subPath: downloads dnsPolicy: ClusterFirst enableServiceLinks: false hostIPC: false 
@@ -108,16 +120,15 @@ spec: hostPID: false serviceAccountName: default volumes: + - name: cache + persistentVolumeClaim: + claimName: sonarr-cache - name: config persistentVolumeClaim: - claimName: sonarr-config - - hostPath: - path: /media/downloads - name: downloads - - hostPath: - path: /media - type: Directory - name: media + claimName: sonarr-data + - name: media + persistentVolumeClaim: + claimName: media --- apiVersion: networking.k8s.io/v1 kind: Ingress diff --git a/deploy/components/stirlingpdf/stirlingpdf.gen.yaml b/deploy/components/stirlingpdf/stirlingpdf.gen.yaml index bcd49abc..4ac6996c 100644 --- a/deploy/components/stirlingpdf/stirlingpdf.gen.yaml +++ b/deploy/components/stirlingpdf/stirlingpdf.gen.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - metallb.universe.tf/loadBalancerIPs: 192.168.2.14 + lbipam.cilium.io/ips: 192.168.2.14 labels: app.kubernetes.io/instance: stirlingpdf app.kubernetes.io/managed-by: Helm diff --git a/deploy/components/unifi/unifi.gen.yaml b/deploy/components/unifi/unifi.gen.yaml index 8de0ff06..43103a3c 100644 --- a/deploy/components/unifi/unifi.gen.yaml +++ b/deploy/components/unifi/unifi.gen.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - metallb.universe.tf/loadBalancerIPs: 192.168.2.2 + lbipam.cilium.io/ips: 192.168.2.2 labels: app.kubernetes.io/instance: unifi app.kubernetes.io/managed-by: Helm @@ -47,11 +47,6 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - labels: - app.kubernetes.io/instance: unifi - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: unifi - helm.sh/chart: app-template-3.5.1 name: unifi-data namespace: default spec: @@ -60,6 +55,7 @@ spec: resources: requests: storage: 1Gi + storageClassName: ceph-block --- apiVersion: apps/v1 kind: Deployment 
diff --git a/deploy/gitops/metallb.kustomization.gen.yaml b/deploy/gitops/cilium.kustomization.gen.yaml similarity index 83% rename from deploy/gitops/metallb.kustomization.gen.yaml rename to deploy/gitops/cilium.kustomization.gen.yaml index 79dd577a..b6e18db6 100644 --- a/deploy/gitops/metallb.kustomization.gen.yaml +++ b/deploy/gitops/cilium.kustomization.gen.yaml @@ -1,11 +1,11 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: metallb + name: cilium namespace: flux-system spec: interval: 10m - path: components/metallb + path: components/cilium prune: true sourceRef: kind: OCIRepository diff --git a/deploy/gitops/coredns.kustomization.gen.yaml b/deploy/gitops/coredns.kustomization.gen.yaml new file mode 100644 index 00000000..a0e79018 --- /dev/null +++ b/deploy/gitops/coredns.kustomization.gen.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: coredns + namespace: flux-system +spec: + interval: 10m + path: components/coredns + prune: true + sourceRef: + kind: OCIRepository + name: default + targetNamespace: kube-system diff --git a/deploy/gitops/media.kustomization.gen.yaml b/deploy/gitops/media.kustomization.gen.yaml new file mode 100644 index 00000000..685e631b --- /dev/null +++ b/deploy/gitops/media.kustomization.gen.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: media + namespace: flux-system +spec: + interval: 10m + path: components/media + prune: true + sourceRef: + kind: OCIRepository + name: default + targetNamespace: default diff --git a/deploy/gitops/metrics-server.kustomization.gen.yaml b/deploy/gitops/metrics-server.kustomization.gen.yaml new file mode 100644 index 00000000..75492045 --- /dev/null +++ b/deploy/gitops/metrics-server.kustomization.gen.yaml 
@@ -0,0 +1,13 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: metrics-server + namespace: flux-system +spec: + interval: 10m + path: components/metrics-server + prune: true + sourceRef: + kind: OCIRepository + name: default + targetNamespace: kube-system diff --git a/deploy/gitops/rook-ceph-cluster.kustomization.gen.yaml b/deploy/gitops/rook-ceph-cluster.kustomization.gen.yaml new file mode 100644 index 00000000..92344d71 --- /dev/null +++ b/deploy/gitops/rook-ceph-cluster.kustomization.gen.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: rook-ceph-cluster + namespace: flux-system +spec: + interval: 10m + path: components/rook-ceph-cluster + prune: true + sourceRef: + kind: OCIRepository + name: default + targetNamespace: rook-ceph diff --git a/deploy/gitops/rook-ceph-operator.kustomization.gen.yaml b/deploy/gitops/rook-ceph-operator.kustomization.gen.yaml new file mode 100644 index 00000000..add53243 --- /dev/null +++ b/deploy/gitops/rook-ceph-operator.kustomization.gen.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: rook-ceph-operator + namespace: flux-system +spec: + interval: 10m + path: components/rook-ceph-operator + prune: true + sourceRef: + kind: OCIRepository + name: default + targetNamespace: rook-ceph diff --git a/platform/cilium.cue b/platform/cilium.cue new file mode 100644 index 00000000..108febaf --- /dev/null +++ b/platform/cilium.cue @@ -0,0 +1,8 @@ +package holos + +Platform: Components: { + cilium: { + name: "cilium" + path: "components/cilium" + } +} diff --git a/platform/coredns.cue b/platform/coredns.cue new file mode 100644 index 00000000..caae3e65 --- /dev/null +++ b/platform/coredns.cue @@ -0,0 +1,8 @@ +package holos + +Platform: Components: { + coredns: { + name: "coredns" + path: "components/coredns" + } +} 
diff --git a/platform/media-pvc.cue b/platform/media-pvc.cue
new file mode 100644
index 00000000..4576607d
--- /dev/null
+++ b/platform/media-pvc.cue
@@ -0,0 +1,8 @@
+package holos
+
+Platform: Components: {
+ media: {
+ name: "media"
+ path: "components/media-pvc"
+ }
+}
diff --git a/platform/metallb.cue b/platform/metallb.cue
deleted file mode 100644
index b1f54fc1..00000000
--- a/platform/metallb.cue
+++ /dev/null
@@ -1,8 +0,0 @@
-package holos
-
-Platform: Components: {
- metallb: {
- name: "metallb"
- path: "components/metallb"
- }
-}
diff --git a/platform/metrics-server.cue b/platform/metrics-server.cue
new file mode 100644
index 00000000..81845cd2
--- /dev/null
+++ b/platform/metrics-server.cue
@@ -0,0 +1,8 @@
+package holos
+
+Platform: Components: {
+ "metrics-server": {
+ name: "metrics-server"
+ path: "components/metrics-server"
+ }
+}
diff --git a/platform/rook-ceph.cue b/platform/rook-ceph.cue
new file mode 100644
index 00000000..7772ace0
--- /dev/null
+++ b/platform/rook-ceph.cue
@@ -0,0 +1,12 @@
+package holos
+
+Platform: Components: {
+ "rook-ceph-operator": {
+ name: "rook-ceph-operator"
+ path: "components/rook-ceph-operator"
+ }
+ "rook-ceph-cluster": {
+ name: "rook-ceph-cluster"
+ path: "components/rook-ceph-cluster"
+ }
+}
diff --git a/resources-extra.cue b/resources-extra.cue
index 8cf1f1f2..16bc15de 100644
--- a/resources-extra.cue
+++ b/resources-extra.cue
@@ -1,6 +1,7 @@
 package holos
 
 import (
+ corev1 "k8s.io/api/core/v1"
 bgpadv "metallb.io/bgpadvertisement/v1beta1"
 bgppeer "metallb.io/bgppeer/v1beta2"
 css "external-secrets.io/clustersecretstore/v1beta1"
@@ -11,11 +12,12 @@ import (
 )
 
 #Resources: {
- BGPAdvertisement?: [_]: bgpadv.#BGPAdvertisement
- BGPPeer?: [_]: bgppeer.#BGPPeer
- ClusterSecretStore?: [_]: css.#ClusterSecretStore
- DNSEndpoint?: [_]: ed.#DNSEndpoint
- IPAddressPool?: [_]: ipaddresspool.#IPAddressPool
- Kustomization?: [_]: ks.#Kustomization
- OCIRepository?: [_]: ocirepository.#OCIRepository
+ BGPAdvertisement?: [_]: bgpadv.#BGPAdvertisement
+ BGPPeer?: [_]: bgppeer.#BGPPeer
+ ClusterSecretStore?: [_]: css.#ClusterSecretStore
+ DNSEndpoint?: [_]: ed.#DNSEndpoint
+ IPAddressPool?: [_]: ipaddresspool.#IPAddressPool
+ Kustomization?: [_]: ks.#Kustomization
+ OCIRepository?: [_]: ocirepository.#OCIRepository
+ PersistentVolumeClaim?: [_]: corev1.#PersistentVolumeClaim
 }
diff --git a/talos/clusterconfig/.gitignore b/talos/clusterconfig/.gitignore
new file mode 100644
index 00000000..3be75ef4
--- /dev/null
+++ b/talos/clusterconfig/.gitignore
@@ -0,0 +1,2 @@
+k8s-controller.yaml
+talosconfig
diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml
new file mode 100644
index 00000000..6c19ab4f
--- /dev/null
+++ b/talos/talconfig.yaml
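Review bot: `#Resources` keeps `BGPAdvertisement`, `BGPPeer` and `IPAddressPool` (and the file keeps the `bgpadv`, `bgppeer` and `ipaddresspool` imports) although this same commit deletes `platform/metallb.cue` and renames the metallb Kustomization to cilium, so these MetalLB CRD types are now advertised by the schema but nothing in the platform installs their CRDs; any remaining definition of them would fail to apply once the old component is pruned. Dropping the three entries and their imports here would keep `#Resources` aligned with what the cluster actually runs. Separately, the hunk re-indents seven unchanged lines only to accommodate the new `PersistentVolumeClaim` entry; that whitespace-only churn would read more clearly as its own formatting commit.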
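Review bot: The ignore list pins the exact file name `k8s-controller.yaml`, which only matches the node config derived from the current `clusterName: k8s` / `hostname: controller` pair; adding a node with another hostname, or renaming the cluster, would write a new plaintext machine config — carrying the PKI and bootstrap material held in `talsecret.sops.yaml` — that is not ignored (I am assuming talhelper's `<cluster>-<hostname>.yaml` naming; confirm for the version in use). Making the directory ignore-by-default, e.g. `*.yaml` alongside `talosconfig`, closes that gap without depending on the node list.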
@@ -0,0 +1,171 @@
+clusterName: k8s
+endpoint: https://k8s.lan:6443
+
+# renovate: depName=ghcr.io/siderolabs/installer datasource=docker
+talosVersion: v1.9.0
+# renovate: depName=ghcr.io/siderolabs/kubelet datasource=docker
+kubernetesVersion: v1.32.0
+
+additionalApiServerCertSans: &sans
+ - k8s.lan
+ - &talosControlplaneVip 192.168.1.50
+ - 127.0.0.1 # Kubeprism
+additionalMachineCertSans: *sans
+
+cniConfig:
+ name: none
+
+nodes:
+ - hostname: controller
+ ipAddress: 192.168.1.51, 192.168.1.52, 192.168.1.53
+ controlPlane: true
+ ignoreHostname: true
+ networkInterfaces:
+ - interface: eno1
+ dhcp: true
+ vip:
+ ip: *talosControlplaneVip
+ installDiskSelector:
+ model: "CT500P3PSSD8"
+
+controlPlane:
+ schematic:
+ customization:
+ extraKernelArgs:
+ - apparmor=0
+ - init_on_alloc=0
+ - init_on_free=0
+ - mitigations=off
+ - security=none
+ - net.ifnames=1
+ systemExtensions:
+ officialExtensions:
+ - siderolabs/amd-ucode
+ - siderolabs/amdgpu
+
+ patches:
+ # Configure containerd
+ - |-
+ machine:
+ files:
+ - op: create
+ path: /etc/cri/conf.d/20-customization.part
+ content: |
+ [plugins]
+ [plugins."io.containerd.grpc.v1.cri"]
+ enable_unprivileged_ports = true
+ enable_unprivileged_icmp = true
+ [plugins."io.containerd.grpc.v1.cri".containerd]
+ discard_unpacked_layers = false
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+ discard_unpacked_layers = false
+
+ # Disable search domain everywhere
+ - |-
+ machine:
+ network:
+ disableSearchDomain: true
+
+ # Enable cluster discovery
+ - |-
+ cluster:
+ discovery:
+ enabled: true
+ registries:
+ kubernetes:
+ disabled: false
+ service:
+ disabled: true
+
+ # Disable Host DNS
+ - |-
+ machine:
+ features:
+ hostDNS:
+ enabled: true
+ resolveMemberNames: true
+ forwardKubeDNSToHost: false
+
+ # Configure kubelet
+ - |-
+ machine:
+ kubelet:
+ extraConfig:
+ maxPods: 150
+ nodeIP:
+ validSubnets:
+ - 192.168.1.0/24
+
+ # Tuning
+ - |-
+ machine:
+ sysctls:
+ fs.inotify.max_user_watches: 1048576
+ fs.inotify.max_user_instances: 8192
+ net.core.default_qdisc: fq
+ net.core.rmem_max: 67108864
+ net.core.wmem_max: 67108864
+ net.ipv4.tcp_congestion_control: bbr
+ net.ipv4.tcp_mtu_probing: 1
+ net.ipv4.tcp_ecn: 0
+ net.ipv4.tcp_fastopen: 3
+ net.ipv4.tcp_rmem: 4096 87380 33554432
+ net.ipv4.tcp_wmem: 4096 65536 33554432
+ net.ipv4.tcp_window_scaling: 1
+ # vm.nr_hugepages: 1024
+
+ # Enable KubePrism
+ - |-
+ machine:
+ features:
+ kubePrism:
+ enabled: true
+ port: 7445
+
+ # Configure cluster
+ - |-
+ cluster:
+ allowSchedulingOnMasters: true
+ coreDNS:
+ disabled: true
+ proxy:
+ disabled: true
+ scheduler:
+ config:
+ apiVersion: kubescheduler.config.k8s.io/v1
+ kind: KubeSchedulerConfiguration
+ profiles:
+ - schedulerName: default-scheduler
+ pluginConfig:
+ - name: PodTopologySpread
+ args:
+ defaultingType: List
+ defaultConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: ScheduleAnyway
+
+ # Configure static host entries
+ - |-
+ machine:
+ network:
+ extraHostEntries:
+ - ip: 192.168.1.50
+ aliases:
+ - k8s.lan
+
+ # Disable default API server admission plugins.
+ - |-
+ - op: remove
+ path: /cluster/apiServer/admissionControl
+
+ # Enable K8s Talos API Access
+ - |-
+ machine:
+ features:
+ kubernetesTalosAPIAccess:
+ enabled: true
+ allowedRoles:
+ - os:admin
+ allowedKubernetesNamespaces:
+ - system-upgrade
diff --git a/talos/talsecret.sops.yaml b/talos/talsecret.sops.yaml
new file mode 100644
index 00000000..90d82f13
--- /dev/null
+++ b/talos/talsecret.sops.yaml
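Review bot: The `op: remove` on `/cluster/apiServer/admissionControl` (the "Disable default API server admission plugins" patch near the end of the hunk) strips the PodSecurity admission configuration that Talos ships in its default machine config, so no Pod Security Standards level is enforced, audited or warned on in any namespace — not only in the ones that need privileged workloads such as rook-ceph. If the intent is to let the storage pods run, keep the plugin and add those namespaces to its exemptions instead; the entry below is a constructed replacement for that patch, and the admission `apiVersion` should be checked against the Talos v1.9.0 default before use. Separately, the comment `# Disable Host DNS` contradicts the patch beneath it, which sets `hostDNS: enabled: true` and only turns off `forwardKubeDNSToHost`; `# Enable host DNS, but do not forward kube-dns queries to it` describes what the patch does. The kernel arguments `apparmor=0`, `security=none`, `mitigations=off`, `init_on_alloc=0` and `init_on_free=0` disable the LSM and the CPU side-channel mitigations on every node, so a one-line comment recording that this is a deliberate performance trade-off would keep a future reader from treating them as an oversight. Finally, `allowedRoles: [os:admin]` for `system-upgrade` hands full Talos API rights to any pod admitted into that namespace, which is one more reason to keep admission control and tight RBAC there rather than none.
```yaml
  # Keep PodSecurity admission; exempt only the namespaces that run privileged pods.
  - |-
    cluster:
      apiServer:
        admissionControl:
          - name: PodSecurity
            configuration:
              apiVersion: pod-security.admission.config.k8s.io/v1
              kind: PodSecurityConfiguration
              defaults:
                enforce: baseline
                audit: restricted
                warn: restricted
              exemptions:
                namespaces:
                  - kube-system
                  - rook-ceph
```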
@@ -0,0 +1,43 @@ +cluster: + id: ENC[AES256_GCM,data:VnC7jh2vNj2S+zQiMhLfo6RC3I+wW8rY9rCh5UzIPrGePfV5SoluR0dBTUY=,iv:/UZy4nh4xLzn08aPJ9cOYfH1PI+pI+d5U5rIU8y2OpY=,tag:SqH/++CdL7MfF96LmjdHzw==,type:str] + secret: ENC[AES256_GCM,data:TJlGom8hKEqqasxVSP2CVpre1Zn7ifNwn4/9qx/QK/YnS+Xq1mLamZ+21wc=,iv:CldIAuoiYMIhsPiAjuWT0el93KIjGlQCo3QrBJc9+5Q=,tag:LuZz1GRctnQAgDO7Cf0EPw==,type:str] +secrets: + bootstraptoken: ENC[AES256_GCM,data:3EpLW2NthFTtCO8uUKxBKz1UMwH2Tv0=,iv:MyVbTbsyKjuzer+GYt/wH3/KGYbL0eninpHljsGm2uU=,tag:XGYsxN4gMkjpPcdYpVDF9A==,type:str] + secretboxencryptionsecret: ENC[AES256_GCM,data:LKs9oEMBBfQ/ExZakMM+v8d+zh+7qbP8jCcCSE075ukx4SPb04FBpNF0xsw=,iv:4lsn4740onH0rQgAOksVeSZHH0SPTntoXDXlc0lEML4=,tag:W3/UM3JxAef0jcNZQB2Kgg==,type:str] +trustdinfo: + token: ENC[AES256_GCM,data:RNpahcU+E6SLJ2klKl2d2IK7GiAZsS8=,iv:83l5QLHQmakcn5kK3vdozghYEmNdH4LRF4AgDUvKbBw=,tag:s/ynUAbr8jn5vf343ZZ7Ag==,type:str] +certs: + etcd: + crt: ENC[AES256_GCM,data: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,iv:AtMLWvlID/A69fysN+nd6wOeUE9gM+GpHgb+5lQBaG4=,tag:XjuSgs1/tVxJQ3jeFLH2Kg==,type:str] + key: ENC[AES256_GCM,data:wt6j+s7hT2/W9Fu/PR81+8J+xKlxoUvd8sCeku8YI7v6nvkNyrqrCgXedgFNEUc2gZzTSmePZZRKm4uz4Ftc6l+uhzvn3CRRfImG3l3pBymgI0w95sD6TqGHZopERLeuMsWR1p91/rzFwafGAgyBH7HCtveikvIAZ5Mfr9XFr5bHiaU8oUVbb4uLfLPJlMDd+P1ATykQV6pgeZOIqeDrpSkmMBMf0awBgPjMHerZ+p2MFVGDhPQbAXcBGIp6XOy0L+Ltbn/UjA79149USF9P7P5bkZSO0Qr5IC/nirpxxNjfTG4GhdzBGf5n39R8HJTbB+8vbdUQxVqPQQNEHD3AGpnaVJruImMVVCINfVCZDv8jzUYngpj9k/OpK9OyJIRYobJ4oyp+5X15KxfS29Bizw==,iv:6BpYTKR4afE8Ca66aijx4y2nBOnry0WFcGCwF/SsOc0=,tag:mD+2Ht/0LThmmlA4VhaUvw==,type:str] + k8s: + crt: 
ENC[AES256_GCM,data:Jf9Sp37RlFKj12avbwBTNF/XvLFrvjBYg6YfyOJJfQRDz3QxiRoqvPDT7AGT9cslpTy6P1rsCTu+MUddqRzef6foY3FLd1AhTyb8IyFJr1Dnw3I0EsgpskG1yQfCbKtZLRjhe5sjPXPPW7RPKHfbjGs07+qxhH50qOhAP/LS4EHKlx7Y08pgbWolrSYjRuXxU5lAxtwdorNyNlJVb15xI5A38DDeqedhL+XL/gkeQsBM3JQVeePeP3pOE/ajbaoYs8cZ7E7SKHdTS/YZGbA3VkvkibPrZL4ttFXYnemjKuB6J0GoZGRYzyZirNviIlYwgGvfU55Kfh5pYzW/q+YHHI4PiIQnD5pM5bGArqu9YsHkIg59x8ZMJzeWmMQDcLcr1vvm0ETe52aqS7JZozj/LS7YLEYXvOHxpZcYF+l0r5kjmpFEXGQuxw4oYL/zi/NlcOyc69/QZ3h5xOyjPCpA0QIAD/meJIWsgB8JmHu3qjA7N5QN8XveL8rcvaF+5E3scx1gUDqo6g/J7FcKezAk87RV3zVVnPNCciUqgkqtrRG3SJzpmU5DjPcm5hy0f8Ddk5oEE+KIWWKlrM0xIWheYpjyV00OLch9mpoShlqF4Ok/VImz8bs3RkZvhyDwvDd+coA6ST+gVeSwxUIcN7RHmfa0/uO5MK7Qfz93sTDB6p3WNQt1XXY6LCZHiFDlxuNB06Cp0jVTbsySPbK1lb9KOOgrBxnugIlFD+MKXCtR+HAesAd/Wh1hKaQoQlrUGdFwN5YdKERE3jcfQZTPmVsAxHhMydxFtiuPzv9pFNcJujDzJ3jANTJrfnNoEb0qbJYXnHiJmSMD0TPNWtWz0rZmaQ+zIEovhTDvhmNIcWtIQtCjW4fzefsSLXEDDVwoIpMBI1fa7LYUk7RnvQsquNE6bMuM+iizjWb2oriAdURpoukRChZiNqD6WPOxn+S7E0LMT9TbJcReAuQMi6aTImAmiUC3H0tXx5TTcDZj2+cxo3Cpb+DwFCGOuaCOxuiRhBdaBkmjDUGzy/Nhx4ZKjaRYiI1YkQqZcsTTAy9Xkw==,iv:t9GD6nyzVYnvogzXTWAFpLGEY3wwsZD9tGLotEDTc7Q=,tag:UnzmscPqy3SkBVV8fONK4A==,type:str] + key: ENC[AES256_GCM,data:lW3p5c0M4gjvkDsqLEQ3OmGMpD9AVC4aKRP6mutb4vw8wveaSk0VlPbLl/6jGS+L7DcNwCNrkRGO7tS5EVncB1d1v+OzCD688DwoecWi4jxcRboi63ensOS4q+O/gmxIDWLPkbKa0x0TPIc/phfFqINU1uuVrSQfz948nxYPr8PBgb0r1p+ImtMj2bc/DTIkwnGjZ+ezQUUBPdhV9f/LNYO5Aw6OnRRXpuKhdqNQ7ZuV/t6ZHWUOROGL14Frk5Uw3RjFmvGNBSe66Bm7rRDDKx4C6pNPRKOrmlkCBe3Drn+jUz0klBmJKj0kMvuYn+poN0ziZxwTMBiu7ZmL7ld2LKpCM5BAo6rkDrMaH6ub49BlcRBsrluGEiouF9Jjy30uZp3rbbo0ukU6BuB7j/vVjw==,iv:f7ggI0zDqHjlShsmvt4pyCVPx8YYVBZEzb/zICo0w74=,tag:gGCc81HyWicwQooK/CBh9A==,type:str] + k8saggregator: + crt: ENC[AES256_GCM,data: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,iv:ZEDuV6pD++0xZvGKBDHRcuAbVUPhzoZeEA8g3h+dkQw=,tag:nDLh6AfLR4e9N+QQZ3htJQ==,type:str] + key: 
ENC[AES256_GCM,data:/MDAOVGw+5dPHGw9t9XcHpBEI0zzZejNfR4er44dnTImxnL6sSoUzO9nekCJEhhE9ECpNNzgNjL8pkzJ2I7EIyWvVAxfT1UGk1DhKY16w7SGddwlO2r55gEb62zJM9qMZ90aJkMvpm1gnrXap8K+6dyEETyvVSbbGmoJoMlt+H5fU0SRgu7Tz3Ij5kYZaiPAZSf0+B9AiVRycp3j3vjqSdZnnf0qO/wrEoN+6Xx44AV06r5HeVY4HtClnY2vQlL8yex9ZmDT4SZSuXZWrmaLgwdrJ/x2PtE10/ikVjD+/Ud4GQ0Xuushy15gb7NeM27lqBLK34IjsrRxiDnBsJ6yHOLqZrB9Dq4FS34eaj0c1IkGtEQfzkqCAE1OPP33cNNwbuRDmBKTKDj73Jor6L+H1Q==,iv:4Dckd6OdIsq9Fql1Xj66j5eFOV6Zsde1cb5cbaWsN44=,tag:1DI9GrDv57CpqoMLOWwLvw==,type:str] + k8sserviceaccount: + key: ENC[AES256_GCM,data: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,iv:okkzvYPUgRzfSBThRujTmvilij3G9PKtYHBRshNades=,tag:z+9n7BLJaxQZ7adqXNydAg==,type:str] + os: + crt: ENC[AES256_GCM,data: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,iv:sodrOpHOuhz2gBMpuD/mc97BwODeQg6prgUGfTuRjMo=,tag:ALxwuxkva4MLn2y2sxSRNA==,type:str] + key: ENC[AES256_GCM,data:mUd3xPkd0oN7ntPw95n4SBsXnXqTeh30191SYMb3CvGJTB0buRJZLw+JW58tPJB/CaxyfCCEcVAta4cpM/vVG7ctcGVOzsVVyuY1afWocr3FnuShbRZFNMUzVKTxrQTasnOIVd/SUVYPx3EtYID2iML72zdMYRvb1sp/bT1+u2kfKt1PAwT+ioO6ifJ6x1KYjD7NSNvDjSfXxCFJrCrmpuBjT4zWH1Nlu5owet0MjC90pJ2P,iv:2bHmuddn0hp1UYq5sSopEq1aA2/1SeAjoZCiMvZESl0=,tag:rgQcvKmpHXZpfg3tkuDahA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kky7jzc2x626xp4sfvpz7acytczqgdn7h2jxjqkjxzfd4kndcdxs8zr6ka + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXVlBGdlovVmxHWEdqYVBC + TVRUM1l4WUZRbDdxV2hNQWNQNi9uYkUwSW53CnZvcTQ1QVc4UTl3MFNrT0RxREgr + cU5OcW1YdWdDT1pZQlppUzJpZndZNDQKLS0tIEM3UzlOODJLMk9HaXNnM0EzWm5a + VUEzd3RsMjBoaXVoNW41YkV0NW00N0EKQp/ZTzDzYndl8Gd+wB9o1DKeS6ze4KlE + 8jissOpvKaZqPvSwC86gziheOKVmsxDCNkJn6IUzyfP9BHdML+PjQg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-18T22:58:11Z" + mac: 
ENC[AES256_GCM,data:9WvJK+Q5ADoSu371+qx3GiQzHzwatljnZl6L6qBl2JbItOakfWu8Et1GuXxfBb+6Z68jCzFOzdGohiZBVxv6C92H7vyeZDtsQ7iL2knNHeT0mFgJ3ySOVN0LJgwUF7+Yck4OeYma25DvZH5k54l8x6xFqeIXgKdtO3cFlY7s9YU=,iv:r8Ij9l+GAu+Xw2BeVmCIbYrI9hodlkm7ie4lNDgLh40=,tag:sQzJduhwHrLqMoY0QWz6jQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2
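Review bot: The file is encrypted to a single age recipient (one entry under `sops.age`) while it carries the cluster's root key material — `certs.etcd.key`, `certs.k8s.key`, `certs.os.key`, the bootstrap token and `secretboxencryptionsecret` — so losing or rotating that one identity leaves no way to decrypt it or to rebuild the cluster PKI. Adding an offline backup recipient and re-wrapping with `sops updatekeys talos/talsecret.sops.yaml` is cheap insurance, and a short comment in the repository's SOPS config noting where that identity is kept would make the recovery path discoverable.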