diff --git a/website/docs/references/cli-reference/gitops.md b/website/docs/references/cli-reference/gitops.md index 10ffe3c5d5..b1cd5c991e 100644 --- a/website/docs/references/cli-reference/gitops.md +++ b/website/docs/references/cli-reference/gitops.md 
@@ -24,17 +24,19 @@ Command line utility for managing Kubernetes applications via GitOps. ### Options ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - -h, --help help for gitops - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + -h, --help help for gitops + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops add](gitops_add.md) - Add a new Weave GitOps resource +* [gitops beta](gitops_beta.md) - This component contains unstable or still-in-development functionality * [gitops check](gitops_check.md) - Validates flux compatibility * [gitops completion](gitops_completion.md) - Generate the autocompletion script for the specified shell * [gitops delete](gitops_delete.md) - Delete one or many Weave GitOps resources 
@@ -43,4 +45,4 @@ Command line utility for managing Kubernetes applications via GitOps. * [gitops upgrade](gitops_upgrade.md) - Upgrade to Weave GitOps Enterprise * [gitops version](gitops_version.md) - Display gitops version -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_add.md b/website/docs/references/cli-reference/gitops_add.md index a6349bf7b4..5d76689faf 100644 --- a/website/docs/references/cli-reference/gitops_add.md +++ b/website/docs/references/cli-reference/gitops_add.md 
@@ -19,11 +19,12 @@ gitops add cluster ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO @@ -33,4 +34,4 @@ gitops add cluster * [gitops add profile](gitops_add_profile.md) - Add a profile to a cluster * [gitops add terraform](gitops_add_terraform.md) - Add a new Terraform resource using a TF template -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_add_cluster.md b/website/docs/references/cli-reference/gitops_add_cluster.md index c796ef4cbc..3abc7a3fba 100644 
--- a/website/docs/references/cli-reference/gitops_add_cluster.md +++ b/website/docs/references/cli-reference/gitops_add_cluster.md @@ -13,7 +13,7 @@ gitops add cluster [flags] # Add a new cluster using a CAPI template gitops add cluster --from-template --set key=val -# View a CAPI template populated with parameter values +# View a CAPI template populated with parameter values # without creating a pull request for it gitops add cluster --from-template --set key=val --dry-run 
@@ -43,15 +43,16 @@ gitops add cluster --from-template \ ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops add](gitops_add.md) - Add a new Weave GitOps resource -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_add_profile.md b/website/docs/references/cli-reference/gitops_add_profile.md index 88f7d765a2..2c5a25c772 100644 --- a/website/docs/references/cli-reference/gitops_add_profile.md +++ b/website/docs/references/cli-reference/gitops_add_profile.md 
@@ -34,15 +34,16 @@ gitops add profile [flags] ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops add](gitops_add.md) - Add a new Weave GitOps resource -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_add_terraform.md b/website/docs/references/cli-reference/gitops_add_terraform.md index dc8b3aa707..96c035f913 100644 --- a/website/docs/references/cli-reference/gitops_add_terraform.md +++ b/website/docs/references/cli-reference/gitops_add_terraform.md 
@@ -32,15 +32,16 @@ gitops add terraform --from-template --set key=val ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops add](gitops_add.md) - Add a new Weave GitOps resource -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_beta.md b/website/docs/references/cli-reference/gitops_beta.md new file mode 100644 index 0000000000..86bd720497 --- /dev/null +++ b/website/docs/references/cli-reference/gitops_beta.md 
@@ -0,0 +1,27 @@ +## gitops beta + +This component contains unstable or still-in-development functionality + +### Options + +``` + -h, --help help for beta +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops](gitops.md) - Weave GitOps +* [gitops beta run](gitops_beta_run.md) - Set up an interactive sync between your cluster and your local file system + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_beta_run.md b/website/docs/references/cli-reference/gitops_beta_run.md new file mode 100644 index 0000000000..636be16a28 --- /dev/null +++ b/website/docs/references/cli-reference/gitops_beta_run.md 
@@ -0,0 +1,65 @@ +## gitops beta run + +Set up an interactive sync between your cluster and your local file system + +### Synopsis + +This will set up a sync between the cluster in your kubeconfig and the path that you specify on your local filesystem. If you do not have Flux installed on the cluster then this will add it to the cluster automatically. This is a requirement so we can sync the files successfully from your local system onto the cluster. Flux will take care of producing the objects for you. + +``` +gitops beta run [flags] +``` + +### Examples + +``` + +# Run the sync on the current working directory +gitops beta run . [flags] + +# Run the sync against the dev overlay path +gitops beta run ./deploy/overlays/dev + +# Run the sync on the dev directory and forward the port. +# Listen on port 8080 on localhost, forwarding to 5000 in a pod of the service app. +gitops beta run ./dev --port-forward port=8080:5000,resource=svc/app + +# Run the sync on the dev directory with a specified root dir. +gitops beta run ./clusters/default/dev --root-dir ./clusters/default + +# Run the sync on the podinfo demo. +git clone https://github.com/stefanprodan/podinfo +cd podinfo +gitops beta run ./deploy/overlays/dev --timeout 3m --port-forward namespace=dev,resource=svc/backend,port=9898:9898 +``` + +### Options + +``` + --allow-k8s-context string The name of the KubeConfig context to explicitly allow. + --components strings The Flux components to install. (default [source-controller,kustomize-controller,helm-controller,notification-controller]) + --components-extra strings Additional Flux components to install. + --context string The name of the kubeconfig context to use + --dashboard-port string GitOps Dashboard port (default "9001") + --flux-version string The version of Flux to install. (default "0.31.0") + -h, --help help for run + --port-forward string Forward the port from a cluster's resource to your local machine i.e. 'port=8080:8080,resource=svc/app'. 
+ --root-dir string Specify the root directory to watch for changes. If not specified, the root of Git repository will be used. + --timeout duration The timeout for operations during GitOps Run. (default 30s) +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops beta](gitops_beta.md) - This component contains unstable or still-in-development functionality + diff --git a/website/docs/references/cli-reference/gitops_check.md b/website/docs/references/cli-reference/gitops_check.md index 6e398e3f75..7ee5cbee9a 100644 --- a/website/docs/references/cli-reference/gitops_check.md +++ b/website/docs/references/cli-reference/gitops_check.md 
@@ -24,15 +24,16 @@ gitops check ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops](gitops.md) - Weave GitOps -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_completion.md b/website/docs/references/cli-reference/gitops_completion.md index 5413017070..67800ae343 100644 --- a/website/docs/references/cli-reference/gitops_completion.md +++ b/website/docs/references/cli-reference/gitops_completion.md 
@@ -17,11 +17,12 @@ See each sub-command's help for details on how to use the generated script. ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO @@ -32,4 +33,4 @@ See each sub-command's help for details on how to use the generated script. * [gitops completion powershell](gitops_completion_powershell.md) - Generate the autocompletion script for powershell * [gitops completion zsh](gitops_completion_zsh.md) - Generate the autocompletion script for zsh -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 
diff --git a/website/docs/references/cli-reference/gitops_completion_bash.md b/website/docs/references/cli-reference/gitops_completion_bash.md index 90b78dba13..43ccb611e4 100644 --- a/website/docs/references/cli-reference/gitops_completion_bash.md +++ b/website/docs/references/cli-reference/gitops_completion_bash.md 
@@ -40,15 +40,16 @@ gitops completion bash ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops completion](gitops_completion.md) - Generate the autocompletion script for the specified shell -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_completion_fish.md b/website/docs/references/cli-reference/gitops_completion_fish.md index 7e4792fb1c..a5b04cc534 100644 --- a/website/docs/references/cli-reference/gitops_completion_fish.md 
+++ b/website/docs/references/cli-reference/gitops_completion_fish.md @@ -31,15 +31,16 @@ gitops completion fish [flags] ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops completion](gitops_completion.md) - Generate the autocompletion script for the specified shell -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_completion_powershell.md b/website/docs/references/cli-reference/gitops_completion_powershell.md index be0af8bdfa..73209f97b6 100644 
--- a/website/docs/references/cli-reference/gitops_completion_powershell.md +++ b/website/docs/references/cli-reference/gitops_completion_powershell.md @@ -28,15 +28,16 @@ gitops completion powershell [flags] ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops completion](gitops_completion.md) - Generate the autocompletion script for the specified shell -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 
diff --git a/website/docs/references/cli-reference/gitops_completion_zsh.md b/website/docs/references/cli-reference/gitops_completion_zsh.md index 1c286ba009..3182e0e014 100644 --- a/website/docs/references/cli-reference/gitops_completion_zsh.md +++ b/website/docs/references/cli-reference/gitops_completion_zsh.md 
@@ -38,15 +38,16 @@ gitops completion zsh [flags] ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops completion](gitops_completion.md) - Generate the autocompletion script for the specified shell -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_delete.md b/website/docs/references/cli-reference/gitops_delete.md index a5050147ae..4c769eaa38 100644 --- a/website/docs/references/cli-reference/gitops_delete.md +++ b/website/docs/references/cli-reference/gitops_delete.md 
@@ -19,11 +19,12 @@ gitops delete cluster ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO @@ -31,4 +32,4 @@ gitops delete cluster * [gitops](gitops.md) - Weave GitOps * [gitops delete cluster](gitops_delete_cluster.md) - Delete a cluster given its name -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_delete_cluster.md b/website/docs/references/cli-reference/gitops_delete_cluster.md index 4f12950c31..c78e27f328 100644 
--- a/website/docs/references/cli-reference/gitops_delete_cluster.md +++ b/website/docs/references/cli-reference/gitops_delete_cluster.md @@ -30,15 +30,16 @@ gitops delete cluster ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops delete](gitops_delete.md) - Delete one or many Weave GitOps resources -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_get.md b/website/docs/references/cli-reference/gitops_get.md index 644bd1ef69..589b50d36a 100644 
--- a/website/docs/references/cli-reference/gitops_get.md +++ b/website/docs/references/cli-reference/gitops_get.md 
@@ -25,19 +25,21 @@ gitops get clusters ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. 
+ --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops](gitops.md) - Weave GitOps +* [gitops get bcrypt-hash](gitops_get_bcrypt-hash.md) - Generates a hashed secret * [gitops get cluster](gitops_get_cluster.md) - Display one or many CAPI clusters * [gitops get credential](gitops_get_credential.md) - Get CAPI credentials * [gitops get profile](gitops_get_profile.md) - Show information about available profiles * [gitops get template](gitops_get_template.md) - Display one or many CAPI templates -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_get_bcrypt-hash.md b/website/docs/references/cli-reference/gitops_get_bcrypt-hash.md new file mode 100644 index 0000000000..4a56eb62b4 --- /dev/null +++ b/website/docs/references/cli-reference/gitops_get_bcrypt-hash.md 
@@ -0,0 +1,39 @@ +## gitops get bcrypt-hash + +Generates a hashed secret + +``` +gitops get bcrypt-hash [flags] +``` + +### Examples + +``` + +# PASSWORD="" +# echo $PASSWORD | gitops get bcrypt-hash + +``` + +### Options + +``` + -h, --help help for bcrypt-hash +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops get](gitops_get.md) - Display one or many Weave GitOps resources + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_get_cluster.md b/website/docs/references/cli-reference/gitops_get_cluster.md index f467a7b82f..4e360d8a67 100644 --- a/website/docs/references/cli-reference/gitops_get_cluster.md +++ b/website/docs/references/cli-reference/gitops_get_cluster.md 
@@ -23,22 +23,23 @@ gitops get cluster --kubeconfig ### Options ``` - -h, --help help for cluster - --kubeconfig Returns the Kubeconfig of the workload cluster + -h, --help help for cluster + --print-kubeconfig Returns the Kubeconfig of the workload cluster ``` ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops get](gitops_get.md) - Display one or many Weave GitOps resources -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 
diff --git a/website/docs/references/cli-reference/gitops_get_credential.md b/website/docs/references/cli-reference/gitops_get_credential.md index ffa96c8c7c..9afbce6c9f 100644 --- a/website/docs/references/cli-reference/gitops_get_credential.md +++ b/website/docs/references/cli-reference/gitops_get_credential.md @@ -24,15 +24,16 @@ gitops get credentials ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops get](gitops_get.md) - Display one or many Weave GitOps resources -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 
diff --git a/website/docs/references/cli-reference/gitops_get_profile.md b/website/docs/references/cli-reference/gitops_get_profile.md index cb5f39885b..ce8e096609 100644 --- a/website/docs/references/cli-reference/gitops_get_profile.md +++ b/website/docs/references/cli-reference/gitops_get_profile.md @@ -24,15 +24,16 @@ gitops get profile [flags] ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops get](gitops_get.md) - Display one or many Weave GitOps resources -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 
diff --git a/website/docs/references/cli-reference/gitops_get_template.md b/website/docs/references/cli-reference/gitops_get_template.md index 5dbec4ebac..5fe315f61e 100644 --- a/website/docs/references/cli-reference/gitops_get_template.md +++ b/website/docs/references/cli-reference/gitops_get_template.md @@ -33,11 +33,12 @@ gitops get template --list-parameters ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO 
@@ -45,4 +46,4 @@ gitops get template --list-parameters * [gitops get](gitops_get.md) - Display one or many Weave GitOps resources * [gitops get template terraform](gitops_get_template_terraform.md) - Display one or many Terraform templates -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_get_template_terraform.md b/website/docs/references/cli-reference/gitops_get_template_terraform.md index b03e292afd..3b8894319c 100644 --- a/website/docs/references/cli-reference/gitops_get_template_terraform.md +++ b/website/docs/references/cli-reference/gitops_get_template_terraform.md 
@@ -28,15 +28,16 @@ gitops get template terraform --list-parameters ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops get template](gitops_get_template.md) - Display one or many CAPI templates -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_update.md b/website/docs/references/cli-reference/gitops_update.md index d9f1e2bc7e..5ce97448ed 100644 --- a/website/docs/references/cli-reference/gitops_update.md +++ b/website/docs/references/cli-reference/gitops_update.md 
@@ -20,11 +20,12 @@ Update a Weave GitOps resource ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO @@ -32,4 +33,4 @@ Update a Weave GitOps resource * [gitops](gitops.md) - Weave GitOps * [gitops update profile](gitops_update_profile.md) - Update a profile installation -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_update_profile.md b/website/docs/references/cli-reference/gitops_update_profile.md index df9b5f48a9..816080c680 100644 
--- a/website/docs/references/cli-reference/gitops_update_profile.md +++ b/website/docs/references/cli-reference/gitops_update_profile.md @@ -34,15 +34,16 @@ gitops update profile [flags] ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops update](gitops_update.md) - Update a Weave GitOps resource -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_upgrade.md b/website/docs/references/cli-reference/gitops_upgrade.md index e8c76d7379..555c7faa7e 100644 
--- a/website/docs/references/cli-reference/gitops_upgrade.md +++ b/website/docs/references/cli-reference/gitops_upgrade.md @@ -34,15 +34,16 @@ gitops upgrade [flags] ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops](gitops.md) - Weave GitOps -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/docs/references/cli-reference/gitops_version.md b/website/docs/references/cli-reference/gitops_version.md index 42eb8a1a45..28b8d7c504 100644 --- a/website/docs/references/cli-reference/gitops_version.md 
+++ b/website/docs/references/cli-reference/gitops_version.md @@ -15,15 +15,16 @@ gitops version [flags] ### Options inherited from parent commands ``` - -e, --endpoint string The Weave GitOps Enterprise HTTP API endpoint - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --namespace string The namespace scope for this operation (default "flux-system") - -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable - -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable ``` ### SEE ALSO * [gitops](gitops.md) - Weave GitOps -###### Auto generated by spf13/cobra on 21-Jun-2022 +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/_components/CurlCodeBlock.jsx b/website/versioned_docs/version-0.9.1/_components/CurlCodeBlock.jsx new file mode 100644 index 0000000000..b27993ae63 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/_components/CurlCodeBlock.jsx 
@@ -0,0 +1,24 @@ +import React from "react"; + +import CodeBlock from "@theme/CodeBlock"; +import BrowserOnly from "@docusaurus/BrowserOnly"; + +export default function CurlCodeBlock({ localPath, hostedPath, content }) { + return ( + <> + + {() => ( + + curl -o {localPath} {window.location.protocol} + //{window.location.host} + {hostedPath} + + )} + + + + {content} + + + ); +} diff --git a/website/versioned_docs/version-0.9.1/_components/TierLabel.jsx b/website/versioned_docs/version-0.9.1/_components/TierLabel.jsx new file mode 100644 index 0000000000..66b0bae5cb --- /dev/null +++ b/website/versioned_docs/version-0.9.1/_components/TierLabel.jsx @@ -0,0 +1,32 @@ +import React from "react"; +import Link from "@docusaurus/Link"; +import useGlobalData from "@docusaurus/useGlobalData"; + +const containerStyle = { + fontSize: 16, + marginLeft: 4, + fontVariant: "all-small-caps", +}; + +// This determines the current version of the docs you're looking at +// E.g. /docs/next or /docs/0.2.5 +const getCurrentVersionPath = () => { + const { "docusaurus-plugin-content-docs": data } = useGlobalData(); + const currentVersion = data?.default?.versions?.find( + (v) => v.name === "current" + ); + // Fallback to /docs just in case. Not sure if this is async etc. + return currentVersion?.path || "/docs"; +}; + +export default function TierLabel({ tiers }) { + return ( + + {tiers} + + ); +} diff --git a/website/versioned_docs/version-0.9.1/assets/example-enterprise-helm.yaml b/website/versioned_docs/version-0.9.1/assets/example-enterprise-helm.yaml new file mode 100644 index 0000000000..87d77c910e --- /dev/null +++ b/website/versioned_docs/version-0.9.1/assets/example-enterprise-helm.yaml 
@@ -0,0 +1,43 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: weave-gitops-enterprise-charts
+ namespace: flux-system
+spec:
+ interval: 10m
+ secretRef:
+ name: weave-gitops-enterprise-credentials
+ url: https://charts.dev.wkp.weave.works/releases/charts-v3
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: weave-gitops-enterprise
+ namespace: flux-system
+spec:
+ chart:
+ spec:
+ chart: mccp
+ sourceRef:
+ kind: HelmRepository
+ name: weave-gitops-enterprise-charts
+ namespace: flux-system
+ version: 0.8.1-rc.3
+ interval: 1m
+ values:
+ # -- Configure TLS settings if needed
+ # tls:
+ # -- Can be disabled if TLS is handled by a user-provided ingress controller
+ # enabled: true
+ # -- optionally specify a TLS secret
+ # secretName: null
+ config:
+ capi:
+ repositoryURL: https://github.com/$GITHUB_USER/fleet-infra
+ # -- Can be changed depending on your git repo structure
+ # repositoryPath: ./clusters/management/clusters
+ # repositoryClustersPath: ./cluster
+ git:
+ type: github
+ # -- Change if using on-prem github/gitlab
+ # hostname: https://github.com
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/_category_.json b/website/versioned_docs/version-0.9.1/cluster-management/_category_.json
new file mode 100644
index 0000000000..43536069cc
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Cluster management",
+ "position": 5
+}
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/assets/bootstrap/calico-crs-configmap.yaml b/website/versioned_docs/version-0.9.1/cluster-management/assets/bootstrap/calico-crs-configmap.yaml
new file mode 100644
index 0000000000..4293707dca
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/assets/bootstrap/calico-crs-configmap.yaml
@@ -0,0 +1,2441 @@ +apiVersion: v1 +data: + calico.yaml: "---\n# Source: calico/templates/calico-config.yaml\n# This ConfigMap + is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: + v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # Typha + is disabled.\n typha_service_name: \"none\"\n # Configure the backend to use.\n + \ calico_backend: \"vxlan\"\n # On Azure, the underlying network has an MTU of + 1400, even though the network interface will have an MTU of 1500.\n # We set + this value to 1350 for “physical network MTU size minus 50” since we use VXLAN, + which uses a 50-byte header.\n # If enabling Wireguard, this value should be + changed to 1340 (Wireguard uses a 60-byte header).\n # https://docs.projectcalico.org/networking/mtu#determine-mtu-size\n + \ veth_mtu: \"1350\"\n \n # The CNI network configuration to install on each + node. The special\n # values in this config will be automatically populated.\n + \ cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": + \"0.3.1\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n + \ \"log_level\": \"info\",\n \"log_file_path\": \"/var/log/calico/cni/cni.log\",\n + \ \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n + \ \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": + \"calico-ipam\"\n },\n \"policy\": {\n \"type\": + \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": + \"__KUBECONFIG_FILEPATH__\"\n }\n },\n {\n \"type\": + \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": + true}\n },\n {\n \"type\": \"bandwidth\",\n \"capabilities\": + {\"bandwidth\": true}\n }\n ]\n }\n\n---\n# Source: calico/templates/kdd-crds.yaml\n\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: bgpconfigurations.crd.projectcalico.org\nspec:\n group: 
crd.projectcalico.org\n + \ names:\n kind: BGPConfiguration\n listKind: BGPConfigurationList\n plural: + bgpconfigurations\n singular: bgpconfiguration\n scope: Cluster\n versions:\n + \ - name: v1\n schema:\n openAPIV3Schema:\n description: + BGPConfiguration contains the configuration for any BGP routing.\n properties:\n + \ apiVersion:\n description: 'APIVersion defines the versioned + schema of this representation\n of an object. Servers should convert + recognized schemas to the latest\n internal value, and may reject + unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: BGPConfigurationSpec contains the + values of the BGP configuration.\n properties:\n asNumber:\n + \ description: 'ASNumber is the default AS number used by a node. + [Default:\n 64512]'\n format: int32\n type: + integer\n communities:\n description: Communities + is a list of BGP community values and their\n arbitrary names + for tagging routes.\n items:\n description: + Community contains standard or large community value\n and + its name.\n properties:\n name:\n description: + Name given to community value.\n type: string\n value:\n + \ description: Value must be of format `aa:nn` or `aa:nn:mm`.\n + \ For standard community use `aa:nn` format, where `aa` + and\n `nn` are 16 bit number. For large community use + `aa:nn:mm`\n format, where `aa`, `nn` and `mm` are 32 + bit number. 
Where,\n `aa` is an AS Number, `nn` and `mm` + are per-AS identifier.\n pattern: ^(\\d+):(\\d+)$|^(\\d+):(\\d+):(\\d+)$\n + \ type: string\n type: object\n type: + array\n listenPort:\n description: ListenPort + is the port where BGP protocol should listen.\n Defaults to + 179\n maximum: 65535\n minimum: 1\n type: + integer\n logSeverityScreen:\n description: 'LogSeverityScreen + is the log severity above which logs\n are sent to the stdout. + [Default: INFO]'\n type: string\n nodeToNodeMeshEnabled:\n + \ description: 'NodeToNodeMeshEnabled sets whether full node to + node\n BGP mesh is enabled. [Default: true]'\n type: + boolean\n prefixAdvertisements:\n description: + PrefixAdvertisements contains per-prefix advertisement\n configuration.\n + \ items:\n description: PrefixAdvertisement + configures advertisement properties\n for the specified CIDR.\n + \ properties:\n cidr:\n description: + CIDR for which properties should be advertised.\n type: + string\n communities:\n description: + Communities can be list of either community names\n already + defined in `Specs.Communities` or community value\n of + format `aa:nn` or `aa:nn:mm`. For standard community use\n `aa:nn` + format, where `aa` and `nn` are 16 bit number. For\n large + community use `aa:nn:mm` format, where `aa`, `nn` and\n `mm` + are 32 bit number. Where,`aa` is an AS Number, `nn` and\n `mm` + are per-AS identifier.\n items:\n type: + string\n type: array\n type: object\n + \ type: array\n serviceClusterIPs:\n description: + ServiceClusterIPs are the CIDR blocks from which service\n cluster + IPs are allocated. If specified, Calico will advertise these\n blocks, + as well as any cluster IPs within them.\n items:\n description: + ServiceClusterIPBlock represents a single allowed ClusterIP\n CIDR + block.\n properties:\n cidr:\n type: + string\n type: object\n type: array\n serviceExternalIPs:\n + \ description: ServiceExternalIPs are the CIDR blocks for Kubernetes\n + \ Service External IPs. 
Kubernetes Service ExternalIPs will + only be\n advertised if they are within one of these blocks.\n + \ items:\n description: ServiceExternalIPBlock + represents a single allowed\n External IP CIDR block.\n properties:\n + \ cidr:\n type: string\n type: + object\n type: array\n serviceLoadBalancerIPs:\n + \ description: ServiceLoadBalancerIPs are the CIDR blocks for + Kubernetes\n Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress\n + \ IPs will only be advertised if they are within one of these + blocks.\n items:\n description: ServiceLoadBalancerIPBlock + represents a single allowed\n LoadBalancer IP CIDR block.\n + \ properties:\n cidr:\n type: + string\n type: object\n type: array\n type: + object\n type: object\n served: true\n storage: true\nstatus:\n + \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: + []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n + \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: + null\n name: bgppeers.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: BGPPeer\n listKind: BGPPeerList\n plural: bgppeers\n + \ singular: bgppeer\n scope: Cluster\n versions:\n - name: v1\n schema:\n + \ openAPIV3Schema:\n properties:\n apiVersion:\n description: + 'APIVersion defines the versioned schema of this representation\n of + an object. Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: BGPPeerSpec contains the specification + for a BGPPeer resource.\n properties:\n asNumber:\n + \ description: The AS Number of the peer.\n format: + int32\n type: integer\n keepOriginalNextHop:\n + \ description: Option to keep the original nexthop field when + routes\n are sent to a BGP Peer. Setting \"true\" configures + the selected BGP\n Peers node to use the \"next hop keep;\" + instead of \"next hop self;\"(default)\n in the specific branch + of the Node on \"bird.cfg\".\n type: boolean\n maxRestartTime:\n + \ description: Time to allow for software restart. When specified, + this\n is configured as the graceful restart timeout. When + not specified,\n the BIRD default of 120s is used.\n type: + string\n node:\n description: The node name identifying + the Calico node instance that\n is targeted by this peer. If + this is not set, and no nodeSelector\n is specified, then this + BGP peer selects all nodes in the cluster.\n type: string\n nodeSelector:\n + \ description: Selector for the nodes that should have this peering. + \ When\n this is set, the Node field must be empty.\n type: + string\n password:\n description: Optional BGP + password for the peerings generated by this\n BGPPeer resource.\n + \ properties:\n secretKeyRef:\n description: + Selects a key of a secret in the node pod's namespace.\n properties:\n + \ key:\n description: The key of + the secret to select from. Must be\n a valid secret + key.\n type: string\n name:\n + \ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\n + \ TODO: Add other useful fields. 
apiVersion, kind, uid?'\n + \ type: string\n optional:\n description: + Specify whether the Secret or its key must be\n defined\n + \ type: boolean\n required:\n - + key\n type: object\n type: object\n peerIP:\n + \ description: The IP address of the peer followed by an optional + port\n number to peer with. If port number is given, format + should be `[]:port`\n or `:` for IPv4. If + optional port number is not set,\n and this peer IP and ASNumber + belongs to a calico/node with ListenPort\n set in BGPConfiguration, + then we use that port to peer.\n type: string\n peerSelector:\n + \ description: Selector for the remote nodes to peer with. When + this\n is set, the PeerIP and ASNumber fields must be empty. + \ For each\n peering between the local node and selected remote + nodes, we configure\n an IPv4 peering if both ends have NodeBGPSpec.IPv4Address + specified,\n and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address + specified. The\n remote AS number comes from the remote node’s + NodeBGPSpec.ASNumber,\n or the global default if that is not + set.\n type: string\n sourceAddress:\n description: + Specifies whether and how to configure a source address\n for + the peerings generated by this BGPPeer resource. Default value\n \"UseNodeIP\" + means to configure the node IP as the source address. 
\"None\"\n means + not to configure a source address.\n type: string\n type: + object\n type: object\n served: true\n storage: true\nstatus:\n + \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: + []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n + \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: + null\n name: blockaffinities.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: BlockAffinity\n listKind: BlockAffinityList\n plural: + blockaffinities\n singular: blockaffinity\n scope: Cluster\n versions:\n + \ - name: v1\n schema:\n openAPIV3Schema:\n properties:\n + \ apiVersion:\n description: 'APIVersion defines the versioned + schema of this representation\n of an object. Servers should convert + recognized schemas to the latest\n internal value, and may reject + unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: BlockAffinitySpec contains the specification + for a BlockAffinity\n resource.\n properties:\n cidr:\n + \ type: string\n deleted:\n description: + Deleted indicates that this block affinity is being deleted.\n This + field is a string for compatibility with older releases that\n mistakenly + treat this field as a string.\n type: string\n node:\n + \ type: string\n state:\n type: + string\n required:\n - cidr\n - deleted\n + \ - node\n - state\n type: object\n + \ type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n + \ kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: clusterinformations.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: ClusterInformation\n listKind: ClusterInformationList\n + \ plural: clusterinformations\n singular: clusterinformation\n scope: Cluster\n + \ versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: + ClusterInformation contains the cluster specific information.\n properties:\n + \ apiVersion:\n description: 'APIVersion defines the versioned + schema of this representation\n of an object. Servers should convert + recognized schemas to the latest\n internal value, and may reject + unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: ClusterInformationSpec contains + the values of describing\n the cluster.\n properties:\n + \ calicoVersion:\n description: CalicoVersion is + the version of Calico that the cluster\n is running\n type: + string\n clusterGUID:\n description: ClusterGUID + is the GUID of the cluster\n type: string\n clusterType:\n + \ description: ClusterType describes the type of the cluster\n + \ type: string\n datastoreReady:\n description: + DatastoreReady is used during significant datastore migrations\n to + signal to components such as Felix that it should wait before\n accessing + the datastore.\n type: boolean\n variant:\n description: + Variant declares which variant of Calico should be active.\n type: + string\n type: object\n type: object\n served: true\n + \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n + \ conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: + CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: + (devel)\n creationTimestamp: null\n name: felixconfigurations.crd.projectcalico.org\nspec:\n + \ group: crd.projectcalico.org\n names:\n kind: FelixConfiguration\n listKind: + FelixConfigurationList\n plural: felixconfigurations\n singular: felixconfiguration\n + \ scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n + \ description: Felix Configuration contains the configuration for Felix.\n + \ properties:\n apiVersion:\n description: 'APIVersion + defines the versioned schema of this representation\n of an object. + Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: FelixConfigurationSpec contains + the values of the Felix configuration.\n properties:\n allowIPIPPacketsFromWorkloads:\n + \ description: 'AllowIPIPPacketsFromWorkloads controls whether + Felix\n will add a rule to drop IPIP encapsulated traffic from + workloads\n [Default: false]'\n type: boolean\n + \ allowVXLANPacketsFromWorkloads:\n description: + 'AllowVXLANPacketsFromWorkloads controls whether Felix\n will + add a rule to drop VXLAN encapsulated traffic from workloads\n [Default: + false]'\n type: boolean\n awsSrcDstCheck:\n description: + 'Set source-destination-check on AWS EC2 instances. Accepted\n value + must be one of \"DoNothing\", \"Enabled\" or \"Disabled\". [Default:\n DoNothing]'\n + \ enum:\n - DoNothing\n - + Enable\n - Disable\n type: string\n bpfConnectTimeLoadBalancingEnabled:\n + \ description: 'BPFConnectTimeLoadBalancingEnabled when in BPF + mode,\n controls whether Felix installs the connection-time load + balancer. The\n connect-time load balancer is required for the + host to be able to\n reach Kubernetes services and it improves + the performance of pod-to-service\n connections. The only reason + to disable it is for debugging purposes. [Default:\n true]'\n + \ type: boolean\n bpfDataIfacePattern:\n description: + 'BPFDataIfacePattern is a regular expression that controls\n which + interfaces Felix should attach BPF programs to in order to\n catch + traffic to/from the network. 
This needs to match the interfaces\n that + Calico workload traffic flows over as well as any interfaces\n that + handle incoming traffic to nodeports and services from outside\n the + cluster. It should not match the workload interfaces (usually\n named + cali...). [Default: ^(en.*|eth.*|tunl0$)]'\n type: string\n bpfDisableUnprivileged:\n + \ description: 'BPFDisableUnprivileged, if enabled, Felix sets + the kernel.unprivileged_bpf_disabled\n sysctl to disable unprivileged + use of BPF. This ensures that unprivileged\n users cannot access + Calico''s BPF maps and cannot insert their own\n BPF programs + to interfere with Calico''s. [Default: true]'\n type: boolean\n + \ bpfEnabled:\n description: 'BPFEnabled, if enabled + Felix will use the BPF dataplane.\n [Default: false]'\n type: + boolean\n bpfExtToServiceConnmark:\n description: + 'BPFExtToServiceConnmark in BPF mode, control a 32bit\n mark + that is set on connections from an external client to a local\n service. + This mark allows us to control how packets of that connection\n are + routed within the host and how is routing intepreted by RPF\n check. + [Default: 0]'\n type: integer\n bpfExternalServiceMode:\n + \ description: 'BPFExternalServiceMode in BPF mode, controls how + connections\n from outside the cluster to services (node ports + and cluster IPs)\n are forwarded to remote workloads. If set + to \"Tunnel\" then both\n request and response traffic is tunneled + to the remote node. If\n set to \"DSR\", the request traffic + is tunneled but the response traffic\n is sent directly from + the remote node. In \"DSR\" mode, the remote\n node appears + to use the IP of the ingress node; this requires a\n permissive + L2 network. 
[Default: Tunnel]'\n type: string\n bpfKubeProxyEndpointSlicesEnabled:\n + \ description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, + controls\n whether Felix's embedded kube-proxy accepts EndpointSlices + or not.\n type: boolean\n bpfKubeProxyIptablesCleanupEnabled:\n + \ description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled + in BPF\n mode, Felix will proactively clean up the upstream Kubernetes + kube-proxy''s\n iptables chains. Should only be enabled if kube-proxy + is not running. [Default:\n true]'\n type: + boolean\n bpfKubeProxyMinSyncPeriod:\n description: + 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the\n minimum + time between updates to the dataplane for Felix''s embedded\n kube-proxy. + \ Lower values give reduced set-up latency. Higher values\n reduce + Felix CPU usage by batching up more work. [Default: 1s]'\n type: + string\n bpfLogLevel:\n description: 'BPFLogLevel + controls the log level of the BPF programs\n when in BPF dataplane + mode. One of \"Off\", \"Info\", or \"Debug\". The\n logs are + emitted to the BPF trace pipe, accessible with the command\n `tc + exec bpf debug`. [Default: Off].'\n type: string\n chainInsertMode:\n + \ description: 'ChainInsertMode controls whether Felix hooks the + kernel’s\n top-level iptables chains by inserting a rule at the + top of the\n chain or by appending a rule at the bottom. insert + is the safe default\n since it prevents Calico’s rules from being + bypassed. If you switch\n to append mode, be sure that the other + rules in the chains signal\n acceptance by falling through to + the Calico rules, otherwise the\n Calico policy will be bypassed. 
+ [Default: insert]'\n type: string\n dataplaneDriver:\n + \ type: string\n debugDisableLogDropping:\n type: + boolean\n debugMemoryProfilePath:\n type: string\n + \ debugSimulateCalcGraphHangAfter:\n type: string\n + \ debugSimulateDataplaneHangAfter:\n type: string\n + \ defaultEndpointToHostAction:\n description: 'DefaultEndpointToHostAction + controls what happens to\n traffic that goes from a workload + endpoint to the host itself (after\n the traffic hits the endpoint + egress policy). By default Calico\n blocks traffic from workload + endpoints to the host itself with an\n iptables “DROP” action. + If you want to allow some or all traffic\n from endpoint to host, + set this parameter to RETURN or ACCEPT. Use\n RETURN if you have + your own rules in the iptables “INPUT” chain;\n Calico will insert + its rules at the top of that chain, then “RETURN”\n packets to + the “INPUT” chain once it has completed processing workload\n endpoint + egress policy. Use ACCEPT to unconditionally accept packets\n from + workloads after processing workload endpoint egress policy.\n [Default: + Drop]'\n type: string\n deviceRouteProtocol:\n + \ description: This defines the route protocol added to programmed + device\n routes, by default this will be RTPROT_BOOT when left + blank.\n type: integer\n deviceRouteSourceAddress:\n + \ description: This is the source address to use on programmed + device\n routes. 
By default the source address is left blank, + leaving the\n kernel to choose the source address used.\n type: + string\n disableConntrackInvalidCheck:\n type: + boolean\n endpointReportingDelay:\n type: string\n + \ endpointReportingEnabled:\n type: boolean\n externalNodesList:\n + \ description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes\n + \ which may source tunnel traffic and have the tunneled traffic + be\n accepted at calico nodes.\n items:\n + \ type: string\n type: array\n failsafeInboundHostPorts:\n + \ description: 'FailsafeInboundHostPorts is a list of UDP/TCP + ports\n and CIDRs that Felix will allow incoming traffic to + host endpoints\n on irrespective of the security policy. This + is useful to avoid\n accidentally cutting off a host with incorrect + configuration. For\n back-compatibility, if the protocol is + not specified, it defaults\n to \"tcp\". If a CIDR is not specified, + it will allow traffic from\n all addresses. To disable all + inbound host ports, use the value\n none. The default value + allows ssh access and DHCP. [Default: tcp:22,\n udp:68, tcp:179, + tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'\n items:\n + \ description: ProtoPort is combination of protocol, port, and + CIDR.\n Protocol and port must be specified.\n properties:\n + \ net:\n type: string\n port:\n + \ type: integer\n protocol:\n type: + string\n required:\n - port\n - + protocol\n type: object\n type: array\n failsafeOutboundHostPorts:\n + \ description: 'FailsafeOutboundHostPorts is a list of UDP/TCP + ports\n and CIDRs that Felix will allow outgoing traffic from + host endpoints\n to irrespective of the security policy. This + is useful to avoid\n accidentally cutting off a host with incorrect + configuration. For\n back-compatibility, if the protocol is + not specified, it defaults\n to \"tcp\". If a CIDR is not specified, + it will allow traffic from\n all addresses. To disable all + outbound host ports, use the value\n none. 
The default value + opens etcd''s standard ports to ensure that\n Felix does not + get cut off from etcd as well as allowing DHCP and\n DNS. [Default: + tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,\n tcp:6667, + udp:53, udp:67]'\n items:\n description: ProtoPort + is combination of protocol, port, and CIDR.\n Protocol and + port must be specified.\n properties:\n net:\n + \ type: string\n port:\n type: + integer\n protocol:\n type: string\n + \ required:\n - port\n - + protocol\n type: object\n type: array\n featureDetectOverride:\n + \ description: FeatureDetectOverride is used to override the feature\n + \ detection. Values are specified in a comma separated list + with no\n spaces, example; \"SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=\".\n + \ \"true\" or \"false\" will force the feature, empty or omitted + values\n are auto-detected.\n type: string\n + \ genericXDPEnabled:\n description: 'GenericXDPEnabled + enables Generic XDP so network cards\n that don''t support XDP + offload or driver modes can use XDP. This\n is not recommended + since it doesn''t provide better performance\n than iptables. + [Default: false]'\n type: boolean\n healthEnabled:\n + \ type: boolean\n healthHost:\n type: + string\n healthPort:\n type: integer\n interfaceExclude:\n + \ description: 'InterfaceExclude is a comma-separated list of + interfaces\n that Felix should exclude when monitoring for host + endpoints. The\n default value ensures that Felix ignores Kubernetes'' + IPVS dummy\n interface, which is used internally by kube-proxy. + If you want to\n exclude multiple interface names using a single + value, the list\n supports regular expressions. For regular expressions + you must wrap\n the value with ''/''. For example having values + ''/^kube/,veth1''\n will exclude all interfaces that begin with + ''kube'' and also the\n interface ''veth1''. 
[Default: kube-ipvs0]'\n + \ type: string\n interfacePrefix:\n description: + 'InterfacePrefix is the interface name prefix that identifies\n workload + endpoints and so distinguishes them from host endpoint\n interfaces. + Note: in environments other than bare metal, the orchestrators\n configure + this appropriately. For example our Kubernetes and Docker\n integrations + set the ‘cali’ value, and our OpenStack integration\n sets the + ‘tap’ value. [Default: cali]'\n type: string\n interfaceRefreshInterval:\n + \ description: InterfaceRefreshInterval is the period at which + Felix\n rescans local interfaces to verify their state. The + rescan can be\n disabled by setting the interval to 0.\n type: + string\n ipipEnabled:\n type: boolean\n ipipMTU:\n + \ description: 'IPIPMTU is the MTU to set on the tunnel device. + See\n Configuring MTU [Default: 1440]'\n type: + integer\n ipsetsRefreshInterval:\n description: + 'IpsetsRefreshInterval is the period at which Felix re-checks\n all + iptables state to ensure that no other process has accidentally\n broken + Calico’s rules. Set to 0 to disable iptables refresh. [Default:\n 90s]'\n + \ type: string\n iptablesBackend:\n description: + IptablesBackend specifies which backend of iptables will\n be + used. The default is legacy.\n type: string\n iptablesFilterAllowAction:\n + \ type: string\n iptablesLockFilePath:\n description: + 'IptablesLockFilePath is the location of the iptables\n lock + file. You may need to change this if the lock file is not in\n its + standard location (for example if you have mapped it into Felix’s\n container + at a different path). [Default: /run/xtables.lock]'\n type: string\n + \ iptablesLockProbeInterval:\n description: 'IptablesLockProbeInterval + is the time that Felix will\n wait between attempts to acquire + the iptables lock if it is not\n available. Lower values make + Felix more responsive when the lock\n is contended, but use more + CPU. 
[Default: 50ms]'\n type: string\n iptablesLockTimeout:\n + \ description: 'IptablesLockTimeout is the time that Felix will + wait\n for the iptables lock, or 0, to disable. To use this feature, + Felix\n must share the iptables lock file with all other processes + that\n also take the lock. When running Felix inside a container, + this\n requires the /run directory of the host to be mounted + into the calico/node\n or calico/felix container. [Default: 0s + disabled]'\n type: string\n iptablesMangleAllowAction:\n + \ type: string\n iptablesMarkMask:\n description: + 'IptablesMarkMask is the mask that Felix selects its\n IPTables + Mark bits from. Should be a 32 bit hexadecimal number with\n at + least 8 bits set, none of which clash with any other mark bits\n in + use on the system. [Default: 0xff000000]'\n format: int32\n type: + integer\n iptablesNATOutgoingInterfaceFilter:\n type: + string\n iptablesPostWriteCheckInterval:\n description: + 'IptablesPostWriteCheckInterval is the period after Felix\n has + done a write to the dataplane that it schedules an extra read\n back + in order to check the write was not clobbered by another process.\n This + should only occur if another application on the system doesn’t\n respect + the iptables lock. [Default: 1s]'\n type: string\n iptablesRefreshInterval:\n + \ description: 'IptablesRefreshInterval is the period at which + Felix\n re-checks the IP sets in the dataplane to ensure that + no other process\n has accidentally broken Calico''s rules. + Set to 0 to disable IP\n sets refresh. Note: the default for + this value is lower than the\n other refresh intervals as a + workaround for a Linux kernel bug that\n was fixed in kernel + version 4.11. If you are using v4.11 or greater\n you may want + to set this to, a higher value to reduce Felix CPU\n usage. 
+ [Default: 10s]'\n type: string\n ipv6Support:\n + \ type: boolean\n kubeNodePortRanges:\n description: + 'KubeNodePortRanges holds list of port ranges used for\n service + node ports. Only used if felix detects kube-proxy running\n in + ipvs mode. Felix uses these ranges to separate host and workload\n traffic. + [Default: 30000:32767].'\n items:\n anyOf:\n + \ - type: integer\n - type: string\n + \ pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n logFilePath:\n description: + 'LogFilePath is the full path to the Felix log. Set to\n none + to disable file logging. [Default: /var/log/calico/felix.log]'\n type: + string\n logPrefix:\n description: 'LogPrefix + is the log prefix that Felix uses when rendering\n LOG rules. + [Default: calico-packet]'\n type: string\n logSeverityFile:\n + \ description: 'LogSeverityFile is the log severity above which + logs\n are sent to the log file. [Default: Info]'\n type: + string\n logSeverityScreen:\n description: 'LogSeverityScreen + is the log severity above which logs\n are sent to the stdout. + [Default: Info]'\n type: string\n logSeveritySys:\n + \ description: 'LogSeveritySys is the log severity above which + logs\n are sent to the syslog. Set to None for no logging to + syslog. [Default:\n Info]'\n type: string\n + \ maxIpsetSize:\n type: integer\n metadataAddr:\n + \ description: 'MetadataAddr is the IP address or domain name + of the\n server that can answer VM queries for cloud-init metadata. + In OpenStack,\n this corresponds to the machine running nova-api + (or in Ubuntu,\n nova-api-metadata). A value of none (case insensitive) + means that\n Felix should not set up any NAT rule for the metadata + path. [Default:\n 127.0.0.1]'\n type: string\n + \ metadataPort:\n description: 'MetadataPort is + the port of the metadata server. 
This,\n combined with global.MetadataAddr + (if not ‘None’), is used to set\n up a NAT rule, from 169.254.169.254:80 + to MetadataAddr:MetadataPort.\n In most cases this should not + need to be changed [Default: 8775].'\n type: integer\n mtuIfacePattern:\n + \ description: MTUIfacePattern is a regular expression that controls\n + \ which interfaces Felix should scan in order to calculate the + host's\n MTU. This should not match workload interfaces (usually + named cali...).\n type: string\n natOutgoingAddress:\n + \ description: NATOutgoingAddress specifies an address to use + when performing\n source NAT for traffic in a natOutgoing pool + that is leaving the\n network. By default the address used + is an address on the interface\n the traffic is leaving on + (ie it uses the iptables MASQUERADE target)\n type: string\n + \ natPortRange:\n anyOf:\n - + type: integer\n - type: string\n description: + NATPortRange specifies the range of ports that is used\n for + port mapping when doing outgoing NAT. When unset the default\n behavior + of the network stack is used.\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n netlinkTimeout:\n type: string\n openstackRegion:\n + \ description: 'OpenstackRegion is the name of the region that + a particular\n Felix belongs to. In a multi-region Calico/OpenStack + deployment,\n this must be configured somehow for each Felix + (here in the datamodel,\n or in felix.cfg or the environment + on each compute node), and must\n match the [calico] openstack_region + value configured in neutron.conf\n on each node. 
[Default: Empty]'\n + \ type: string\n policySyncPathPrefix:\n description: + 'PolicySyncPathPrefix is used to by Felix to communicate\n policy + changes to external services, like Application layer policy.\n [Default: + Empty]'\n type: string\n prometheusGoMetricsEnabled:\n + \ description: 'PrometheusGoMetricsEnabled disables Go runtime + metrics\n collection, which the Prometheus client does by default, + when set\n to false. This reduces the number of metrics reported, + reducing\n Prometheus load. [Default: true]'\n type: + boolean\n prometheusMetricsEnabled:\n description: + 'PrometheusMetricsEnabled enables the Prometheus metrics\n server + in Felix if set to true. [Default: false]'\n type: boolean\n + \ prometheusMetricsHost:\n description: 'PrometheusMetricsHost + is the host that the Prometheus\n metrics server should bind + to. [Default: empty]'\n type: string\n prometheusMetricsPort:\n + \ description: 'PrometheusMetricsPort is the TCP port that the + Prometheus\n metrics server should bind to. [Default: 9091]'\n + \ type: integer\n prometheusProcessMetricsEnabled:\n + \ description: 'PrometheusProcessMetricsEnabled disables process + metrics\n collection, which the Prometheus client does by default, + when set\n to false. This reduces the number of metrics reported, + reducing\n Prometheus load. [Default: true]'\n type: + boolean\n removeExternalRoutes:\n description: + Whether or not to remove device routes that have not\n been + programmed by Felix. Disabling this will allow external applications\n to + also add device routes. This is enabled by default which means\n we + will remove externally added routes.\n type: boolean\n reportingInterval:\n + \ description: 'ReportingInterval is the interval at which Felix + reports\n its status into the datastore or 0 to disable. Must + be non-zero\n in OpenStack deployments. 
[Default: 30s]'\n type: + string\n reportingTTL:\n description: 'ReportingTTL + is the time-to-live setting for process-wide\n status reports. + [Default: 90s]'\n type: string\n routeRefreshInterval:\n + \ description: 'RouterefreshInterval is the period at which Felix + re-checks\n the routes in the dataplane to ensure that no other + process has\n accidentally broken Calico’s rules. Set to 0 to + disable route refresh.\n [Default: 90s]'\n type: + string\n routeSource:\n description: 'RouteSource + configures where Felix gets its routing\n information. - WorkloadIPs: + use workload endpoints to construct\n routes. - CalicoIPAM: the + default - use IPAM data to construct routes.'\n type: string\n + \ routeTableRange:\n description: Calico programs + additional Linux route tables for various\n purposes. RouteTableRange + specifies the indices of the route tables\n that Calico should + use.\n properties:\n max:\n type: + integer\n min:\n type: integer\n required:\n + \ - max\n - min\n type: + object\n serviceLoopPrevention:\n description: + 'When service IP advertisement is enabled, prevent routing\n loops + to service IPs that are not in use, by dropping or rejecting\n packets + that do not get DNAT''d by kube-proxy. Unless set to \"Disabled\",\n in + which case such routing loops continue to be allowed. [Default:\n Drop]'\n + \ type: string\n sidecarAccelerationEnabled:\n + \ description: 'SidecarAccelerationEnabled enables experimental + sidecar\n acceleration [Default: false]'\n type: + boolean\n usageReportingEnabled:\n description: + 'UsageReportingEnabled reports anonymous Calico version\n number + and cluster size to projectcalico.org. Logs warnings returned\n by + the usage server. For example, if a significant security vulnerability\n has + been discovered in the version of Calico being used. 
[Default:\n true]'\n + \ type: boolean\n usageReportingInitialDelay:\n + \ description: 'UsageReportingInitialDelay controls the minimum + delay\n before Felix makes a report. [Default: 300s]'\n type: + string\n usageReportingInterval:\n description: + 'UsageReportingInterval controls the interval at which\n Felix + makes reports. [Default: 86400s]'\n type: string\n useInternalDataplaneDriver:\n + \ type: boolean\n vxlanEnabled:\n type: + boolean\n vxlanMTU:\n description: 'VXLANMTU is + the MTU to set on the tunnel device. See\n Configuring MTU [Default: + 1440]'\n type: integer\n vxlanPort:\n type: + integer\n vxlanVNI:\n type: integer\n wireguardEnabled:\n + \ description: 'WireguardEnabled controls whether Wireguard is + enabled.\n [Default: false]'\n type: boolean\n + \ wireguardInterfaceName:\n description: 'WireguardInterfaceName + specifies the name to use for\n the Wireguard interface. [Default: + wg.calico]'\n type: string\n wireguardListeningPort:\n + \ description: 'WireguardListeningPort controls the listening + port used\n by Wireguard. [Default: 51820]'\n type: + integer\n wireguardMTU:\n description: 'WireguardMTU + controls the MTU on the Wireguard interface.\n See Configuring + MTU [Default: 1420]'\n type: integer\n wireguardRoutingRulePriority:\n + \ description: 'WireguardRoutingRulePriority controls the priority + value\n to use for the Wireguard routing rule. [Default: 99]'\n + \ type: integer\n xdpEnabled:\n description: + 'XDPEnabled enables XDP acceleration for suitable untracked\n incoming + deny rules. [Default: true]'\n type: boolean\n xdpRefreshInterval:\n + \ description: 'XDPRefreshInterval is the period at which Felix + re-checks\n all XDP state to ensure that no other process has + accidentally broken\n Calico''s BPF maps or attached programs. + Set to 0 to disable XDP\n refresh. 
[Default: 90s]'\n type: + string\n type: object\n type: object\n served: true\n + \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n + \ conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: + CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: + (devel)\n creationTimestamp: null\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n + \ group: crd.projectcalico.org\n names:\n kind: GlobalNetworkPolicy\n listKind: + GlobalNetworkPolicyList\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n + \ scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n + \ properties:\n apiVersion:\n description: 'APIVersion + defines the versioned schema of this representation\n of an object. + Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n properties:\n applyOnForward:\n + \ description: ApplyOnForward indicates to apply the rules in + this policy\n on forward traffic.\n type: + boolean\n doNotTrack:\n description: DoNotTrack + indicates whether packets matched by the rules\n in this policy + should go through the data plane's connection tracking,\n such + as Linux conntrack. 
If True, the rules in this policy are\n applied + before any data plane connection tracking, and packets allowed\n by + this policy are marked as not to be tracked.\n type: boolean\n + \ egress:\n description: The ordered set of egress + rules. Each rule contains\n a set of packet match criteria + and a corresponding action to apply.\n items:\n description: + \"A Rule encapsulates a set of match criteria and an\n action. + \ Both selector-based security Policy and security Profiles\n reference + rules - separated out as a list of rules for both ingress\n and + egress packet matching. \\n Each positive match criteria has\n a + negated version, prefixed with ”Not”. All the match criteria\n within + a rule must be satisfied for a packet to match. A single\n rule + can contain the positive and negative version of a match\n and + both must be satisfied for the rule to match.\"\n properties:\n + \ action:\n type: string\n destination:\n + \ description: Destination contains the match criteria that + apply\n to destination entity.\n properties:\n + \ namespaceSelector:\n description: + \"NamespaceSelector is an optional field that\n contains + a selector expression. Only traffic that originates\n from + (or terminates at) endpoints within the selected\n namespaces + will be matched. When both NamespaceSelector\n and + Selector are defined on the same rule, then only workload\n endpoints + that are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. 
\\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. + Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. 
\\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. \\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. 
\\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n http:\n description: + HTTP contains match criteria that apply to HTTP\n requests.\n + \ properties:\n methods:\n description: + Methods is an optional field that restricts\n the + rule to apply only to HTTP requests that use one of\n the + listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods + are OR'd together.\n items:\n type: + string\n type: array\n paths:\n + \ description: 'Paths is an optional field that restricts\n + \ the rule to apply to HTTP requests that use one of + the\n listed HTTP Paths. Multiple paths are OR''d together.\n + \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry + may\n ONLY specify either a `exact` or a `prefix` match. + The\n validator will check for it.'\n items:\n + \ description: 'HTTPPath specifies an HTTP path to + match.\n It may be either of the form: exact: : + which matches\n the path exactly or prefix: : + which matches\n the path prefix'\n properties:\n + \ exact:\n type: + string\n prefix:\n type: + string\n type: object\n type: + array\n type: object\n icmp:\n description: + ICMP is an optional field that restricts the rule\n to + apply to a specific type and code of ICMP traffic. This\n should + only be specified if the Protocol field is set to \"ICMP\"\n or + \"ICMPv6\".\n properties:\n code:\n + \ description: Match on a specific ICMP code. If specified,\n + \ the Type value must also be specified. 
This is a + technical\n limitation imposed by the kernel’s iptables + firewall,\n which Calico uses to enforce the rule.\n + \ type: integer\n type:\n description: + Match on a specific ICMP type. For example\n a value + of 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n ipVersion:\n + \ description: IPVersion is an optional field that restricts + the\n rule to only match a specific IP version.\n type: + integer\n metadata:\n description: + Metadata contains additional information for this\n rule\n + \ properties:\n annotations:\n + \ additionalProperties:\n type: + string\n description: Annotations is a set of key value + pairs that\n give extra information about the rule\n + \ type: object\n type: object\n + \ notICMP:\n description: NotICMP is + the negated version of the ICMP field.\n properties:\n + \ code:\n description: Match + on a specific ICMP code. If specified,\n the Type + value must also be specified. This is a technical\n limitation + imposed by the kernel’s iptables firewall,\n which + Calico uses to enforce the rule.\n type: integer\n + \ type:\n description: Match + on a specific ICMP type. For example\n a value of + 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n notProtocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: NotProtocol is the negated + version of the Protocol\n field.\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n protocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: \"Protocol is an optional field + that restricts the\n rule to only apply to traffic of a + specific IP protocol. Required\n if any of the EntityRules + contain Ports (because ports only\n apply to certain protocols). 
+ \\n Must be one of these string\n values: \\\"TCP\\\", + \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" + or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n source:\n description: Source + contains the match criteria that apply to\n source entity.\n + \ properties:\n namespaceSelector:\n + \ description: \"NamespaceSelector is an optional field + that\n contains a selector expression. Only traffic + that originates\n from (or terminates at) endpoints + within the selected\n namespaces will be matched. When + both NamespaceSelector\n and Selector are defined on + the same rule, then only workload\n endpoints that + are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. 
+ Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. 
\\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. 
If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n required:\n + \ - action\n type: object\n type: + array\n ingress:\n description: The ordered set + of ingress rules. Each rule contains\n a set of packet match + criteria and a corresponding action to apply.\n items:\n description: + \"A Rule encapsulates a set of match criteria and an\n action. + \ Both selector-based security Policy and security Profiles\n reference + rules - separated out as a list of rules for both ingress\n and + egress packet matching. \\n Each positive match criteria has\n a + negated version, prefixed with ”Not”. All the match criteria\n within + a rule must be satisfied for a packet to match. A single\n rule + can contain the positive and negative version of a match\n and + both must be satisfied for the rule to match.\"\n properties:\n + \ action:\n type: string\n destination:\n + \ description: Destination contains the match criteria that + apply\n to destination entity.\n properties:\n + \ namespaceSelector:\n description: + \"NamespaceSelector is an optional field that\n contains + a selector expression. Only traffic that originates\n from + (or terminates at) endpoints within the selected\n namespaces + will be matched. When both NamespaceSelector\n and + Selector are defined on the same rule, then only workload\n endpoints + that are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. 
\\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. + Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. 
\\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. \\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. 
\\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n http:\n description: + HTTP contains match criteria that apply to HTTP\n requests.\n + \ properties:\n methods:\n description: + Methods is an optional field that restricts\n the + rule to apply only to HTTP requests that use one of\n the + listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods + are OR'd together.\n items:\n type: + string\n type: array\n paths:\n + \ description: 'Paths is an optional field that restricts\n + \ the rule to apply to HTTP requests that use one of + the\n listed HTTP Paths. Multiple paths are OR''d together.\n + \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry + may\n ONLY specify either a `exact` or a `prefix` match. + The\n validator will check for it.'\n items:\n + \ description: 'HTTPPath specifies an HTTP path to + match.\n It may be either of the form: exact: : + which matches\n the path exactly or prefix: : + which matches\n the path prefix'\n properties:\n + \ exact:\n type: + string\n prefix:\n type: + string\n type: object\n type: + array\n type: object\n icmp:\n description: + ICMP is an optional field that restricts the rule\n to + apply to a specific type and code of ICMP traffic. This\n should + only be specified if the Protocol field is set to \"ICMP\"\n or + \"ICMPv6\".\n properties:\n code:\n + \ description: Match on a specific ICMP code. If specified,\n + \ the Type value must also be specified. 
This is a + technical\n limitation imposed by the kernel’s iptables + firewall,\n which Calico uses to enforce the rule.\n + \ type: integer\n type:\n description: + Match on a specific ICMP type. For example\n a value + of 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n ipVersion:\n + \ description: IPVersion is an optional field that restricts + the\n rule to only match a specific IP version.\n type: + integer\n metadata:\n description: + Metadata contains additional information for this\n rule\n + \ properties:\n annotations:\n + \ additionalProperties:\n type: + string\n description: Annotations is a set of key value + pairs that\n give extra information about the rule\n + \ type: object\n type: object\n + \ notICMP:\n description: NotICMP is + the negated version of the ICMP field.\n properties:\n + \ code:\n description: Match + on a specific ICMP code. If specified,\n the Type + value must also be specified. This is a technical\n limitation + imposed by the kernel’s iptables firewall,\n which + Calico uses to enforce the rule.\n type: integer\n + \ type:\n description: Match + on a specific ICMP type. For example\n a value of + 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n notProtocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: NotProtocol is the negated + version of the Protocol\n field.\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n protocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: \"Protocol is an optional field + that restricts the\n rule to only apply to traffic of a + specific IP protocol. Required\n if any of the EntityRules + contain Ports (because ports only\n apply to certain protocols). 
+ \\n Must be one of these string\n values: \\\"TCP\\\", + \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" + or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n source:\n description: Source + contains the match criteria that apply to\n source entity.\n + \ properties:\n namespaceSelector:\n + \ description: \"NamespaceSelector is an optional field + that\n contains a selector expression. Only traffic + that originates\n from (or terminates at) endpoints + within the selected\n namespaces will be matched. When + both NamespaceSelector\n and Selector are defined on + the same rule, then only workload\n endpoints that + are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. 
+ Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. 
\\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. 
If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n required:\n + \ - action\n type: object\n type: + array\n namespaceSelector:\n description: NamespaceSelector + is an optional field for an expression\n used to select a pod + based on namespaces.\n type: string\n order:\n + \ description: Order is an optional field that specifies the order + in\n which the policy is applied. Policies with higher \"order\" + are applied\n after those with lower order. If the order is + omitted, it may be\n considered to be \"infinite\" - i.e. the + policy will be applied last. Policies\n with identical order + will be applied in alphanumerical order based\n on the Policy + \"Name\".\n type: number\n preDNAT:\n description: + PreDNAT indicates to apply the rules in this policy before\n any + DNAT.\n type: boolean\n selector:\n description: + \"The selector is an expression used to pick pick out\n the endpoints + that the policy should be applied to. \\n Selector\n expressions + follow this syntax: \\n \\tlabel == \\\"string_literal\\\"\n \\ + -> comparison, e.g. my_label == \\\"foo bar\\\" \\tlabel != \\\"string_literal\\\"\n + \ \\ -> not equal; also matches if label is not present \\tlabel + in\n { \\\"a\\\", \\\"b\\\", \\\"c\\\", ... } -> true if the + value of label X is\n one of \\\"a\\\", \\\"b\\\", \\\"c\\\" + \\tlabel not in { \\\"a\\\", \\\"b\\\", \\\"c\\\",\n ... } -> + \ true if the value of label X is not one of \\\"a\\\", \\\"b\\\",\n \\\"c\\\" + \\thas(label_name) -> True if that label is present \\t! expr\n -> + negation of expr \\texpr && expr -> Short-circuit and \\texpr\n || + expr -> Short-circuit or \\t( expr ) -> parens for grouping \\tall()\n or + the empty selector -> matches all endpoints. \\n Label names are\n allowed + to contain alphanumerics, -, _ and /. String literals are\n more + permissive but they do not support escape characters. 
\\n Examples\n (with + made-up labels): \\n \\ttype == \\\"webserver\\\" && deployment\n == + \\\"prod\\\" \\ttype in {\\\"frontend\\\", \\\"backend\\\"} \\tdeployment !=\n + \ \\\"dev\\\" \\t! has(label_name)\"\n type: + string\n serviceAccountSelector:\n description: + ServiceAccountSelector is an optional field for an expression\n used + to select a pod based on service accounts.\n type: string\n types:\n + \ description: \"Types indicates whether this policy applies to + ingress,\n or to egress, or to both. When not explicitly specified + (and so\n the value on creation is empty or nil), Calico defaults + Types according\n to what Ingress and Egress rules are present + in the policy. The\n default is: \\n - [ PolicyTypeIngress ], + if there are no Egress rules\n (including the case where there + are also no Ingress rules) \\n\n - [ PolicyTypeEgress ], if + there are Egress rules but no Ingress\n rules \\n - [ PolicyTypeIngress, + PolicyTypeEgress ], if there are\n both Ingress and Egress rules. 
+ \\n When the policy is read back again,\n Types will always be + one of these values, never empty or nil.\"\n items:\n description: + PolicyType enumerates the possible values of the PolicySpec\n Types + field.\n type: string\n type: array\n type: + object\n type: object\n served: true\n storage: true\nstatus:\n + \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: + []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n + \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: + null\n name: globalnetworksets.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: GlobalNetworkSet\n listKind: GlobalNetworkSetList\n plural: + globalnetworksets\n singular: globalnetworkset\n scope: Cluster\n versions:\n + \ - name: v1\n schema:\n openAPIV3Schema:\n description: + GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs\n that + share labels to allow rules to refer to them via selectors. The labels\n of + GlobalNetworkSet are not namespaced.\n properties:\n apiVersion:\n + \ description: 'APIVersion defines the versioned schema of this representation\n + \ of an object. Servers should convert recognized schemas to the latest\n + \ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: GlobalNetworkSetSpec contains the + specification for a NetworkSet\n resource.\n properties:\n + \ nets:\n description: The list of IP networks + that belong to this set.\n items:\n type: + string\n type: array\n type: object\n type: + object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: + \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: hostendpoints.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: HostEndpoint\n listKind: HostEndpointList\n plural: + hostendpoints\n singular: hostendpoint\n scope: Cluster\n versions:\n - + name: v1\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n + \ description: 'APIVersion defines the versioned schema of this representation\n + \ of an object. Servers should convert recognized schemas to the latest\n + \ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: HostEndpointSpec contains the specification + for a HostEndpoint\n resource.\n properties:\n expectedIPs:\n + \ description: \"The expected IP addresses (IPv4 and IPv6) of + the endpoint.\n If \\\"InterfaceName\\\" is not present, Calico + will look for an interface\n matching any of the IPs in the list + and apply policy to that. Note:\n \\tWhen using the selector + match criteria in an ingress or egress\n security Policy \\tor + Profile, Calico converts the selector into\n a set of IP addresses. + For host \\tendpoints, the ExpectedIPs field\n is used for that + purpose. (If only the interface \\tname is specified,\n Calico + does not learn the IPs of the interface for use in match\n \\tcriteria.)\"\n + \ items:\n type: string\n type: + array\n interfaceName:\n description: \"Either + \\\"*\\\", or the name of a specific Linux interface\n to apply + policy to; or empty. \\\"*\\\" indicates that this HostEndpoint\n governs + all traffic to, from or through the default network namespace\n of + the host named by the \\\"Node\\\" field; entering and leaving that\n namespace + via any interface, including those from/to non-host-networked\n local + workloads. \\n If InterfaceName is not \\\"*\\\", this HostEndpoint\n only + governs traffic that enters or leaves the host through the\n specific + interface named by InterfaceName, or - when InterfaceName\n is + empty - through the specific interface that has one of the IPs\n in + ExpectedIPs. Therefore, when InterfaceName is empty, at least\n one + expected IP must be specified. 
Only external interfaces (such\n as + “eth0”) are supported here; it isn't possible for a HostEndpoint\n to + protect traffic through a specific local workload interface.\n \\n + Note: Only some kinds of policy are implemented for \\\"*\\\" HostEndpoints;\n + \ initially just pre-DNAT policy. Please check Calico documentation\n + \ for the latest position.\"\n type: string\n + \ node:\n description: The node name identifying + the Calico node instance.\n type: string\n ports:\n + \ description: Ports contains the endpoint's named ports, which + may\n be referenced in security policy rules.\n items:\n + \ properties:\n name:\n type: + string\n port:\n type: integer\n protocol:\n + \ anyOf:\n - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n required:\n - name\n - + port\n - protocol\n type: object\n type: + array\n profiles:\n description: A list of identifiers + of security Profile objects that\n apply to this endpoint. + Each profile is applied in the order that\n they appear in + this list. Profile rules are applied after the selector-based\n security + policy.\n items:\n type: string\n type: + array\n type: object\n type: object\n served: true\n + \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n + \ conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: + CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: + (devel)\n creationTimestamp: null\n name: ipamblocks.crd.projectcalico.org\nspec:\n + \ group: crd.projectcalico.org\n names:\n kind: IPAMBlock\n listKind: IPAMBlockList\n + \ plural: ipamblocks\n singular: ipamblock\n scope: Cluster\n versions:\n + \ - name: v1\n schema:\n openAPIV3Schema:\n properties:\n + \ apiVersion:\n description: 'APIVersion defines the versioned + schema of this representation\n of an object. 
Servers should convert + recognized schemas to the latest\n internal value, and may reject + unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: IPAMBlockSpec contains the specification + for an IPAMBlock\n resource.\n properties:\n affinity:\n + \ type: string\n allocations:\n items:\n + \ type: integer\n # TODO: This nullable is + manually added in. We should update controller-gen\n # to handle + []*int properly itself.\n nullable: true\n type: + array\n attributes:\n items:\n properties:\n + \ handle_id:\n type: string\n secondary:\n + \ additionalProperties:\n type: + string\n type: object\n type: object\n + \ type: array\n cidr:\n type: + string\n deleted:\n type: boolean\n strictAffinity:\n + \ type: boolean\n unallocated:\n items:\n + \ type: integer\n type: array\n required:\n + \ - allocations\n - attributes\n - + cidr\n - strictAffinity\n - unallocated\n type: + object\n type: object\n served: true\n storage: true\nstatus:\n + \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: + []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n + \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: + null\n name: ipamconfigs.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: IPAMConfig\n listKind: IPAMConfigList\n plural: ipamconfigs\n + \ singular: ipamconfig\n scope: Cluster\n versions:\n - name: v1\n schema:\n + \ openAPIV3Schema:\n properties:\n 
apiVersion:\n description: + 'APIVersion defines the versioned schema of this representation\n of + an object. Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: IPAMConfigSpec contains the specification + for an IPAMConfig\n resource.\n properties:\n autoAllocateBlocks:\n + \ type: boolean\n maxBlocksPerHost:\n description: + MaxBlocksPerHost, if non-zero, is the max number of blocks\n that + can be affine to each host.\n type: integer\n strictAffinity:\n + \ type: boolean\n required:\n - autoAllocateBlocks\n + \ - strictAffinity\n type: object\n type: + object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: + \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: ipamhandles.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: IPAMHandle\n listKind: IPAMHandleList\n plural: ipamhandles\n + \ singular: ipamhandle\n scope: Cluster\n versions:\n - name: v1\n schema:\n + \ openAPIV3Schema:\n properties:\n apiVersion:\n description: + 'APIVersion defines the versioned schema of this representation\n of + an object. Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: IPAMHandleSpec contains the specification + for an IPAMHandle\n resource.\n properties:\n block:\n + \ additionalProperties:\n type: integer\n type: + object\n deleted:\n type: boolean\n handleID:\n + \ type: string\n required:\n - block\n + \ - handleID\n type: object\n type: object\n + \ served: true\n storage: true\nstatus:\n acceptedNames:\n kind: + \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: ippools.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: IPPool\n listKind: IPPoolList\n plural: ippools\n singular: + ippool\n scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n + \ properties:\n apiVersion:\n description: 'APIVersion + defines the versioned schema of this representation\n of an object. + Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: IPPoolSpec contains the specification + for an IPPool resource.\n properties:\n blockSize:\n + \ description: The block size to use for IP address assignments + from\n this pool. Defaults to 26 for IPv4 and 112 for IPv6.\n + \ type: integer\n cidr:\n description: + The pool CIDR.\n type: string\n disabled:\n description: + When disabled is true, Calico IPAM will not assign addresses\n from + this pool.\n type: boolean\n ipip:\n description: + 'Deprecated: this field is only used for APIv1 backwards\n compatibility. + Setting this field is not allowed, this field is\n for internal + use only.'\n properties:\n enabled:\n description: + When enabled is true, ipip tunneling will be used\n to + deliver packets to destinations within this pool.\n type: + boolean\n mode:\n description: The IPIP + mode. This can be one of \"always\" or \"cross-subnet\". A\n mode + of \"always\" will also use IPIP tunneling for routing to\n destination + IP addresses within this pool. A mode of \"cross-subnet\"\n will + only use IPIP tunneling when the destination node is on\n a + different subnet to the originating node. The default value\n (if + not specified) is \"always\".\n type: string\n type: + object\n ipipMode:\n description: Contains configuration + for IPIP tunneling for this pool.\n If not specified, then + this is defaulted to \"Never\" (i.e. IPIP tunneling\n is disabled).\n + \ type: string\n nat-outgoing:\n description: + 'Deprecated: this field is only used for APIv1 backwards\n compatibility. 
+ Setting this field is not allowed, this field is\n for internal + use only.'\n type: boolean\n natOutgoing:\n description: + When nat-outgoing is true, packets sent from Calico networked\n containers + in this pool to destinations outside of this pool will\n be + masqueraded.\n type: boolean\n nodeSelector:\n + \ description: Allows IPPool to allocate for a specific node by + label\n selector.\n type: string\n vxlanMode:\n + \ description: Contains configuration for VXLAN tunneling for + this pool.\n If not specified, then this is defaulted to \"Never\" + (i.e. VXLAN\n tunneling is disabled).\n type: + string\n required:\n - cidr\n type: object\n + \ type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n + \ kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: kubecontrollersconfigurations.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: KubeControllersConfiguration\n listKind: KubeControllersConfigurationList\n + \ plural: kubecontrollersconfigurations\n singular: kubecontrollersconfiguration\n + \ scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n + \ properties:\n apiVersion:\n description: 'APIVersion + defines the versioned schema of this representation\n of an object. + Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: KubeControllersConfigurationSpec + contains the values of the\n Kubernetes controllers configuration.\n + \ properties:\n controllers:\n description: + Controllers enables and configures individual Kubernetes\n controllers\n + \ properties:\n namespace:\n description: + Namespace enables and configures the namespace controller.\n Enabled + by default, set to nil to disable.\n properties:\n reconcilerPeriod:\n + \ description: 'ReconcilerPeriod is the period to perform + reconciliation\n with the Calico datastore. [Default: + 5m]'\n type: string\n type: object\n + \ node:\n description: Node enables and + configures the node controller.\n Enabled by default, set + to nil to disable.\n properties:\n hostEndpoint:\n + \ description: HostEndpoint controls syncing nodes to + host endpoints.\n Disabled by default, set to nil to + disable.\n properties:\n autoCreate:\n + \ description: 'AutoCreate enables automatic creation + of\n host endpoints for every node. [Default: Disabled]'\n + \ type: string\n type: object\n + \ reconcilerPeriod:\n description: + 'ReconcilerPeriod is the period to perform reconciliation\n with + the Calico datastore. [Default: 5m]'\n type: string\n + \ syncLabels:\n description: 'SyncLabels + controls whether to copy Kubernetes\n node labels to + Calico nodes. [Default: Enabled]'\n type: string\n type: + object\n policy:\n description: Policy + enables and configures the policy controller.\n Enabled + by default, set to nil to disable.\n properties:\n reconcilerPeriod:\n + \ description: 'ReconcilerPeriod is the period to perform + reconciliation\n with the Calico datastore. [Default: + 5m]'\n type: string\n type: object\n + \ serviceAccount:\n description: ServiceAccount + enables and configures the service\n account controller. 
+ Enabled by default, set to nil to disable.\n properties:\n + \ reconcilerPeriod:\n description: + 'ReconcilerPeriod is the period to perform reconciliation\n with + the Calico datastore. [Default: 5m]'\n type: string\n + \ type: object\n workloadEndpoint:\n description: + WorkloadEndpoint enables and configures the workload\n endpoint + controller. Enabled by default, set to nil to disable.\n properties:\n + \ reconcilerPeriod:\n description: + 'ReconcilerPeriod is the period to perform reconciliation\n with + the Calico datastore. [Default: 5m]'\n type: string\n + \ type: object\n type: object\n etcdV3CompactionPeriod:\n + \ description: 'EtcdV3CompactionPeriod is the period between etcdv3\n + \ compaction requests. Set to 0 to disable. [Default: 10m]'\n + \ type: string\n healthChecks:\n description: + 'HealthChecks enables or disables support for health\n checks + [Default: Enabled]'\n type: string\n logSeverityScreen:\n + \ description: 'LogSeverityScreen is the log severity above which + logs\n are sent to the stdout. [Default: Info]'\n type: + string\n prometheusMetricsPort:\n description: + 'PrometheusMetricsPort is the TCP port that the Prometheus\n metrics + server should bind to. Set to 0 to disable. [Default: 9094]'\n type: + integer\n required:\n - controllers\n type: + object\n status:\n description: KubeControllersConfigurationStatus + represents the status\n of the configuration. 
It's useful for admins + to be able to see the actual\n config that was applied, which can + be modified by environment variables\n on the kube-controllers + process.\n properties:\n environmentVars:\n additionalProperties:\n + \ type: string\n description: EnvironmentVars + contains the environment variables on\n the kube-controllers + that influenced the RunningConfig.\n type: object\n runningConfig:\n + \ description: RunningConfig contains the effective config that + is running\n in the kube-controllers pod, after merging the + API resource with\n any environment variables.\n properties:\n + \ controllers:\n description: Controllers + enables and configures individual Kubernetes\n controllers\n + \ properties:\n namespace:\n description: + Namespace enables and configures the namespace\n controller. + Enabled by default, set to nil to disable.\n properties:\n + \ reconcilerPeriod:\n description: + 'ReconcilerPeriod is the period to perform\n reconciliation + with the Calico datastore. [Default:\n 5m]'\n type: + string\n type: object\n node:\n + \ description: Node enables and configures the node controller.\n + \ Enabled by default, set to nil to disable.\n properties:\n + \ hostEndpoint:\n description: + HostEndpoint controls syncing nodes to host\n endpoints. + Disabled by default, set to nil to disable.\n properties:\n + \ autoCreate:\n description: + 'AutoCreate enables automatic creation\n of host + endpoints for every node. [Default: Disabled]'\n type: + string\n type: object\n leakGracePeriod:\n + \ description: 'LeakGracePeriod is the period used + by the\n controller to determine if an IP address + has been leaked.\n Set to 0 to disable IP garbage + collection. [Default:\n 15m]'\n type: + string\n reconcilerPeriod:\n description: + 'ReconcilerPeriod is the period to perform\n reconciliation + with the Calico datastore. 
[Default:\n 5m]'\n type: + string\n syncLabels:\n description: + 'SyncLabels controls whether to copy Kubernetes\n node + labels to Calico nodes. [Default: Enabled]'\n type: + string\n type: object\n policy:\n + \ description: Policy enables and configures the policy + controller.\n Enabled by default, set to nil to disable.\n + \ properties:\n reconcilerPeriod:\n + \ description: 'ReconcilerPeriod is the period to + perform\n reconciliation with the Calico datastore. + [Default:\n 5m]'\n type: + string\n type: object\n serviceAccount:\n + \ description: ServiceAccount enables and configures the + service\n account controller. Enabled by default, set + to nil to disable.\n properties:\n reconcilerPeriod:\n + \ description: 'ReconcilerPeriod is the period to + perform\n reconciliation with the Calico datastore. + [Default:\n 5m]'\n type: + string\n type: object\n workloadEndpoint:\n + \ description: WorkloadEndpoint enables and configures + the workload\n endpoint controller. Enabled by default, + set to nil to disable.\n properties:\n reconcilerPeriod:\n + \ description: 'ReconcilerPeriod is the period to + perform\n reconciliation with the Calico datastore. + [Default:\n 5m]'\n type: + string\n type: object\n type: object\n + \ etcdV3CompactionPeriod:\n description: + 'EtcdV3CompactionPeriod is the period between etcdv3\n compaction + requests. Set to 0 to disable. [Default: 10m]'\n type: string\n + \ healthChecks:\n description: 'HealthChecks + enables or disables support for health\n checks [Default: + Enabled]'\n type: string\n logSeverityScreen:\n + \ description: 'LogSeverityScreen is the log severity above + which\n logs are sent to the stdout. [Default: Info]'\n type: + string\n prometheusMetricsPort:\n description: + 'PrometheusMetricsPort is the TCP port that the Prometheus\n metrics + server should bind to. Set to 0 to disable. 
[Default:\n 9094]'\n + \ type: integer\n required:\n - + controllers\n type: object\n type: object\n type: + object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: + \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: networkpolicies.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: + networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n + \ - name: v1\n schema:\n openAPIV3Schema:\n properties:\n + \ apiVersion:\n description: 'APIVersion defines the versioned + schema of this representation\n of an object. Servers should convert + recognized schemas to the latest\n internal value, and may reject + unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n properties:\n egress:\n description: + The ordered set of egress rules. Each rule contains\n a set + of packet match criteria and a corresponding action to apply.\n items:\n + \ description: \"A Rule encapsulates a set of match criteria + and an\n action. Both selector-based security Policy and security + Profiles\n reference rules - separated out as a list of rules + for both ingress\n and egress packet matching. \\n Each positive + match criteria has\n a negated version, prefixed with ”Not”. 
+ All the match criteria\n within a rule must be satisfied for + a packet to match. A single\n rule can contain the positive + and negative version of a match\n and both must be satisfied + for the rule to match.\"\n properties:\n action:\n + \ type: string\n destination:\n description: + Destination contains the match criteria that apply\n to + destination entity.\n properties:\n namespaceSelector:\n + \ description: \"NamespaceSelector is an optional field + that\n contains a selector expression. Only traffic + that originates\n from (or terminates at) endpoints + within the selected\n namespaces will be matched. When + both NamespaceSelector\n and Selector are defined on + the same rule, then only workload\n endpoints that + are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. 
+ Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. 
\\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. 
If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n http:\n description: + HTTP contains match criteria that apply to HTTP\n requests.\n + \ properties:\n methods:\n description: + Methods is an optional field that restricts\n the + rule to apply only to HTTP requests that use one of\n the + listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods + are OR'd together.\n items:\n type: + string\n type: array\n paths:\n + \ description: 'Paths is an optional field that restricts\n + \ the rule to apply to HTTP requests that use one of + the\n listed HTTP Paths. Multiple paths are OR''d together.\n + \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry + may\n ONLY specify either a `exact` or a `prefix` match. + The\n validator will check for it.'\n items:\n + \ description: 'HTTPPath specifies an HTTP path to + match.\n It may be either of the form: exact: : + which matches\n the path exactly or prefix: : + which matches\n the path prefix'\n properties:\n + \ exact:\n type: + string\n prefix:\n type: + string\n type: object\n type: + array\n type: object\n icmp:\n description: + ICMP is an optional field that restricts the rule\n to + apply to a specific type and code of ICMP traffic. This\n should + only be specified if the Protocol field is set to \"ICMP\"\n or + \"ICMPv6\".\n properties:\n code:\n + \ description: Match on a specific ICMP code. If specified,\n + \ the Type value must also be specified. This is a + technical\n limitation imposed by the kernel’s iptables + firewall,\n which Calico uses to enforce the rule.\n + \ type: integer\n type:\n description: + Match on a specific ICMP type. For example\n a value + of 8 refers to ICMP Echo Request (i.e. 
pings).\n type: + integer\n type: object\n ipVersion:\n + \ description: IPVersion is an optional field that restricts + the\n rule to only match a specific IP version.\n type: + integer\n metadata:\n description: + Metadata contains additional information for this\n rule\n + \ properties:\n annotations:\n + \ additionalProperties:\n type: + string\n description: Annotations is a set of key value + pairs that\n give extra information about the rule\n + \ type: object\n type: object\n + \ notICMP:\n description: NotICMP is + the negated version of the ICMP field.\n properties:\n + \ code:\n description: Match + on a specific ICMP code. If specified,\n the Type + value must also be specified. This is a technical\n limitation + imposed by the kernel’s iptables firewall,\n which + Calico uses to enforce the rule.\n type: integer\n + \ type:\n description: Match + on a specific ICMP type. For example\n a value of + 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n notProtocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: NotProtocol is the negated + version of the Protocol\n field.\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n protocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: \"Protocol is an optional field + that restricts the\n rule to only apply to traffic of a + specific IP protocol. Required\n if any of the EntityRules + contain Ports (because ports only\n apply to certain protocols). + \\n Must be one of these string\n values: \\\"TCP\\\", + \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" + or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n source:\n description: Source + contains the match criteria that apply to\n source entity.\n + \ properties:\n namespaceSelector:\n + \ description: \"NamespaceSelector is an optional field + that\n contains a selector expression. 
Only traffic + that originates\n from (or terminates at) endpoints + within the selected\n namespaces will be matched. When + both NamespaceSelector\n and Selector are defined on + the same rule, then only workload\n endpoints that + are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. + Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. 
\\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. \\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n 
account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n required:\n + \ - action\n type: object\n type: + array\n ingress:\n description: The ordered set + of ingress rules. Each rule contains\n a set of packet match + criteria and a corresponding action to apply.\n items:\n description: + \"A Rule encapsulates a set of match criteria and an\n action. + \ Both selector-based security Policy and security Profiles\n reference + rules - separated out as a list of rules for both ingress\n and + egress packet matching. \\n Each positive match criteria has\n a + negated version, prefixed with ”Not”. All the match criteria\n within + a rule must be satisfied for a packet to match. 
A single\n rule + can contain the positive and negative version of a match\n and + both must be satisfied for the rule to match.\"\n properties:\n + \ action:\n type: string\n destination:\n + \ description: Destination contains the match criteria that + apply\n to destination entity.\n properties:\n + \ namespaceSelector:\n description: + \"NamespaceSelector is an optional field that\n contains + a selector expression. Only traffic that originates\n from + (or terminates at) endpoints within the selected\n namespaces + will be matched. When both NamespaceSelector\n and + Selector are defined on the same rule, then only workload\n endpoints + that are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. 
+ Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. 
\\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. 
If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n http:\n description: + HTTP contains match criteria that apply to HTTP\n requests.\n + \ properties:\n methods:\n description: + Methods is an optional field that restricts\n the + rule to apply only to HTTP requests that use one of\n the + listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods + are OR'd together.\n items:\n type: + string\n type: array\n paths:\n + \ description: 'Paths is an optional field that restricts\n + \ the rule to apply to HTTP requests that use one of + the\n listed HTTP Paths. Multiple paths are OR''d together.\n + \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry + may\n ONLY specify either a `exact` or a `prefix` match. + The\n validator will check for it.'\n items:\n + \ description: 'HTTPPath specifies an HTTP path to + match.\n It may be either of the form: exact: : + which matches\n the path exactly or prefix: : + which matches\n the path prefix'\n properties:\n + \ exact:\n type: + string\n prefix:\n type: + string\n type: object\n type: + array\n type: object\n icmp:\n description: + ICMP is an optional field that restricts the rule\n to + apply to a specific type and code of ICMP traffic. This\n should + only be specified if the Protocol field is set to \"ICMP\"\n or + \"ICMPv6\".\n properties:\n code:\n + \ description: Match on a specific ICMP code. If specified,\n + \ the Type value must also be specified. This is a + technical\n limitation imposed by the kernel’s iptables + firewall,\n which Calico uses to enforce the rule.\n + \ type: integer\n type:\n description: + Match on a specific ICMP type. For example\n a value + of 8 refers to ICMP Echo Request (i.e. 
pings).\n type: + integer\n type: object\n ipVersion:\n + \ description: IPVersion is an optional field that restricts + the\n rule to only match a specific IP version.\n type: + integer\n metadata:\n description: + Metadata contains additional information for this\n rule\n + \ properties:\n annotations:\n + \ additionalProperties:\n type: + string\n description: Annotations is a set of key value + pairs that\n give extra information about the rule\n + \ type: object\n type: object\n + \ notICMP:\n description: NotICMP is + the negated version of the ICMP field.\n properties:\n + \ code:\n description: Match + on a specific ICMP code. If specified,\n the Type + value must also be specified. This is a technical\n limitation + imposed by the kernel’s iptables firewall,\n which + Calico uses to enforce the rule.\n type: integer\n + \ type:\n description: Match + on a specific ICMP type. For example\n a value of + 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n notProtocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: NotProtocol is the negated + version of the Protocol\n field.\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n protocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: \"Protocol is an optional field + that restricts the\n rule to only apply to traffic of a + specific IP protocol. Required\n if any of the EntityRules + contain Ports (because ports only\n apply to certain protocols). + \\n Must be one of these string\n values: \\\"TCP\\\", + \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" + or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n source:\n description: Source + contains the match criteria that apply to\n source entity.\n + \ properties:\n namespaceSelector:\n + \ description: \"NamespaceSelector is an optional field + that\n contains a selector expression. 
Only traffic + that originates\n from (or terminates at) endpoints + within the selected\n namespaces will be matched. When + both NamespaceSelector\n and Selector are defined on + the same rule, then only workload\n endpoints that + are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. + Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. 
\\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. \\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n 
account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n required:\n + \ - action\n type: object\n type: + array\n order:\n description: Order is an optional + field that specifies the order in\n which the policy is applied. + Policies with higher \"order\" are applied\n after those with + lower order. If the order is omitted, it may be\n considered + to be \"infinite\" - i.e. the policy will be applied last. Policies\n with + identical order will be applied in alphanumerical order based\n on + the Policy \"Name\".\n type: number\n selector:\n + \ description: \"The selector is an expression used to pick pick + out\n the endpoints that the policy should be applied to. \\n + Selector\n expressions follow this syntax: \\n \\tlabel == \\\"string_literal\\\"\n + \ \\ -> comparison, e.g. my_label == \\\"foo bar\\\" \\tlabel + != \\\"string_literal\\\"\n \\ -> not equal; also matches if + label is not present \\tlabel in\n { \\\"a\\\", \\\"b\\\", \\\"c\\\", + ... 
} -> true if the value of label X is\n one of \\\"a\\\", + \\\"b\\\", \\\"c\\\" \\tlabel not in { \\\"a\\\", \\\"b\\\", \\\"c\\\",\n ... + } -> true if the value of label X is not one of \\\"a\\\", \\\"b\\\",\n \\\"c\\\" + \\thas(label_name) -> True if that label is present \\t! expr\n -> + negation of expr \\texpr && expr -> Short-circuit and \\texpr\n || + expr -> Short-circuit or \\t( expr ) -> parens for grouping \\tall()\n or + the empty selector -> matches all endpoints. \\n Label names are\n allowed + to contain alphanumerics, -, _ and /. String literals are\n more + permissive but they do not support escape characters. \\n Examples\n (with + made-up labels): \\n \\ttype == \\\"webserver\\\" && deployment\n == + \\\"prod\\\" \\ttype in {\\\"frontend\\\", \\\"backend\\\"} \\tdeployment !=\n + \ \\\"dev\\\" \\t! has(label_name)\"\n type: + string\n serviceAccountSelector:\n description: + ServiceAccountSelector is an optional field for an expression\n used + to select a pod based on service accounts.\n type: string\n types:\n + \ description: \"Types indicates whether this policy applies to + ingress,\n or to egress, or to both. When not explicitly specified + (and so\n the value on creation is empty or nil), Calico defaults + Types according\n to what Ingress and Egress are present in the + policy. 
The default\n is: \\n - [ PolicyTypeIngress ], if there + are no Egress rules (including\n the case where there are also + no Ingress rules) \\n - [ PolicyTypeEgress\n ], if there are + Egress rules but no Ingress rules \\n - [ PolicyTypeIngress,\n PolicyTypeEgress + ], if there are both Ingress and Egress rules.\n \\n When the + policy is read back again, Types will always be one\n of these + values, never empty or nil.\"\n items:\n description: + PolicyType enumerates the possible values of the PolicySpec\n Types + field.\n type: string\n type: array\n type: + object\n type: object\n served: true\n storage: true\nstatus:\n + \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: + []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n + \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: + null\n name: networksets.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: NetworkSet\n listKind: NetworkSetList\n plural: networksets\n + \ singular: networkset\n scope: Namespaced\n versions:\n - name: v1\n schema:\n + \ openAPIV3Schema:\n description: NetworkSet is the Namespaced-equivalent + of the GlobalNetworkSet.\n properties:\n apiVersion:\n description: + 'APIVersion defines the versioned schema of this representation\n of + an object. Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: NetworkSetSpec contains the specification + for a NetworkSet\n resource.\n properties:\n nets:\n + \ description: The list of IP networks that belong to this set.\n + \ items:\n type: string\n type: + array\n type: object\n type: object\n served: true\n + \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n + \ conditions: []\n storedVersions: []\n\n---\n---\n# Source: calico/templates/calico-kube-controllers-rbac.yaml\n\n# + Include a clusterrole for the kube-controllers component,\n# and bind it to the + calico-kube-controllers serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n + \ name: calico-kube-controllers\nrules:\n # Nodes are watched to monitor for + deletions.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n + \ - watch\n - list\n - get\n # Pods are watched to check for existence + as part of IPAM controller.\n - apiGroups: [\"\"]\n resources:\n - pods\n + \ verbs:\n - get\n - list\n - watch\n # IPAM resources are manipulated + when nodes are deleted.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n + \ - ippools\n verbs:\n - list\n - apiGroups: [\"crd.projectcalico.org\"]\n + \ resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n + \ verbs:\n - get\n - list\n - create\n - update\n - + delete\n - watch\n # kube-controllers manages hostendpoints.\n - apiGroups: + [\"crd.projectcalico.org\"]\n resources:\n - hostendpoints\n verbs:\n + \ - get\n - list\n - create\n - update\n - delete\n # + Needs access to update clusterinformations.\n - apiGroups: [\"crd.projectcalico.org\"]\n + \ resources:\n - clusterinformations\n verbs:\n - get\n - + create\n - update\n # KubeControllersConfiguration is where it gets its + config\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - 
kubecontrollersconfigurations\n + \ verbs:\n # read its own config\n - get\n # create a default + if none exists\n - create\n # update status\n - update\n # + watch for changes\n - watch\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n + \ name: calico-kube-controllers\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n + \ kind: ClusterRole\n name: calico-kube-controllers\nsubjects:\n - kind: ServiceAccount\n + \ name: calico-kube-controllers\n namespace: kube-system\n---\n\n---\n# Source: + calico/templates/calico-node-rbac.yaml\n# Include a clusterrole for the calico-node + DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: + rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-node\nrules:\n # The + CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n + \ resources:\n - pods\n - nodes\n - namespaces\n verbs:\n + \ - get\n # EndpointSlices are used for Service-based network policy rule\n + \ # enforcement.\n - apiGroups: [\"discovery.k8s.io\"]\n resources:\n - + endpointslices\n verbs:\n - watch\n - list\n - apiGroups: [\"\"]\n + \ resources:\n - endpoints\n - services\n verbs:\n # Used + to discover service IPs for advertisement.\n - watch\n - list\n # + Used to discover Typhas.\n - get\n # Pod CIDR auto-detection on kubeadm + needs access to config maps.\n - apiGroups: [\"\"]\n resources:\n - configmaps\n + \ verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n + \ verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - + patch\n # Calico stores some configuration information in node annotations.\n + \ - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: + [\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n + \ - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: + [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n + \ verbs:\n - list\n - watch\n # The CNI 
plugin patches pods/status.\n + \ - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - + patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n + \ resources:\n - globalfelixconfigs\n - felixconfigurations\n - + bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n + \ - ipamblocks\n - globalnetworkpolicies\n - globalnetworksets\n + \ - networkpolicies\n - networksets\n - clusterinformations\n - + hostendpoints\n - blockaffinities\n verbs:\n - get\n - list\n + \ - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: + [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n + \ - clusterinformations\n verbs:\n - create\n - update\n # Calico + stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n + \ - nodes\n verbs:\n - get\n - list\n - watch\n # These + permissions are only required for upgrade from v2.6, and can\n # be removed after + upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n + \ resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - + create\n - update\n # These permissions are required for Calico CNI to perform + IPAM allocations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n + \ - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n + \ - get\n - list\n - create\n - update\n - delete\n - + apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ipamconfigs\n + \ verbs:\n - get\n # Block affinities must also be watchable by confd + for route aggregation.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n + \ - blockaffinities\n verbs:\n - watch\n # The Calico IPAM migration + needs to get daemonsets. 
These permissions can be\n # removed if not upgrading + from an installation using host-local IPAM.\n - apiGroups: [\"apps\"]\n resources:\n + \ - daemonsets\n verbs:\n - get\n\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: + ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n + \ kind: ClusterRole\n name: calico-node\nsubjects:\n - kind: ServiceAccount\n + \ name: calico-node\n namespace: kube-system\n\n---\n# Source: calico/templates/calico-node.yaml\n# + This manifest installs the calico-node container, as well\n# as the CNI plugins + and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: + DaemonSet\napiVersion: apps/v1\nmetadata:\n name: calico-node\n namespace: kube-system\n + \ labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: + calico-node\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n + \ maxUnavailable: 1\n template:\n metadata:\n labels:\n k8s-app: + calico-node\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n + \ hostNetwork: true\n tolerations:\n # Make sure calico-node gets + scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n + \ # Mark the pod as a critical add-on for rescheduling.\n - key: + CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n + \ operator: Exists\n serviceAccountName: calico-node\n # Minimize + downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n + \ # deletion\": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n + \ terminationGracePeriodSeconds: 0\n priorityClassName: system-node-critical\n + \ initContainers:\n # This container performs upgrade from host-local + IPAM to calico-ipam.\n # It can be deleted if this is a fresh installation, + or if you have already\n # upgraded to use calico-ipam.\n - name: + upgrade-ipam\n image: calico/cni:v3.20.0\n command: [\"/opt/cni/bin/calico-ipam\", + \"-upgrade\"]\n envFrom:\n - 
configMapRef:\n # + Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for + eBPF mode.\n name: kubernetes-services-endpoint\n optional: + true\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n + \ fieldRef:\n fieldPath: spec.nodeName\n - + name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n + \ name: calico-config\n key: calico_backend\n + \ volumeMounts:\n - mountPath: /var/lib/cni/networks\n name: + host-local-net-dir\n - mountPath: /host/opt/cni/bin\n name: + cni-bin-dir\n securityContext:\n privileged: true\n # + This container installs the CNI binaries\n # and CNI network config file + on each node.\n - name: install-cni\n image: calico/cni:v3.20.0\n + \ command: [\"/opt/cni/bin/install\"]\n envFrom:\n - + configMapRef:\n # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT + to be overridden for eBPF mode.\n name: kubernetes-services-endpoint\n + \ optional: true\n env:\n # Name of the CNI + config file to create.\n - name: CNI_CONF_NAME\n value: + \"10-calico.conflist\"\n # The CNI network config to install on each + node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n + \ name: calico-config\n key: cni_network_config\n + \ # Set the hostname based on the k8s node name.\n - name: + KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: + spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n + \ valueFrom:\n configMapKeyRef:\n name: + calico-config\n key: veth_mtu\n # Prevents the container + from sleeping forever.\n - name: SLEEP\n value: \"false\"\n + \ volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: + cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: + cni-net-dir\n securityContext:\n privileged: true\n # + Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes\n + \ # to communicate with Felix over the Policy Sync API.\n - name: + flexvol-driver\n image: calico/pod2daemon-flexvol:v3.20.0\n volumeMounts:\n + \ - name: 
flexvol-driver-host\n mountPath: /host/driver\n + \ securityContext:\n privileged: true\n containers:\n + \ # Runs calico-node container on each Kubernetes node. This\n # + container programs network policy and routes on each\n # host.\n - + name: calico-node\n image: calico/node:v3.20.0\n envFrom:\n + \ - configMapRef:\n # Allow KUBERNETES_SERVICE_HOST and + KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.\n name: + kubernetes-services-endpoint\n optional: true\n env:\n + \ # Use Kubernetes API as the backing datastore.\n - name: + DATASTORE_TYPE\n value: \"kubernetes\"\n # Wait for the + datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n + \ # Set based on the k8s node name.\n - name: NODENAME\n + \ valueFrom:\n fieldRef:\n fieldPath: + spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n + \ valueFrom:\n configMapKeyRef:\n name: + calico-config\n key: calico_backend\n # Cluster type + to identify the deployment type\n - name: CLUSTER_TYPE\n value: + \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: + IP\n value: \"autodetect\"\n # Enable VXLAN\n - + name: CALICO_IPV4POOL_VXLAN\n value: \"Always\"\n # Set + MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n + \ valueFrom:\n configMapKeyRef:\n name: + calico-config\n key: veth_mtu\n # Set MTU for the + VXLAN tunnel device.\n - name: FELIX_VXLANMTU\n valueFrom:\n + \ configMapKeyRef:\n name: calico-config\n key: + veth_mtu\n # Set MTU for the Wireguard tunnel device.\n - + name: FELIX_WIREGUARDMTU\n valueFrom:\n configMapKeyRef:\n + \ name: calico-config\n key: veth_mtu\n # + The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # + chosen from this range. Changing this value after installation will have\n # + no effect. 
This should fall within `--cluster-cidr`.\n # - name: CALICO_IPV4POOL_CIDR\n + \ # value: \"192.168.0.0/16\"\n # Disable file logging + so `kubectl logs` works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: + \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n + \ - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n + \ # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n + \ value: \"false\"\n - name: FELIX_FEATUREDETECTOVERRIDE\n + \ value: \"ChecksumOffloadBroken=true\"\n - name: FELIX_HEALTHENABLED\n + \ value: \"true\"\n securityContext:\n privileged: + true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n + \ exec:\n command:\n - /bin/calico-node\n + \ - -felix-live\n periodSeconds: 10\n initialDelaySeconds: + 10\n failureThreshold: 6\n readinessProbe:\n exec:\n + \ command:\n - /bin/calico-node\n - + -felix-ready\n periodSeconds: 10\n volumeMounts:\n - + mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n readOnly: + false\n - mountPath: /lib/modules\n name: lib-modules\n + \ readOnly: true\n - mountPath: /run/xtables.lock\n name: + xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n + \ name: var-run-calico\n readOnly: false\n - + mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: + false\n - name: policysync\n mountPath: /var/run/nodeagent\n + \ # For eBPF mode, we need to be able to mount the BPF filesystem at + /sys/fs/bpf so we mount in the\n # parent directory.\n - + name: sysfs\n mountPath: /sys/fs/\n # Bidirectional + means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to + the host.\n # If the host is known to mount that filesystem already + then Bidirectional can be omitted.\n mountPropagation: Bidirectional\n + \ - name: cni-log-dir\n mountPath: /var/log/calico/cni\n + \ readOnly: true\n volumes:\n # Used by calico-node.\n + \ - name: lib-modules\n hostPath:\n path: /lib/modules\n + \ - name: var-run-calico\n hostPath:\n path: /var/run/calico\n + \ - name: 
var-lib-calico\n hostPath:\n path: /var/lib/calico\n + \ - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n + \ type: FileOrCreate\n - name: sysfs\n hostPath:\n path: + /sys/fs/\n type: DirectoryOrCreate\n # Used to install CNI.\n + \ - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n + \ - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n + \ # Used to access CNI logs.\n - name: cni-log-dir\n hostPath:\n + \ path: /var/log/calico/cni\n # Mount in the directory for host-local + IPAM allocations. This is\n # used when upgrading from host-local to calico-ipam, + and can be removed\n # if not using the upgrade-ipam init container.\n + \ - name: host-local-net-dir\n hostPath:\n path: /var/lib/cni/networks\n + \ # Used to create per-pod Unix Domain Sockets\n - name: policysync\n + \ hostPath:\n type: DirectoryOrCreate\n path: /var/run/nodeagent\n + \ # Used to install Flex Volume Driver\n - name: flexvol-driver-host\n + \ hostPath:\n type: DirectoryOrCreate\n path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds\n---\n\napiVersion: + v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n\n---\n# + Source: calico/templates/calico-kube-controllers.yaml\n# See https://github.com/projectcalico/kube-controllers\napiVersion: + apps/v1\nkind: Deployment\nmetadata:\n name: calico-kube-controllers\n namespace: + kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n # The controllers + can only have a single active instance.\n replicas: 1\n selector:\n matchLabels:\n + \ k8s-app: calico-kube-controllers\n strategy:\n type: Recreate\n template:\n + \ metadata:\n name: calico-kube-controllers\n namespace: kube-system\n + \ labels:\n k8s-app: calico-kube-controllers\n spec:\n nodeSelector:\n + \ kubernetes.io/os: linux\n tolerations:\n # Mark the pod as + a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: + Exists\n - key: node-role.kubernetes.io/master\n effect: NoSchedule\n + \ 
serviceAccountName: calico-kube-controllers\n priorityClassName: system-cluster-critical\n + \ containers:\n - name: calico-kube-controllers\n image: calico/kube-controllers:v3.20.0\n + \ env:\n # Choose which controllers to run.\n - + name: ENABLED_CONTROLLERS\n value: node\n - name: DATASTORE_TYPE\n + \ value: kubernetes\n livenessProbe:\n exec:\n + \ command:\n - /usr/bin/check-status\n - + -l\n periodSeconds: 10\n initialDelaySeconds: 10\n failureThreshold: + 6\n timeoutSeconds: 10\n readinessProbe:\n exec:\n + \ command:\n - /usr/bin/check-status\n - + -r\n periodSeconds: 10\n\n---\n\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n + \ name: calico-kube-controllers\n namespace: kube-system\n\n---\n\n# This manifest + creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler + to evict\n\napiVersion: policy/v1beta1\nkind: PodDisruptionBudget\nmetadata:\n + \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: + calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n + \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" +kind: ConfigMap +metadata: + creationTimestamp: null + name: calico-crs-configmap + namespace: default diff --git a/website/versioned_docs/version-0.9.1/cluster-management/assets/bootstrap/calico-crs.yaml b/website/versioned_docs/version-0.9.1/cluster-management/assets/bootstrap/calico-crs.yaml new file mode 100644 index 0000000000..acfe874639 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/cluster-management/assets/bootstrap/calico-crs.yaml @@ -0,0 +1,13 @@ +apiVersion: addons.cluster.x-k8s.io/v1alpha3 +kind: ClusterResourceSet +metadata: + name: calico-crs + namespace: default +spec: + clusterSelector: + matchLabels: + cni: calico + resources: + - kind: ConfigMap + name: calico-crs-configmap + 
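Review bot: The ClusterResourceSet in calico-crs.yaml is pinned to `addons.cluster.x-k8s.io/v1alpha3` while every Cluster API object in the sibling capd-template.yaml (cluster, controlplane, infrastructure, bootstrap groups) uses v1beta1; the addons group has a v1beta1 version too, and a management cluster on a CAPI release that no longer serves v1alpha3 would reject this manifest, so `apiVersion: addons.cluster.x-k8s.io/v1beta1` is the safer sample. The `resources` entry also deserves a comment that the referenced ConfigMap is applied to every cluster carrying `cni: calico`, and that its payload installs cluster-wide RBAC and `privileged: true`/`hostNetwork: true` DaemonSets, so edits to that ConfigMap should be reviewed like any other privileged manifest, e.g. `# applied to every cluster labelled cni: calico; review changes to calico-crs-configmap as privileged`.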
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/assets/bootstrap/capi-gitops-cluster-bootstrap-config.yaml b/website/versioned_docs/version-0.9.1/cluster-management/assets/bootstrap/capi-gitops-cluster-bootstrap-config.yaml
new file mode 100644
index 0000000000..3226b2682b
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/assets/bootstrap/capi-gitops-cluster-bootstrap-config.yaml
@@ -0,0 +1,37 @@
+apiVersion: capi.weave.works/v1alpha1
+kind: ClusterBootstrapConfig
+metadata:
+ name: capi-gitops
+ namespace: default
+spec:
+ clusterSelector:
+ matchLabels:
+ weave.works/capi: bootstrap
+ jobTemplate:
+ generateName: "run-gitops-{{ .ObjectMeta.Name }}"
+ spec:
+ containers:
+ - image: ghcr.io/fluxcd/flux-cli:v0.29.5
+ name: flux-bootstrap
+ resources: {}
+ volumeMounts:
+ - name: kubeconfig
+ mountPath: "/etc/gitops"
+ readOnly: true
+ args:
+ [
+ "bootstrap",
+ "github",
+ "--kubeconfig=/etc/gitops/value",
+ "--owner=$GITHUB_USER",
+ "--repository=fleet-infra",
+ "--path=./clusters/{{ .ObjectMeta.Name }}",
+ ]
+ envFrom:
+ - secretRef:
+ name: my-pat
+ restartPolicy: Never
+ volumes:
+ - name: kubeconfig
+ secret:
+ secretName: "{{ .ObjectMeta.Name }}-kubeconfig"
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/assets/profiles/profile-repo.yaml b/website/versioned_docs/version-0.9.1/cluster-management/assets/profiles/profile-repo.yaml
new file mode 100644
index 0000000000..dfd989d091
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/assets/profiles/profile-repo.yaml
@@ -0,0 +1,10 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ creationTimestamp: null
+ name: weaveworks-charts
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://my-org.github.io/profiles
+status: {}
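Review bot: `"--owner=$GITHUB_USER"` in the `args` of capi-gitops-cluster-bootstrap-config.yaml is very likely passed to flux literally: the container has no shell in front of the binary (assuming the flux-cli image's entrypoint is the `flux` binary itself), and Kubernetes only expands `$(VAR)` references from the container environment, not `$VAR`. Either switch to `"--owner=$(GITHUB_USER)"` and document that the `my-pat` secret must carry a `GITHUB_USER` key alongside the token, or add a comment such as `# replace $GITHUB_USER with your GitHub user/org before committing`. The `envFrom` secretRef also deserves a comment that the secret is expected to expose the token under the variable name flux reads (`GITHUB_TOKEN`) and that the PAT should be scoped to the `fleet-infra` repository only, since it is injected into the whole job environment.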
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/assets/rbac/wego-admin.yaml b/website/versioned_docs/version-0.9.1/cluster-management/assets/rbac/wego-admin.yaml
new file mode 100644
index 0000000000..01e20a007f
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/assets/rbac/wego-admin.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: wego-test-user-read-resources-cr
+subjects:
+ - kind: User
+ name: wego-admin
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: wego-admin-cluster-role
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: wego-admin-cluster-role
+rules:
+ - apiGroups: [""]
+ resources: ["secrets", "pods"]
+ verbs: ["get", "list"]
+ - apiGroups: ["apps"]
+ resources: ["deployments", "replicasets"]
+ verbs: ["get", "list"]
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: ["kustomizations"]
+ verbs: ["get", "list", "patch"]
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: ["helmreleases"]
+ verbs: ["get", "list", "patch"]
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: ["buckets", "helmcharts", "gitrepositories", "helmrepositories"]
+ verbs: ["get", "list", "patch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["pac.weave.works"]
+ resources: ["policies"]
+ verbs: ["get", "list"]
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/assets/templates/.keep b/website/versioned_docs/version-0.9.1/cluster-management/assets/templates/.keep
new file mode 100644
index 0000000000..dc92bc0885
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/assets/templates/.keep
@@ -0,0 +1 @@
+"# keep"
\ No newline at end of file
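Review bot: The first rule of `wego-admin-cluster-role` grants `get`/`list` on `secrets`, and because the binding is a ClusterRoleBinding that applies to every namespace of each leaf cluster; `list` on secrets returns every Secret's data, which is far more than the stated goal of showing Applications and Sources in the UI requires. If the UI genuinely needs secret read (for example to resolve source credentials), say so in a comment and prefer a RoleBinding scoped to the namespaces Flux reconciles, e.g. `# NOTE: get/list on secrets is cluster-wide here; scope it to flux-system with a RoleBinding unless secret data is needed everywhere`. Minor: the binding is named `wego-test-user-read-resources-cr` but binds `wego-admin` to a `-cluster-role`, so the names no longer describe what the objects do.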
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/assets/templates/capd-template.yaml b/website/versioned_docs/version-0.9.1/cluster-management/assets/templates/capd-template.yaml
new file mode 100644
index 0000000000..253293fb97
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/assets/templates/capd-template.yaml
@@ -0,0 +1,156 @@ +apiVersion: capi.weave.works/v1alpha1 +kind: CAPITemplate +metadata: + name: cluster-template-development + namespace: default +spec: + description: A simple CAPD template + params: + - name: CLUSTER_NAME + required: true + description: This is used for the cluster naming. + - name: NAMESPACE + description: Namespace to create the cluster in + - name: KUBERNETES_VERSION + description: Kubernetes version to use for the cluster + options: ["1.19.11", "1.21.1", "1.22.0", "1.23.3"] + - name: CONTROL_PLANE_MACHINE_COUNT + description: Number of control planes + options: ["1", "2", "3"] + - name: WORKER_MACHINE_COUNT + description: Number of control planes + resourcetemplates: + - apiVersion: gitops.weave.works/v1alpha1 + kind: GitopsCluster + metadata: + name: "${CLUSTER_NAME}" + namespace: "${NAMESPACE}" + labels: + weave.works/capi: bootstrap + spec: + capiClusterRef: + name: "${CLUSTER_NAME}" + - apiVersion: cluster.x-k8s.io/v1beta1 + kind: Cluster + metadata: + name: "${CLUSTER_NAME}" + namespace: "${NAMESPACE}" + labels: + cni: calico + spec: + clusterNetwork: + pods: + cidrBlocks: + - 192.168.0.0/16 + serviceDomain: cluster.local + services: + cidrBlocks: + - 10.128.0.0/12 + controlPlaneRef: + apiVersion: controlplane.cluster.x-k8s.io/v1beta1 + kind: KubeadmControlPlane + name: "${CLUSTER_NAME}-control-plane" + namespace: "${NAMESPACE}" + infrastructureRef: + apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: DockerCluster + name: "${CLUSTER_NAME}" + namespace: "${NAMESPACE}" + - apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: DockerCluster + metadata: + name: "${CLUSTER_NAME}" + namespace: "${NAMESPACE}" + - apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: DockerMachineTemplate + metadata: + name: "${CLUSTER_NAME}-control-plane" + namespace: "${NAMESPACE}" + spec: + template: + spec: + extraMounts: + - containerPath: /var/run/docker.sock + hostPath: /var/run/docker.sock + - apiVersion: 
controlplane.cluster.x-k8s.io/v1beta1 + kind: KubeadmControlPlane + metadata: + name: "${CLUSTER_NAME}-control-plane" + namespace: "${NAMESPACE}" + spec: + kubeadmConfigSpec: + clusterConfiguration: + apiServer: + certSANs: + - localhost + - 127.0.0.1 + - 0.0.0.0 + controllerManager: + extraArgs: + enable-hostpath-provisioner: "true" + initConfiguration: + nodeRegistration: + criSocket: /var/run/containerd/containerd.sock + kubeletExtraArgs: + cgroup-driver: cgroupfs + eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0% + joinConfiguration: + nodeRegistration: + criSocket: /var/run/containerd/containerd.sock + kubeletExtraArgs: + cgroup-driver: cgroupfs + eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0% + machineTemplate: + infrastructureRef: + apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: DockerMachineTemplate + name: "${CLUSTER_NAME}-control-plane" + namespace: "${NAMESPACE}" + replicas: "${CONTROL_PLANE_MACHINE_COUNT}" + version: "${KUBERNETES_VERSION}" + - apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: DockerMachineTemplate + metadata: + name: "${CLUSTER_NAME}-md-0" + namespace: "${NAMESPACE}" + spec: + template: + spec: {} + - apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 + kind: KubeadmConfigTemplate + metadata: + name: "${CLUSTER_NAME}-md-0" + namespace: "${NAMESPACE}" + spec: + template: + spec: + joinConfiguration: + nodeRegistration: + kubeletExtraArgs: + cgroup-driver: cgroupfs + eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0% + - apiVersion: cluster.x-k8s.io/v1beta1 + kind: MachineDeployment + metadata: + name: "${CLUSTER_NAME}-md-0" + namespace: "${NAMESPACE}" + spec: + clusterName: "${CLUSTER_NAME}" + replicas: "${WORKER_MACHINE_COUNT}" + selector: + matchLabels: null + template: + spec: + bootstrap: + configRef: + apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 + kind: KubeadmConfigTemplate + name: "${CLUSTER_NAME}-md-0" + namespace: 
"${NAMESPACE}" + clusterName: "${CLUSTER_NAME}" + infrastructureRef: + apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: DockerMachineTemplate + name: "${CLUSTER_NAME}-md-0" + namespace: "${NAMESPACE}" + version: "${KUBERNETES_VERSION}" diff --git a/website/versioned_docs/version-0.9.1/cluster-management/cluster-api-providers.mdx b/website/versioned_docs/version-0.9.1/cluster-management/cluster-api-providers.mdx new file mode 100644 index 0000000000..b11a6e5c08 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/cluster-management/cluster-api-providers.mdx @@ -0,0 +1,40 @@ +--- +title: Cluster API Providers +sidebar_position: 2 +hide_title: true +--- + +import TierLabel from "../_components/TierLabel"; + +
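Review bot: In the `params` list of capd-template.yaml the `WORKER_MACHINE_COUNT` entry repeats the `CONTROL_PLANE_MACHINE_COUNT` description ("Number of control planes"), which is what the UI will show users filling in the form; it should read `description: Number of worker machines`. The `extraMounts` entry on the control-plane `DockerMachineTemplate` (`/var/run/docker.sock` from the host) also deserves a why-comment, since mounting the host Docker socket is root-equivalent on that host and is the concrete reason the providers page says CAPD is for testing only, e.g. `# CAPD drives the host Docker daemon through this socket; root-equivalent on the host, test clusters only`. The `replicas: "${CONTROL_PLANE_MACHINE_COUNT}"` and `"${WORKER_MACHINE_COUNT}"` values are quoted strings where the CAPI fields are integers, so a note on whether the template renderer unquotes them (or a pointer to the UI `options` that keep them numeric) would save readers a confusing apply error.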

+ {frontMatter.title} +

+ +## Creating leaf clusters + +To enable leaf cluster creation, Weave GitOps leverages the Cluster-API (CAPI) providers for [AWS](https://cluster-api-aws.sigs.k8s.io/getting-started.html) or [Docker](https://cluster-api.sigs.k8s.io/user/quick-start.html). +In this section we cover the steps to deploy the providers on a Kubernetes cluster that is running the Weave GitOps. + +CAPI provides declarative APIs, controllers, and tooling to manage the lifecycle of Kubernetes clusters, across +a large number of [infrastructure providers](https://cluster-api.sigs.k8s.io/reference/providers.html#infrastructure). +The CAPI custom resource definitions are platform independent as each provider implementation handles the creation of VMs, +VPCs, networks and other required infrastructure parts, enabling consistent and repeatable cluster deployments. +For more information on the CAPI project, refer to the [CAPI book](https://cluster-api.sigs.k8s.io/introduction.html). + +## Configure and deploy the CAPI providers + +In all cases, CAPI requires kubectl access to an existing Kubernetes cluster, so in our case we configure `kubectl` to use the management cluster. + +```bash +export KUBECONFIG=/path/to/kubeconfig +``` + +## AWS provider (CAPA) + +After having configured `kubectl`, to deploy the CAPA components, follow the steps at https://cluster-api-aws.sigs.k8s.io/getting-started.html#install-clusterctl + +## Docker provider (CAPD) + +The Docker infrastructure provider is a reference implementation and is a practical way of testing the Weave GitOps cluster creation feature. It is not intended for production clusters. As CAPD will start docker containers in the host nodes of the management cluster, note that if you are using it with a `kind` cluster you'll need to mount the docker socket as described in the [Install and/or configure a kubernetes cluster](https://cluster-api-aws.sigs.k8s.io/getting-started.html#install-andor-configure-a-kubernetes-cluster) kind section. 
+ +Similar to the AWS provider case, configure `kubectl` to use the management cluster, and to deploy the CAPD components follow the steps at https://cluster-api-aws.sigs.k8s.io/getting-started.html#install-clusterctl. diff --git a/website/versioned_docs/version-0.9.1/cluster-management/deleting-a-cluster.mdx b/website/versioned_docs/version-0.9.1/cluster-management/deleting-a-cluster.mdx new file mode 100644 index 0000000000..31d8aed584 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/cluster-management/deleting-a-cluster.mdx @@ -0,0 +1,22 @@ +--- +title: Deleting a Cluster +hide_title: true +sidebar_position: 5 +--- + +import TierLabel from "../_components/TierLabel"; + +# Deleting a Cluster + +### How to: delete a cluster using UI + +- Select the cluster clusters you want to delete +- Press `CREATE A PR TO DELETE CLUSTERS` button +- Update the deletion PR values or leave the default values +- Press `Remove clusters` button +- Merge the create PR for clusters deletion + +### Notes + +A current limitation is the inability to apply an _empty_ repository to a cluster. If you have capi clusters and other manifests commited to this repository, and then _delete all of them_ so there are 0 manifests left, then the apply will fail and the resources will not be removed from the cluster. +A workaround is to add a dummy _ConfigMap_ back to the git repository after deleting everything else so that there is at least 1 manifest to apply. diff --git a/website/versioned_docs/version-0.9.1/cluster-management/getting-started.mdx b/website/versioned_docs/version-0.9.1/cluster-management/getting-started.mdx new file mode 100644 index 0000000000..b3915562b4 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/cluster-management/getting-started.mdx 
@@ -0,0 +1,229 @@
+---
+title: Getting started
+sidebar_position: 1
+hide_title: true
+---
+
+import TierLabel from "../_components/TierLabel";
+import CodeBlock from "@theme/CodeBlock";
+import BrowserOnly from "@docusaurus/BrowserOnly";
+
+# Getting started
+
+## Creating your first CAPD Cluster
+
+If you've followed the [Upgrade steps](installation.mdx#weave-gitops-enterprise) in the [Installation guide](installation.mdx) you should have:
+
+1. Weave GitOps Enterprise installed
+2. A CAPI provider installed (With support for `ClusterResourceSet`s enabled).
+
+Next up we'll add a template and use it to create a cluster.
+
+### Directory structure
+
+Let's setup a directory structure to manage our clusters
+
+```bash
+mkdir -p clusters/bases \
+ clusters/management/capi/templates \
+ clusters/management/capi/bootstrap \
+ clusters/management/capi/profiles
+```
+
+Now we should have:
+
+```bash
+.
+└── clusters
+ ├── bases
+ └── management
+ └── capi
+ ├── bootstrap
+ ├── profiles
+ └── templates
+```
+
+This assumes that we've configured flux to reconcile everything in `clusters/management` into our management cluster.
+
+To keep things organized we've created some subpaths for the different resources:
+
+- `bases` for any common resources between clusters like RBAC and policy.
+- `templates` for `CAPITemplates`
+- `bootstrap` for `ClusterBootstrapConfig`, `ClusterResourceSet` and the `ConfigMap` they reference
+- `profiles` for the `HelmRepository` of the profiles for the newly created clusters
+
+Lets grab some sample resources to create our first cluster!
+
+### Add common RBAC to the repo
+
+When a cluster is provisioned, by default it will reconcile all the manifests in `./clusters/` and `./clusters/bases`.
+
+To display Applications and Sources in the UI we need to give the logged in user permissions to inspect the new cluster.
+
+Adding common rbac rules to `./clusters/bases/rbac` is an easy way to configure this!
+
+import WegoAdmin from "!!raw-loader!./assets/rbac/wego-admin.yaml";
+
+
+ {() => (
+
+ curl -o clusters/bases/rbac/wego-admin.yaml {window.location.protocol}//
+ {window.location.host}
+ {require("./assets/rbac/wego-admin.yaml").default}
+
+ )}
+
+
+
+ {WegoAdmin}
+
+
+### Add a template
+
+See [CAPI Templates](templates.mdx) page for more details on this topic. Once we load a template we can use it in the UI to create clusters!
+
+import CapdTemplate from "!!raw-loader!./assets/templates/capd-template.yaml";
+
+Download the template below to your config repository path, then commit and push to your git origin.
+
+
+ {() => (
+
+ curl -o clusters/management/capi/templates/capd-template.yaml{" "}
+ {window.location.protocol}//{window.location.host}
+ {require("./assets/templates/capd-template.yaml").default}
+
+ )}
+
+
+
+ {CapdTemplate}
+
+
+## Automatically install a CNI with `ClusterResourceSet`s
+
+We can use `ClusterResourceSet`s to automatically install CNI's on a new cluster, here we use calico as an example.
+
+### Add a CRS to install a CNI
+
+Create a calico configmap and a CRS as follows:
+
+import CalicoCRS from "!!raw-loader!./assets/bootstrap/calico-crs.yaml";
+
+
+ {() => (
+
+ curl -o clusters/management/capi/bootstrap/calico-crs.yaml{" "}
+ {window.location.protocol}//{window.location.host}
+ {require("./assets/bootstrap/calico-crs.yaml").default}
+ {"\n"}
+ curl -o clusters/management/capi/bootstrap/calico-crs-configmap.yaml {
+ window.location.protocol
+ }//{window.location.host}
+ {require("./assets/bootstrap/calico-crs-configmap.yaml").default}
+
+ )}
+
+
+
+ {CalicoCRS}
+
+
+The full [`calico-crs-configmap.yaml`](./assets/bootstrap/calico-crs-configmap.yaml) is a bit large to display inline here but make sure to download it to `clusters/management/capi/bootstrap/calico-crs-configmap.yaml` too, manually or with the above `curl` command.
+
+## Profiles and clusters
+
+WGE can automatically install profiles onto new clusters
+
+#### Add a helmrepo
+
+import ProfileRepo from "!!raw-loader!./assets/profiles/profile-repo.yaml";
+
+A profile is an enhanced helm chart. When publishing profiles to helm repositories make sure to include the `weave.works/profile` in `Chart.yaml`. These annotated profiles will appear in WGE
+
+```
+annotations:
+ weave.works/profile: nginx-profile
+```
+
+Download the profile repository below to your config repository path then commit and push. Make sure to update the url to point to a Helm repository containing your profiles.
+
+
+ {() => (
+
+ curl -o clusters/management/capi/profiles/profile-repo.yaml{" "}
+ {window.location.protocol}
+ //{window.location.host}
+ {require("./assets/profiles/profile-repo.yaml").default}
+
+ )}
+
+
+
+ {ProfileRepo}
+
+
+#### Add a cluster bootstrap config
+
+Create a cluster bootstrap config as follows:
+
+```bash
+ kubectl create secret generic my-pat --from-literal GITHUB_TOKEN=$GITHUB_TOKEN
+```
+
+import CapiGitopsCDC from "!!raw-loader!./assets/bootstrap/capi-gitops-cluster-bootstrap-config.yaml";
+
+Download the config with
+
+
+ {() => (
+
+ curl -o
+ clusters/management/capi/bootstrap/capi-gitops-cluster-bootstrap-config.yaml{" "}
+ {window.location.protocol}
+ //{window.location.host}
+ {
+ require("./assets/bootstrap/capi-gitops-cluster-bootstrap-config.yaml")
+ .default
+ }
+
+ )}
+
+
+Then update the `GITOPS_REPO` variable to point to your cluster
+
+
+ {CapiGitopsCDC}
+
+
+#### Add Monitoring Dashboards to your cluster
+
+In order to add dashboards to your cluster, you'll need to use metadata annotations following the below pattern.
+
+```
+apiVersion: gitops.weave.works/v1alpha1
+kind: GitopsCluster
+metadata:
+ annotations:
+ metadata.weave.works/dashboard.grafana: https://grafana.com/
+ metadata.weave.works/dashboard.prometheus: https://prometheus.io/
+```
+
+## Test
+
+You should now be able to create a new cluster from your template and install profiles onto it with a single Pull Request via the WGE UI!
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/img/disconnect-cluster.png b/website/versioned_docs/version-0.9.1/cluster-management/img/disconnect-cluster.png
new file mode 100644
index 0000000000..5a08b5afbc
Binary files /dev/null and b/website/versioned_docs/version-0.9.1/cluster-management/img/disconnect-cluster.png differ
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/img/identity-selection.png b/website/versioned_docs/version-0.9.1/cluster-management/img/identity-selection.png
new file mode 100644
index 0000000000..c1ca94f155
Binary files /dev/null and b/website/versioned_docs/version-0.9.1/cluster-management/img/identity-selection.png differ
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/img/profile-selection.png b/website/versioned_docs/version-0.9.1/cluster-management/img/profile-selection.png
new file mode 100644
index 0000000000..11ef1b5911
Binary files /dev/null and b/website/versioned_docs/version-0.9.1/cluster-management/img/profile-selection.png differ
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/intro.mdx b/website/versioned_docs/version-0.9.1/cluster-management/intro.mdx
new file mode 100644
index 0000000000..42c4430d56
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/intro.mdx
@@ -0,0 +1,15 @@
+---
+title: Introduction
+sidebar_position: 0
+hide_title: true
+---
+
+import TierLabel from "../_components/TierLabel";
+
+

+ {frontMatter.title}
+

+
+## Cluster management
+
+Weave GitOps Enterprise (WGE) can provision Kubernetes clusters using any of the CAPI providers installed. The lifecycle management of these clusters is done declaratively via GitOps and WGE simplifies this process by providing both a Web UI and a CLI to interact with and manage these clusters.
\ No newline at end of file
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/managing-existing-clusters.mdx b/website/versioned_docs/version-0.9.1/cluster-management/managing-existing-clusters.mdx
new file mode 100644
index 0000000000..8cdb1b59e3
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/managing-existing-clusters.mdx
@@ -0,0 +1,275 @@
+---
+title: Managing existing clusters
+hide_title: true
+sidebar_position: 2
+---
+
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
+import TierLabel from "../_components/TierLabel";
+
+# Managing existing clusters
+
+### Managing non-capi clusters {#how-to-connect-a-cluster}
+
+Any kubernetes cluster whether capi or not can be added to Weave Gitops Enterprise. The only thing we need is a secret containing a valid `kubeconfig`.
+
+import TOCInline from "@theme/TOCInline";
+;
+
+
+
+
+If you already have a `kubeconfig` stored in a secret in your management cluster, continue below to create a `GitopsCluster`.
+
+If you have a kubeconfig, you can load in into the cluster like so:
+
+```
+kubectl create secret generic demo-01-kubeconfig \
+--from-file=value.yaml=./demo-01-kubeconfig
+```
+
+
+
+
+### How to create a kubeconfig secret using a service account
+
+1. Create a new service account on the remote cluster:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: demo-01
+ namespace: default
+```
+
+2. Add RBAC permissions for the service account
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: impersonate-user-groups
+subjects:
+ - kind: ServiceAccount
+ name: demo-02
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: user-groups-impersonator
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: user-groups-impersonator
+rules:
+ - apiGroups: [""]
+ resources: ["users", "groups"]
+ verbs: ["impersonate"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list"]
+```
+
+This will allow WGE to introspect the cluster for available namespaces.
+
+Once we know what namespaces are available we can test whether the logged in user can access them via impersonation.
+
+3.
Get the token of the service account
+
+First get the list of secrets of the service accounts by running the following command:
+
+```sh
+kubectl get secrets --field-selector type=kubernetes.io/service-account-token
+NAME TYPE DATA AGE
+default-token-lsjz4 kubernetes.io/service-account-token 3 13d
+demo-01-token-gqz7p kubernetes.io/service-account-token 3 99m
+```
+
+`demo-01-token-gqz7p` is the secret that holds the token for `demo-01` service account
+
+To get the token of the service account run the following command:
+
+```sh
+TOKEN=$(kubectl get secret demo-01-token-gqz7p -o jsonpath={.data.token} | base64 -d)
+```
+
+4. Create a kubeconfig secret
+
+We'll use a helper script to generate the kubeconfig, save this into `static-kubeconfig.sh`:
+
+```bash title="static-kubeconfig.sh"
+#!/bin/bash
+
+if [[ -z "$CLUSTER_NAME" ]]; then
+ echo "Ensure CLUSTER_NAME has been set"
+ exit 1
+fi
+
+if [[ -z "$CA_CERTIFICATE" ]]; then
+ echo "Ensure CA_CERTIFICATE has been set to the path of the CA certificate"
+ exit 1
+fi
+
+if [[ -z "$ENDPOINT" ]]; then
+ echo "Ensure ENDPOINT has been set"
+ exit 1
+fi
+
+if [[ -z "$TOKEN" ]]; then
+ echo "Ensure TOKEN has been set"
+ exit 1
+fi
+
+export CLUSTER_CA_CERTIFICATE=$(cat "$CA_CERTIFICATE" | base64)
+
+envsubst <Details->Endpoint->”Show cluster certificate”. You will need to copy the contents of the certificate into the `ca.crt` file used below.
+
+```sh
+CLUSTER_NAME=demo-01 \
+CA_CERTIFICATE=ca.crt \
+ENDPOINT= \
+TOKEN= ./static-kubeconfig.sh > demo-01-kubeconfig
+```
+
+Replace the following:
+
+- CLUSTER_NAME: the name of your cluster i.e. `demo-01`
+- ENDPOINT: the API server endpoint i.e.
`34.218.72.31`
+- CA_CERTIFICATE: path to the CA certificate file of the cluster
+- TOKEN: the token of the service account retrieved in the previous step
+
+Finally create a secret for the generated kubeconfig:
+
+```sh
+kubectl create secret generic demo-01-kubeconfig \
+--from-file=value.yaml=./demo-01-kubeconfig
+```
+
+
+
+
+### Connect a cluster
+
+:::note Get started first!
+
+Make sure you've
+
+1. Added some common RBAC rules into the `clusters/bases` folder, as described in [Getting started](./getting-started.mdx).
+2. Configured the cluster bootstrap controller as described in [Getting started](./getting-started.mdx).
+
+:::
+
+Create a `GitopsCluster`
+
+```yaml title="./clusters/management/clusters/demo-01.yaml"
+apiVersion: gitops.weave.works/v1alpha1
+kind: GitopsCluster
+metadata:
+ name: demo-01
+ namespace: default
+ # Signals that this cluster should be bootstrapped.
+ labels:
+ weave.works/capi: bootstrap
+spec:
+ secretRef:
+ name: demo-01-kubeconfig
+```
+
+When the `GitopsCluster` appears in the cluster, the Cluster Bootstrap Controller will install flux on it and by default start reconciling the `./clusters/demo-01` path in your management cluster's git repository. To inspect the Applications and Sources running on the new cluster we need to give permissions to the user accessing the UI. Common RBAC rules like this should be stored in `./clusters/bases`. Here we create a kustomziation to add these common resources onto our new cluster:
+
+```yaml title="./clusters/demo-01/clusters-bases-kustomization.yaml"
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ creationTimestamp: null
+ name: clusters-bases-kustomization
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ path: clusters/bases
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+```
+
+Save these 2 files into your git repository. Commit and push.
+
+Once flux has reconciled the cluster you can inspect your flux resources via the UI!
+
+## Debugging
+
+### How to test a kubeconfig secret in a cluster
+
+To test a kubeconfig secret has been correctly setup apply the following manifest and check the logs after the job completes:
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kubectl
+spec:
+ ttlSecondsAfterFinished: 30
+ template:
+ spec:
+ containers:
+ - name: kubectl
+ image: bitnami/kubectl
+ args:
+ [
+ "get",
+ "pods",
+ "-n",
+ "kube-system",
+ "--kubeconfig",
+ "/etc/kubeconfig/value.yaml",
+ ]
+ volumeMounts:
+ - name: kubeconfig
+ mountPath: "/etc/kubeconfig"
+ readOnly: true
+ restartPolicy: Never
+ volumes:
+ - name: kubeconfig
+ secret:
+ secretName: demo-01-kubeconfig
+ optional: false
+```
+
+In the manifest above `demo-01-kubeconfig`is the name of the secret that contains the kubeconfig for the remote cluster.
+
+---
+
+# Background
+
+- [Authentication strategies](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies)
+ - [X509 client certificates](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs): can be used across different namespaces
+ - [Service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens): limited to a single namespace
+- [Kubernetes authentication 101 (CNCF blog post)](https://www.cncf.io/blog/2020/07/31/kubernetes-rbac-101-authentication/)
+- [Kubernetes authentication (Magalix blog post)](https://www.magalix.com/blog/kubernetes-authentication)
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/profiles.mdx b/website/versioned_docs/version-0.9.1/cluster-management/profiles.mdx
new file mode 100644
index 0000000000..52ee763079
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/profiles.mdx
@@ -0,0 +1,90 @@
+---
+title: Profiles
+sidebar_position: 6
+hide_title: true
+---
+
+import TierLabel from "../_components/TierLabel";
+
+# Profiles
+
+:::note BEFORE YOU START
+The following instructions require you to make minor changes to the content of your own hosted Helm repository.
+:::
+
+When provisioning new clusters it is often useful to install selected software packages to them as part of their bootstrap process. Weave GitOps Enterprise enables this by installing standard Helm charts to the newly provisioned clusters. This feature lowers the ongoing operational overhead and allows for the clusters to be immediately usable after being provisioned. To set this up you need to:
+
+1. Annotate a Helm chart to make it available for installation
+2. Select which profiles you want installed when creating a cluster
+
+### 1. Annotate a Helm chart to make it available for installation
+
+In order for a chart to become available for installation, it needs to include a `weave.works/profile` annotation. For example:
+
+```yaml title="Chart.yaml"
+annotations:
+ weave.works/profile: observability-profile
+apiVersion: v1
+appVersion: 1.0.0
+description: Observability Helm chart for Kubernetes
+home: https://github.com/weaveworks/observability-profile
+kubeVersion: ">=1.19.0-0"
+name: observability
+sources:
+ - https://github.com/weaveworks/observability-profile
+version: 1.0.0
+```
+
+The annotation value is not important and can be left blank i.e. `""`. Helm charts with the `weave.works/profile` annotation are called _Profiles_.
+
+Annotations can also be used to determine the order in which profiles will be installed.
+
+```
+annotations:
+ weave.works/profile: observability-profile
+ weave.works/layer: layer-0
+```
+
+```
+annotations:
+ weave.works/profile: podinfo-profile
+ weave.works/layer: layer-1
+```
+
+The profiles will be sorted lexicographically by their layer and those at a higher layer will only be installed after lower layers have been successfully installed and started.
+
+In this example, `observability-profile` will be installed prior to `podinfo-profile`. In the corresponding HelmReleases, the dependencies can be observed under the `dependsOn` field.
+
+```
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ labels:
+ weave.works/applied-layer: layer-0
+ name: cluster-name-observability
+ namespace: wego-system
+...
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ labels:
+ weave.works/applied-layer: layer-1
+ name: cluster-name-podinfo
+ namespace: wego-system
+spec:
+...
+ dependsOn:
+ - name: cluster-name-observability
+...
+```
+
+### 2. Select which profiles you want installed when creating a cluster
+
+Currenly WGE inspects the current namespace that it is deployed in (in the management cluster) for a `HelmRepository` object named `weaveworks-charts`. This Kubernetes object should be pointing to a Helm chart repository that includes the profiles that are available for installation.
+
+When creating a cluster from the UI using a CAPI template, these profiles should be available for selection in the `Profiles` section of the template. For example:
+
+![Profiles Selection](./img/profile-selection.png)
+
+As shown above, some profiles will be optional whereas some profiles will be required. This is determined when the template is authored and allows for operation teams to control which Helm packages should be installed on new clusters by default.
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/provider-identities.mdx b/website/versioned_docs/version-0.9.1/cluster-management/provider-identities.mdx
new file mode 100644
index 0000000000..47f2d78539
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/provider-identities.mdx
@@ -0,0 +1,82 @@
+---
+title: CAPI Provider Identities
+hide_title: true
+sidebar_position: 4
+---
+
+import TierLabel from "../_components/TierLabel";
+
+# CAPI Provider Identities
+
+## Multi-tenancy
+
+Some Cluster API providers allow you to choose the account or identity that the new cluster will be created with. This is often referred to as _Multi-tenancy_ in the CAPI world. Weave GitOps currently supports:
+
+- [**AWS** multi-tenancy](https://cluster-api-aws.sigs.k8s.io/topics/multitenancy.html)
+- [**Azure** multi-tenancy](https://capz.sigs.k8s.io/topics/multitenancy.html)
+- [**vSphere** multi-tenancy](https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/blob/master/docs/identity_management.md)
+
+### Identities and templates
+
+Our _templates_ describe the properties of the cluster, how many nodes, what version of Kubernetes etc, while the _identity_ is which account will be used to create the cluster. So given in our cluster we have the template:
+
+```yaml
+apiVersion: capi.weave.works/v1alpha1
+kind: CAPITemplate
+metadata:
+ name: capa-cluster-template
+spec:
+ resourcetemplates:
+ - apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
+ kind: AWSCluster
+ metadata:
+ name: "${CLUSTER_NAME}"
+ spec:
+ region: "${AWS_REGION}"
+```
+
+and the identity
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
+kind: AWSClusterStaticIdentity
+metadata:
+ name: "test-account"
+spec:
+ secretRef:
+ name: test-account-creds
+ namespace: capa-system
+ allowedNamespaces:
+ selector:
+ matchLabels:
+ cluster.x-k8s.io/ns: "testlabel"
+```
+
+We can select ask Weave GitOps to use the `test-account` when creating the cluster by using the _Infrastructure provider credentials_ dropdown on the _Create new cluster with template_ page:
+
+![Identity Selection](./img/identity-selection.png)
+
+The resulting definition will have the identity injected into the appropriate place in the template, for this example:
+
+```yaml
+apiVersion:
infrastructure.cluster.x-k8s.io/v1alpha4
+kind: AWSCluster
+metadata:
+ name: example-cluster
+spec:
+ region: eu-north-1
+ identityRef:
+ kind: AWSClusterStaticIdentity
+ name: test-account
+```
+
+### `identityRef`s
+
+The supported providers implement multi-tenancy by setting an `identityRef` on the the provider cluster object, e.g. `AWSCluster`, `AzureCluster` or `VSphereCluster`.
+
+Weave GitOps will search _all namespaces_ in the cluster for potential identities that can be used to create a cluster. The following identity `kind`s are currently supported and their corresponding Cluster kinds:
+
+- `AWSClusterStaticIdentity`: `AWSCluster`
+- `AWSClusterRoleIdentity`: `AWSCluster`
+- `AzureClusterIdentity`: `AzureCluster`
+- `VSphereClusterIdentity`: `VSphereCluster`
diff --git a/website/versioned_docs/version-0.9.1/cluster-management/templates.mdx b/website/versioned_docs/version-0.9.1/cluster-management/templates.mdx
new file mode 100644
index 0000000000..7806148ec5
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/cluster-management/templates.mdx
@@ -0,0 +1,77 @@
+---
+title: CAPI Templates
+sidebar_position: 3
+hide_title: true
+---
+
+import TierLabel from "../_components/TierLabel";
+
+# CAPI Templates
+
+## How to: Add a CAPI Template
+
+CAPI Templates objects need to be wrapped with the `CAPITemplate` custom resource and then loaded into the management cluster.
+
+```yaml
+apiVersion: capi.weave.works/v1alpha1
+kind: CAPITemplate
+metadata:
+ name: cluster-template-development
+spec:
+ description: This is the std. CAPD template
+ params:
+ - name: CLUSTER_NAME
+ description: This is used for the cluster naming.
+ resourcetemplates:
+ # Template objects go here
+ - apiVersion: cluster.x-k8s.io/v1alpha3
+ kind: Cluster
+ metadata:
+ name: "${CLUSTER_NAME}"
+```
+
+### Resource templates - `spec.resourcetemplates`
+
+Add the list of objects to be rendered out to the `spec.resourcetemplates` section.
+
+Under each resource template, annotations can be added for easier UI navigation. Use `capi.weave.works/display-name` to describe the annotation. For example:
+
+```yaml
+apiVersion: capi.weave.works/v1alpha1
+kind: Cluster
+metadata:
+ name: "${CLUSTER_NAME}"
+ annotations:
+ capi.weave.works/display-name: ClusterName
+```
+
+This will result in showing `ClusterName` as the display name for the cluster name text field as opposed to the template parameter $CLUSTER_NAME, when the template is rendered in the UI.
+
+### Parameter metadata - `spec.params`
+
+You can provide additional metadata about the parameters to the templates in the `spec.params` section.
+
+- `name`: The variable name within the resource templates
+- `descripton`: Description of the parameter. This will be rendered in the UI and CLI
+- `options`: The list of possible values this parameter can be set to.
+
+### Loading the template into the cluster
+
+Load templates into the cluster by adding them to your flux managed git repository or by apply directly with
+`kubectl apply -f capi-template.yaml`
+
+Weave GitOps will search for templates in the `default` namespace. This can be changed by configuring the `config.capi.namespace` value in the helm chart.
+
+## Full CAPD docker template example
+
+This example works with the CAPD provider, see [Cluster API Providers](cluster-api-providers.mdx).
+
+import CodeBlock from "@theme/CodeBlock";
+import CapdTemplate from "!!raw-loader!./assets/templates/capd-template.yaml";
+
+
+ {CapdTemplate}
+
diff --git a/website/versioned_docs/version-0.9.1/configuration/_category_.json b/website/versioned_docs/version-0.9.1/configuration/_category_.json
new file mode 100644
index 0000000000..918fb7cfe5
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/configuration/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Configuration",
+ "position": 3
+}
diff --git a/website/versioned_docs/version-0.9.1/configuration/recommended-rbac-configuration.mdx b/website/versioned_docs/version-0.9.1/configuration/recommended-rbac-configuration.mdx
new file mode 100644
index 0000000000..caf2d24a51
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/configuration/recommended-rbac-configuration.mdx
@@ -0,0 +1,180 @@
+---
+title: Recommended RBAC Configuration
+sidebar_position: 0
+---
+
+This page summarises the contents of the [securing access to the dashboard](securing-access-to-the-dashboard.mdx),
+[service account permissions](service-account-permissions.mdx) and [user permissions](user-permissions.mdx). They should be
+read in addition to this page in order to understand the suggestions made here and
+their ramifications.
+
+This page is purposefully vague as the intention is to give a broad idea of how
+such a system could be implemented, not the specifics as that will be dependent
+on your specific circumstances and goals.
+
+:::note Gitops-Core
+These recommendations are for Weave GitOps Core. A similar system can be used
+within Enterprise but it would need to be adapted to account for multi-cluster
+configurations and is beyond the scope of this document.
+:::
+
+## Summary
+
+The general recommendation is to use OIDC and a small number of groups that
+are Weave GitOps can impersonate.
+
+OIDC is the recommended method for managing authentication as it decouples the
+need to manage user lists from the application, allowing it to be managed via
+a central system designed for that purpose (i.e. the OIDC provider). OIDC also
+enables the creation of groups (either via your provider's own systems or by
+using a connector like [Dex](../guides/setting-up-dex.md)).
+
+Configuring Weave GitOps to impersonate kubernetes groups rather than
+users has the following benefits:
+* A user's permissions for impersonation by Weave GitOps can be separate from
+ any other permissions that they may or may not have within the cluster.
+* Users do not have to be individually managed within the cluster and can have
+ their permissions managed together.
+
+## Example set up
+
+Assume that your company has the following people in OIDC
+* Aisha, a cluster admin, who should have full admin access to Weave GitOps
+* Brian, lead of team-A, who should have admin permissions to their team's
+ namespace in Weave GitOps and readonly-otherwise
+* June and Jo, developers in team-A who should have read-only access to Weave GitOps.
+
+You could then create 3 groups:
+
+* `wego-admin`
+ - Bound to the `ClusterRole`, created by Helm, `wego-admin-cluster-role`
+ - Aisha is the only member
+* `wego-team-a-admin`
+ - Bound to a `Role`, using the same permissions as `wego-admin-role`, created
+ in Team's namespace
+ - Brian and Aisha are members
+* `wego-readonly`
+ - Bound to a `ClusterRole` that matches `wego-admin-cluster-role` but with
+ no `patch` permissions.
+ - Aisha, Brian, June & Jo are all members
+
+The Weave GitOps service account can then be configured with:
+```yaml
+rbac:
+ impersonationResourceNames: ["wego-admin", "wego-team-a-admin", "wego-readonly"]
+ impersonationResources: ["groups"]
+```
+so that only these three groups can be `impersonated` by the service account.
+
+:::caution Using OIDC for cluster and Weave GitOps Authentication
+If the same OIDC provider is used to authenticate a user with the cluster
+itself (e.g. for use with `kubectl`) and to Weave GitOps then, depending
+on OIDC configuration, they may end up with the super-set of their permissions
+from Weave GitOps and any other permissions granted to them.
+
+This can lead to un-intended consequences (e.g. viewing `secrets`). To avoid
+this OIDC providers will often let you configure which groups are returned
+to which clients: the Weave GitOps groups should not be returned to the
+cluster client (and visa versa).
+:::
+
+### Code
+
+The yaml to configure these permissions would look roughly like:
+```yaml
+# Admin cluster role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: wego-admin-cluster-role
+rules:
+ - apiGroups: [""]
+ resources: ["secrets", "pods" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["apps"]
+ resources: [ "deployments", "replicasets"]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: [ "kustomizations" ]
+ verbs: [ "get", "list", "patch" ]
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: [ "helmreleases" ]
+ verbs: [ "get", "list", "patch" ]
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories" ]
+ verbs: [ "get", "list", "patch" ]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "watch", "list"]
+---
+# Read only cluster role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: wego-readonly-role
+rules:
+ # All the 'patch' permissions have been removed
+ - apiGroups: [""]
+ resources: ["secrets", "pods" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["apps"]
+ resources: [ "deployments", "replicasets"]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: [ "kustomizations" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: [ "helmreleases" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "watch", "list"]
+---
+# Bind the cluster admin role to the wego-admin group
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: wego-cluster-admin
+subjects:
+- kind: Group
+ name: wego-admin # only Aisha is a member
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name:
wego-admin-cluster-role
+ apiGroup: rbac.authorization.k8s.io
+---
+# Bind the admin role in the team-a namespace for the wego-team-a-admin group
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: wego-team-a-admin-role
+ namespace: team-a
+subjects:
+- kind: Group
+ name: wego-team-a-admin # Aisha & Brian are members
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ # Use the cluster role to set rules, just bind them in the team-a namespace
+ kind: ClusterRole
+ name: wego-admin-role
+ apiGroup: rbac.authorization.k8s.io
+---
+# Bind the readonly role to the readonly group
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: wego-readonly-role
+subjects:
+- kind: Group
+ name: wego-readonly # Everyone is a member
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: wego-readonly-role
+ apiGroup: rbac.authorization.k8s.io
+---
+```
diff --git a/website/versioned_docs/version-0.9.1/configuration/securing-access-to-the-dashboard.mdx b/website/versioned_docs/version-0.9.1/configuration/securing-access-to-the-dashboard.mdx
new file mode 100644
index 0000000000..691e11fd46
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/configuration/securing-access-to-the-dashboard.mdx
@@ -0,0 +1,71 @@
+---
+title: Securing access to the dashboard
+sidebar_position: 1
+---
+
+## Dashboard Login
+
+There are 2 supported methods for logging in to the dashboard:
+- Login via an OIDC provider
+- Login via a cluster user account
+
+The recommended method is to integrate with an OIDC provider, as this will let you control permissions for existing users and groups that have already been configured to use OIDC. However, it is also possible to use a cluster user account to login, if an OIDC provider is not available to use. Both methods work with standard Kubernetes RBAC.
+
+## Login via an OIDC provider
+
+You may decide to give your engineering teams access to the dashboard, in order to view and manage their workloads. In this case, you will want to secure access to the dashboard and restrict who can interact with it. Weave GitOps integrates with your OIDC provider and uses standard Kubernetes RBAC to give you fine-grained control of the permissions for the dashboard users.
+
+#### Background
+
+OIDC extends the OAuth2 authorization protocol by including an additional field (ID Token) that contains information (claims) about a user's identity. After a user successfully authenticates with the OIDC provider, this information is used by Weave GitOps to impersonate the user in any calls to the Kubernetes API. This allows cluster administrators to use RBAC rules to control access to the cluster and also the dashboard.
+
+#### Configuration
+
+In order to login via your OIDC provider, you need to create a Kubernetes secret to store the OIDC configuration. This configuration consists of the following parameters:
+
+| Parameter | Description | Default |
+| ------------------| -------------------------------------------------------------------------------------------------------------------------------- | --------- |
+| `issuerURL` | The URL of the issuer, typically the discovery URL without a path | |
+| `clientID` | The client ID that has been setup for Weave GitOps in the issuer | |
+| `clientSecret` | The client secret that has been setup for Weave GitOps in the issuer | |
+| `redirectURL` | The redirect URL that has been setup for Weave GitOps in the issuer, typically the dashboard URL followed by `/oauth2/callback ` | |
+| `tokenDuration` | The time duration that the ID Token will remain valid, after successful authentication | "1h0m0s" |
+
+Ensure that your OIDC provider has been setup with a client ID/secret and the redirect URL of the dashboard.
+
+Create a secret named `oidc-auth` in the `flux-system` namespace with these parameters set:
+
+```sh
+kubectl create secret generic oidc-auth \
+ --namespace flux-system \
+ --from-literal=issuerURL= \
+ --from-literal=clientID= \
+ --from-literal=clientSecret= \
+ --from-literal=redirectURL= \
+ --from-literal=tokenDuration=
+```
+
+Once the HTTP server starts unauthenticated users will have to click the 'login with OIDC provider' to log in or use the cluster account (if configured). Upon successful authentication, the users' identity will be impersonated in any calls made to the Kubernetes API, as part of any action they take in the dashboard. By default the Helm chart will configure RBAC correctly but it is recommended to read the [service account](service-account-permissions.mdx) and [user](user-permissions.mdx) permissions pages to understand which actions are needed for Weave GitOps to function correctly.
+
+## Login via a cluster user account
+
+Before you login via the cluster user account, you need to generate a bcrypt hash for your chosen password and store it as a secret in Kubernetes. There are several different ways to generate a bcrypt hash, this guide uses `gitops get bcrypt-hash` from our CLI:
+
+Generate the password by running:
+
+```sh
+PASSWORD=""
+echo $PASSWORD | gitops get bcrypt-hash
+$2a$10$OS5NJmPNEb13UgTOSKnMxOWlmS7mlxX77hv4yAiISvZ71Dc7IuN3q
+```
+
+Now create a Kubernetes secret to store your chosen username and the password hash:
+
+```sh
+kubectl create secret generic cluster-user-auth \
+ --namespace flux-system \
+ --from-literal=username=admin \
+ --from-literal=password='$2a$10$OS5NJmPNEb13UTOSKngMxOWlmS7mlxX77hv4yAiISvZ71Dc7IuN3q'
+```
+
+You should now be able to login via the cluster user account using your chosen username and password. Follow the instructions in the next section in order to configure RBAC correctly.
diff --git a/website/versioned_docs/version-0.9.1/configuration/service-account-permissions.mdx b/website/versioned_docs/version-0.9.1/configuration/service-account-permissions.mdx
new file mode 100644
index 0000000000..ee6601be60
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/configuration/service-account-permissions.mdx
@@ -0,0 +1,122 @@
+---
+title: Service Account permissions
+sidebar_position: 2
+---
+
+This is an explanation of the [kubernetes permissions](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
+used by the Weave GitOps service account. This is the service account used by
+the application itself (rather than the static user used for demo/emergency
+access, the permissions for which are covered in the [static user permissions](user-permissions.mdx)
+page)
+
+The default permissions of the service account are defined in the [helm chart](https://github.com/weaveworks/weave-gitops/tree/main/charts/gitops-server/templates/role.yaml) which
+will generate a cluster role with the following permissions:
+
+```yaml
+rules:
+# Used to query the cluster
+- apiGroups: [""]
+ resources: ["users", "groups"] # set by rbac.impersonationResources
+ verbs: [ "impersonate" ]
+ # resourceNames: [] # set by rbac.impersonationResourceNames
+# Used to get OIDC/static user credentials for login
+- apiGroups: [""]
+ resources: [ "secrets" ]
+ verbs: [ "get", "list" ]
+ resourceNames: # set by rbac.viewSecretsResourceNames
+ - "cluster-user-auth"
+ - "oidc-auth"
+# The service account needs to read namespaces to know where it can query
+- apiGroups: [ "" ]
+ resources: [ "namespaces" ]
+ verbs: [ "get", "list" ]
+```
+
+These allow the pod to do three things:
+* [impersonate](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) the user and operate in cluster as them
+* read the available namespaces (this is required to understand the users' permissions)
+* read the `cluster-user-auth` and `oidc-auth` secrets, which are the default secrets
+ to store the cluster-user account and OIDC configuration (see
+ [securing access to the dashboard](securing-access-to-the-dashboard.mdx))
+
+## The Helm values
+
+| Value | Description | Default |
+|-----------------------------------|---------------------------------------------------------------------|--------------------------------------|
+| `rbac.impersonationResources` | Which resource types the service account can impersonate | `["users", "groups"]` |
+| `rbac.impersonationResourceNames` | Specific users, groups or services account that can be impersonated | `[]` |
+| `rbac.viewSecretsResourceNames` | Specific secrets that can be read | `["cluster-user-auth", "oidc-auth"]` |
+
+
+## Impersonation
+
+The primary way Weave GitOps queries the Kube API is via `impersonation`, the
+application (not the cluster) authenticates the user (either via the static
+cluster-user credentials or OIDC) then makes calls to the Kube API on the user's
+behalf. This is equivalent to making a kubectl call like:
+
+```bash
+$ kubectl get deployments --as aisha@example.com
+```
+
+Assuming the user `aisha@example.com` has been granted permissions to get
+deployments within the cluster then this will return them. The same occurs
+within the application. This makes the proper configuration of the application's
+permissions very important as, without proper restrictions it can impersonate
+very powerful `users` or `groups`. For example, the `system:masters` is group
+is generally bound to the `cluster-admin` role which can do anything.
+
+For more details of the permissions needed by the user or group see the
+[user permissions](user-permissions.mdx) guide.
+
+### Configuring impersonation
+
+It is highly recommended that you limit which users and groups that the
+application can impersonate by setting `rbac.impersonationResourceNames` in
+the Helm chart's `values`. e.g.:
+
+```yaml
+rbac:
+ impersonationResources: ["groups"]
+ impersonationResourceNames:
+ - admin
+ - dev-team
+ - qa-team
+```
+In this example the application can only impersonate the groups admin, dev-team
+and qa-team (this also, implicitly disables the static cluster-user).
+
+Unfortunately not all OIDC providers support groups so you may need to
+manually enumerate users, for example:
+```yaml
+rbac:
+ impersonationResources: ["users"]
+ impersonationResourceNames:
+ - aisha@example.com
+ - bill@example.com
+ - wego-admin # enable the static cluster-user
+```
+
+A better, albeit more involved, solution is to set up an OIDC connector like
+[Dex](../guides/setting-up-dex.md) and use that to manage groups for you.
+
+## Get namespaces
+
+The application itself uses get namespace permissions to pre-cache the list of
+available namespaces. As the user accesses resources their permissions within
+various namespaces is also cached to speed up future operations.
+
+## Reading the cluster-user-auth and oidc-auth secrets
+
+The cluster-user-auth and oidc-auth secrets provide information for authenticating
+to the application. The former holds the username and bcrypt-hashed password
+for the static user and the later holds OIDC configuration.
+
+The application needs to be able to access these secrets in order to
+authenticate users.
+
+### Configuring secrets
+
+The `rbac.viewSecretsResourceNames` value allows the operator to change which secrets the
+application can read. This is mostly so that, if the static user is not
+configured, that secret can be removed; or if the secret to be used is re-named.
diff --git a/website/versioned_docs/version-0.9.1/configuration/tls.md b/website/versioned_docs/version-0.9.1/configuration/tls.md
new file mode 100644
index 0000000000..d1070b2202
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/configuration/tls.md
@@ -0,0 +1,50 @@
+---
+title: TLS and certificates
+sidebar_position: 4
+---
+
+## TLS configuration
+
+By default the dashboard will listen on 0.0.0.0:9001 with TLS disabled and
+without exposing any external connection.
+
+Exposing services without TLS if not recommended. Without a certificate, a user
+can't be sure they are using the right service, and the traffic will be easily
+monitored, or even tampered with. All communication between the user and an endpoint
+with TLS will be encrypted.
+
+To expose an external connection, you must first configure TLS. TLS termination
+can be provided via an ingress controller or directly by the dashboard. In
+either case, the helm release must be updated. To have the dashboard itself
+handle TLS, you must create a `tls` secret containing the cert and key:
+
+```
+kubectl create secret tls my-tls-secret \
+ --cert=path/to/cert/file \
+ --key=path/to/key/file
+```
+
+and reference it from the helm release:
+
+```
+ values:
+ serverTLS:
+ enabled: true
+ secretName: "my-tls-secret"
+```
+
+If you prefer to delegate TLS handling to the ingress controller instead, your
+helm release should look like:
+
+```
+ values:
+ ingress:
+ enabled: true
+ ... other parameters specific to the ingress type ...
+```
+
+## cert-manager
+
+Install [cert-manager](../guides/cert-manager.md) and request a `Certificate` in
+the `flux-system` namespace. Provide the name of secret associated with the
+certificate to the weave-gitops-enterprise HelmRelease as described above.
diff --git a/website/versioned_docs/version-0.9.1/configuration/user-permissions.mdx b/website/versioned_docs/version-0.9.1/configuration/user-permissions.mdx
new file mode 100644
index 0000000000..346ddea0e0
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/configuration/user-permissions.mdx
@@ -0,0 +1,103 @@
+---
+title: User permissions
+sidebar_position: 3
+---
+
+This is an explanation of the [kubernetes permissions](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
+needed by users of the Weave GitOps application. As covered in
+[service account permissions](service-account-permissions.mdx)
+the primary way that the application interacts with the Kube API is via [impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation).
+This means that the permissions granted to the users and groups that Weave GitOps
+can impersonate determine the scope of actions that it can take within your cluster.
+
+A minimal set of permissions are generated for the static cluster-user as part
+of the [helm chart](https://github.com/weaveworks/weave-gitops/tree/main/charts/gitops-server/templates/admin-user-roles.yaml).
+
+By default both a ClusterRole and Role are generated for the static cluster-user.
+Both have the same permissions with former being optional and the latter being
+bound to the `flux-system` namespace (where Flux stores its resources by default).
+The default set of rules fall into three groups, discussed below, they are:
+```yaml
+rules:
+# Flux Resources
+- apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: [ "kustomizations" ]
+ verbs: [ "get", "list", "patch" ]
+- apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: [ "helmreleases" ]
+ verbs: [ "get", "list", "patch" ]
+- apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories" ]
+ verbs: [ "get", "list", "patch" ]
+- apiGroups: ["infra.contrib.fluxcd.io"]
+ resources: ["terraforms"]
+ verbs: [ "get", "list", "patch" ]
+# Resources managed via Flux
+- apiGroups: [""]
+ resources: ["configmaps", "secrets", "pods", "services", "namespaces", "persistentvolumes", "persistentvolumeclaims"]
+ verbs: [ "get", "list" ]
+- apiGroups: ["apps"]
+ resources: [ "deployments", "replicasets", "statefulsets"]
+ verbs: [ "get", "list" ]
+- apiGroups: ["batch"]
+ resources: [ "jobs", "cronjobs"]
+ verbs: [ "get", "list" ]
+- apiGroups: ["autoscaling"]
+ resources: ["horizontalpodautoscalers"]
+ verbs: [ "get", "list" ]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings"]
+ verbs: [ "get", "list" ]
+- apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: [ "get", "list" ]
+# Feedback
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "watch", "list"]
+```
+
+
+### Flux Resources
+
+The resources that Flux works with directly, including the one from TF-controller.
+
+| Api Group | Resources | Permissions |
+|-----------------------------|--------------------------------------------------------|------------------|
+| kustomize.toolkit.fluxcd.io | kustomizations | get, list, patch |
+| helm.toolkit.fluxcd.io | helmreleases | get, list, patch |
+| source.toolkit.fluxcd.io | buckets, helmcharts, gitrepositories, helmrepositories | get, list, patch |
+| infra.contrib.fluxcd.io | terraforms | get, list, patch |
+
+In order for Weave GitOps to be able to accurately display the state of Flux it
+needs to be able to query the [CRDs](https://fluxcd.io/docs/components/) that Flux uses. This is done using the
+`get` and `list` permissions
+
+The `patch` permissions are used to enable the 'sync' functionality which forces
+reconciliation of a resource. This is done Weave GitOps modifying the annotations
+of the resource in the same way `flux reconcile` does on the CLI.
+
+### Resources managed via Flux
+
+| Api Group | Resources | Permissions |
+|---------------------------|--------------------------------------------------------------------------------|-------------|
+| "" | configmaps, secrets, pods, services, persistentvolumes, persistentvolumeclaims | get, list |
+| apps | deployments, replicasets, statefulsets | get, list |
+| batch | jobs, cronjobs | get, list |
+| autoscaling | horizontalpodautoscalers | get, list |
+| rbac.authorization.k8s.io | roles, clusterroles, rolebindings, clusterrolebindings | get, list |
+| networking.k8s.io | ingresses | get, list |
+
+Weave GitOps reads basic resources so that it can monitor the effect that Flux has
+on what's running.
+
+Reading `secrets` enables Weave GitOps to monitor the state of Helm releases
+as that's where it stores the [state by default](https://helm.sh/docs/faq/changes_since_helm2/#secrets-as-the-default-storage-driver).
+For clarity this these are the Helm release objects _not_ the Flux HelmRelease
+resource (which are dealt with by the earlier section).
+
+### Feedback from Flux
+
+The primary method by which Flux communicates the status of itself is by events,
+these will show when reconciliations start and stop, whether they're successful
+and information as to why they're not.
diff --git a/website/versioned_docs/version-0.9.1/enterprise/_category_.json b/website/versioned_docs/version-0.9.1/enterprise/_category_.json
new file mode 100644
index 0000000000..262f8b1288
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/enterprise/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Enterprise",
+ "position": 9
+}
diff --git a/website/versioned_docs/version-0.9.1/enterprise/intro.md b/website/versioned_docs/version-0.9.1/enterprise/intro.md
new file mode 100644
index 0000000000..3157bf5434
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/enterprise/intro.md
@@ -0,0 +1,16 @@
+---
+title: Introduction
+sidebar_position: 0
+---
+
+## Weave GitOps Enterprise
+
+Weave GitOps Enterprise (WGE) provides ops teams with an easy way to assess the
+health of multiple clusters in a single place. It shows cluster information such as
+Kubernetes version and number of nodes and provides details about the GitOps operations
+on those clusters, such as Git repositories and recent commits. Additionally, it
+aggregates Prometheus alerts to assist with troubleshooting.
+
+## How to purchase
+
+Get in touch with sales@weave.works to discuss your needs.
diff --git a/website/versioned_docs/version-0.9.1/feedback-and-telemetry.md b/website/versioned_docs/version-0.9.1/feedback-and-telemetry.md
new file mode 100644
index 0000000000..81421196e2
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/feedback-and-telemetry.md
@@ -0,0 +1,37 @@
+---
+title: Feedback and Telemetry
+sidebar_position: 7
+hide_title: true
+---
+
+## Feedback
+
+We ❤️ your comments and suggestions as we look to make successfully adopting a cloud-native approach, to application deployment on Kubernetes with GitOps, easier and easier. There are a number of ways you can reach out:
+
+- Raise an [issue](https://github.com/weaveworks/weave-gitops/issues)
+- Invite yourself to the Weave Users Slack.
+- Chat to us on the [#weave-gitops](https://weave-community.slack.com/messages/weave-gitops/) slack channel.
+- Set up time with one of our team: [David](https://calendly.com/david-harris-weaveworks) - Product Manager (UK) or [James](https://calendly.com/james-weave-works/product-interview) - Product Director (US - East Coast)
+- Come along to one of our [events](https://www.meetup.com/Weave-User-Group/)
+
+## Telemetry
+
+To help us understand how we can improve your experience with Weave GitOps, and prioritise enhancements, we would like to collect anonymised usage data. Currently, only the `gitops` CLI has any notion of telemetry, however we would like to expand this to Weave GitOps in the future.
+
+### gitops CLI
+No personally identifiable information is collected, we use [https://github.com/weaveworks/go-checkpoint](https://github.com/weaveworks/go-checkpoint) an implementation based on [https://checkpoint.hashicorp.com/](https://checkpoint.hashicorp.com/) to notify users of newly available updates, as well as collecting basic CLI metrics, up to 2 verbs, without any flags or user provided information.
+
+For example the command: `gitops add cluster --from-template --set key=val --dry-run`
+Would report the following: `gitops add cluster` alongside:
+- OS/Arch - for example, darwin
+- Version of gitops - for example, 0.6.2-RC1
+- Whether the version of gitops is a release candidate or full release, yes/no
+- A signature, when possible to derive from system uuid, to determine a non-identifiable (based on all other data) unique user.
+
+You can opt-out at any time by issuing:
+
+```
+export CHECKPOINT_DISABLE=1
+```
+
+Weaveworks privacy policy is available [here](https://www.weave.works/weaveworks-privacy-policy/).
\ No newline at end of file
diff --git a/website/versioned_docs/version-0.9.1/getting-started.mdx b/website/versioned_docs/version-0.9.1/getting-started.mdx
new file mode 100644
index 0000000000..889ab566c7
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/getting-started.mdx
@@ -0,0 +1,408 @@
+---
+title: Getting Started
+sidebar_position: 2
+hide_title: true
+---
+
+# Getting Started with Weave GitOps
+
+This hands-on guide will introduce you to the basics of the GitOps Dashboard web UI, to help you understand the state of your system, before deploying a new application to your cluster. It is adapted from this guide - [Flux - Getting Started](https://fluxcd.io/docs/get-started/).
+
+If you haven't already, be sure to check out our [introduction](./intro.md) to Weave GitOps.
+
+## Before you begin
+
+We will provide a complete walkthrough of getting Flux installed and Weave GitOps configured. However, if you have:
+- an existing cluster bootstrapped Flux 🎉
+- followed our [installation](./installation.mdx) doc to configure access to the Weave GitOps dashboard then install Weave GitOps 👏
+
+Then you can skip ahead to [Part 1](#part-1---weave-gitops-overview) 🏃
+but note ⚠️ you may need to alter commands where we are committing files to GitHub ⚠️.
+
+To follow along, you will need the following:
+- A Kubernetes cluster - such as [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/).
+- A [GitHub](https://github.com) account and [personal access token with repo permissions](https://help.github.com/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line).
+- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl)
+
+### Install Flux
+
+1. Install the flux CLI
+
+```
+brew install fluxcd/tap/flux
+```
+
+For For other installation methods, see the relevant [Flux documentation](https://fluxcd.io/docs/installation/#install-the-flux-cli).
+
+2. Export your credentials
+
+```
+export GITHUB_TOKEN=
+export GITHUB_USER=
+```
+
+3. Check your Kubernetes cluster
+
+```
+flux check --pre
+```
+
+The output is similar to:
+```
+► checking prerequisites
+✔ kubernetes 1.22.2 >=1.20.6
+✔ prerequisites checks passed
+```
+
+4. Install Flux onto your cluster with the `flux bootstrap` command
+
+```
+flux bootstrap github \
+ --owner=$GITHUB_USER \
+ --repository=fleet-infra \
+ --branch=main \
+ --path=./clusters/my-cluster \
+ --personal
+```
+
+Full installation documentation including how to work with other Git providers is available [here](https://fluxcd.io/docs/installation/).
+
+The bootstrap command above does following:
+
+- Creates a git repository fleet-infra on your GitHub account
+- Adds Flux component manifests to the repository
+- Deploys Flux Components to your Kubernetes Cluster
+- Configures Flux components to track the path /clusters/my-cluster/ in the repository
+
+### Configure access to the dashboard
+For this guide we will use the cluster user, for complete documentation including how to configure an OIDC provider see the documentation [here](./configuration/securing-access-to-the-dashboard.mdx).
+
+We will generate a bcrypt hash for your chosen password and store it as a secret in Kubernetes. There are several different ways to generate a bcrypt hash, this guide uses `gitops get bcrypt-hash` from our CLI.
+
+1. Clone your git repository where Flux has been bootstrapped (you could skip this step if you performed previous steps in this doc).
+
+```
+git clone https://github.com/$GITHUB_USER/fleet-infra
+cd fleet-infra
+```
+
+2. Generate the password:
+
+```
+PASSWORD=""
+echo $PASSWORD | gitops get bcrypt-hash
+$2a$10$OS5NJmPNEb13UgTOSKnMxOWlmS7mlxX77hv4yAiISvZ71Dc7IuN3q
+```
+
+3. Save this [bcrypt-hash](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Password_Storage_Cheat_Sheet.md) in a values file:
+```yaml title="./weave-gitops-values.yaml"
+adminUser:
+ create: true
+ username: admin
+ passwordHash: $2a$10$OS5NJmPNEb13UgTOSKnMxOWlmS7mlxX77hv4yAiISvZ71Dc7IuN3q
+```
+
+:::info
+Storing a hash of a password is relatively safe for demo and testing purposes but it is recommend that you look at more secure methods of storing secrets (such as [Flux's SOPS integration](https://fluxcd.io/docs/guides/mozilla-sops/)) for production systems.
+:::
+
+### Install Weave GitOps
+
+Weave GitOps is installable via a Helm Chart and as such can be managed by Flux.
+
+1. Clone your git repository where Flux has been bootstrapped.
+
+```
+git clone https://github.com/$GITHUB_USER/fleet-infra
+cd fleet-infra
+```
+
+2. Create a `HelmRepository` Source for Weave GitOps
+
+```
+flux create source helm ww-gitops \
+ --url=https://helm.gitops.weave.works \
+ --export > ./clusters/my-cluster/weave-gitops-source.yaml
+```
+
+The generated file should look like this:
+
+```yaml title="./clusters/my-cluster/weave-gitops-source.yaml"
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: ww-gitops
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ url: https://helm.gitops.weave.works
+```
+
+3. Commit and push the `weave-gitops-source.yaml` to the `fleet-infra` repository
+
+```
+git add -A && git commit -m "Add Weave GitOps HelmRepository"
+git push
+```
+
+4. Create a `HelmRelease` to deploy Weave GitOps
+
+```
+flux create helmrelease ww-gitops \
+ --source=HelmRepository/ww-gitops \
+ --chart=weave-gitops \
+ --values= \
+ --export > ./clusters/my-cluster/weave-gitops-helmrelease.yaml
+```
+
+5. Commit and push the `weave-gitops-helmrelease.yaml` to the `fleet-infra` repository
+
+```
+git add -A && git commit -m "Add Weave GitOps HelmRelease"
+git push
+```
+
+6. Validate that Weave GitOps and Flux are installed
+
+```
+kubectl get pods -n flux-system
+```
+
+You should see something similar to:
+
+```
+NAME READY STATUS RESTARTS AGE
+helm-controller-5bfd65cd5f-gj5sz 1/1 Running 0 10m
+kustomize-controller-6f44c8d499-s425n 1/1 Running 0 10m
+notification-controller-844df5f694-2pfcs 1/1 Running 0 10m
+source-controller-6b6c7bc4bb-ng96p 1/1 Running 0 10m
+ww-gitops-weave-gitops-86b645c9c6-k9ftg 1/1 Running 0 5m
+```
+
+:::info
+There's many other things you can configure in the weave gitops helm chart. For a reference, see [our value file reference](./references/helm-reference.md).
+:::
+
+## Part 1 - Weave GitOps overview
+
+Weave GitOps provides insights into your application deployments, and makes continuous delivery with GitOps easier to adopt and scale across your teams. We will now login to the dashboard web UI and start to explore the state of our GitOps deployments.
+
+### Login to the GitOps Dashboard
+
+1. Expose the service running on the cluster
+```
+kubectl port-forward svc/ww-gitops-weave-gitops -n flux-system 9001:9001
+```
+
+2. [Open the dashboard](http://localhost:9001/) and login using either the cluster user or OIDC based on your [configuration](./configuration/securing-access-to-the-dashboard.mdx). If you followed the example above, the username will be `admin`, and the password is the non-encypted value you provided as $PASSWORD.
+
+![Weave GitOps login screen](/img/dashboard-login.png)
+
+### Applications view
+
+When you login to the dashboard you are brought to the Applications view, which allows you to quickly understand the state of your deployments across a cluster at a glance. It shows summary information from `kustomization` and `helmrelease` objects.
+
+![Applications summary view showing Flux System and Weave GitOps deployments](/img/dashboard-applications-overview.png)
+
+In the above screenshot you can see:
+- a `Kustomization` called `flux-system`, which was created when Flux was bootstrapped onto the Cluster, and is deploying the GitOps Toolkit controllers. It is also deploying further Flux objects defined in the same repo, so that Flux will deploy additional workloads which includes our Helm Chart for Weave GitOps.
+- a `HelmRelease` called `ww-gitops` which deploys the aforementioned Helm Chart.
+
+This table view shows the reported status so you can understand whether a reconciliation has been successful, and when they have last been updated. You can also see where the Flux objects are deployed and which `Source` object they are reconciling from; clicking the name of the Source it will take you to a detail view for the given source object. The view automatically updates every few seconds so you know the current state of your system.
+
+You can search for and filter objects by `Name` by clicking the magnifying glass, or filter by `Type` by clicking the strawberry icon to its right.
+
+Clicking the Name of an object will take you to a detailed view for the given Kustomization or HelmRelease. Which we will explore in a moment.
+
+### The Sources view
+
+Clicking on Sources in the left hand menu will bring you to the Sources view. This view shows you where flux pulls its application definitions from, for example Git repositories, and the current state of that synchronization. This shows summary information from `gitrepository`, `helmrepository`, `helmchart` and `bucket` objects.
+
+![Sources summary view showing Flux System and Weave GitOps sources](/img/dashboard-sources.png)
+
+In the above screenshot you can see:
+- a `GitRepository` called `flux-system`, which was created when Flux was bootstrapped onto the Cluster, and contains the manifests for the GitOps Toolkit and Weave GitOps and various Flux objects.
+- a `HelmChart` called `flux-system-ww-gitops`, which is automatically created by Flux when you define a `HelmRelease` to deploy a Helm Chart from a given source.
+- a `HelmRepository` called `ww-gitops` which pulls from the Helm Repository where the Weave GitOps Helm Chart is published.
+
+The table view again shows summary status information so you can see whether Flux has been able to successfully pull from a given source and which specific commit was last detected. It shows key information like the `Interval`, namely how frequently Flux will check for updates in a given source location. You can apply filtering as per the Applications view, can click the `URL` to navigate to a given source i.e. a repository in GitHub, or the `Name` of a `Source` to view more details about it.
+
+
+### The Flux Runtime view
+
+Clicking on `Flux Runtime` provides status on the GitOps engine continuously reconciling your desired and live state. It shows your installed GitOps Toolkit Controllers and their version.
+
+![Flux Runtime view showing the various GitOps Toolkit controllers](/img/dashboard-flux-runtime.png)
+
+By default `flux bootstrap` will install the following controllers:
+- helm-controller
+- kustomize-controller
+- notification-controller
+- source-controller
+
+For a full description of the controllers, see [GitOps ToolKit components](https://fluxcd.io/docs/components/) in the Flux documentation.
+
+Weave GitOps is an extension to Flux and the pod serving this web application is also viewable as `ww-gitops-weave-gitops`.
+
+From this view you can see whether the controllers are healthy and which version of a given component is currently deployed.
+
+### Exploring the flux-system deployment
+
+Let's explore the `flux-system` kustomization. Navigate back to the `Applications` view and click on the `flux-system` object.
+
+![Application detail view for the flux system kustomization](/img/dashboard-application-flux.png)
+
+After a few moments loading the data, you should see similar to the above screenshot. From here you can see key information about how this resource is defined: which `Source` it is reading from, the latest applied commit, the exact path with the Source repository that is being deployed, and the `Interval` in which Flux will look to reconcile any difference between the declared and live state - i.e. if a kubectl patch had been applied on the cluster, it would effectively be reverted. If a longer error message was being reported by this object, you would be able to see it in its entirety on this page.
+
+Underneath the summary information are four tabs:
+
+- Details (default) is a table view which shows all the Kubernetes objects (including flux objects, deployments, pods, services, etc) managed and deployed through this `kustomization`.
+- Events (shown below) shows any related Kubernetes events to help you diagnose issues and understand health over time.
+- Reconciliation Graph (shown below) provides a directional graph alternative to the Details view to help you understand how the various objects relate to each other.
+- Yaml (shown below) provides a raw dump on the current object as it currently exists inside your cluster. Note that this will be different from what's in your gitops repository, since this yaml view will contain the current status of the object.
+ +**Events tab** +![Application detail view showing events for an object](/img/dashboard-application-events.png) + +**Reconciliation Graph tab** +![Application detail view showing reconciliation graph - a directional graph showing object relationships](/img/dashboard-application-reconciliation.png) + +**Yaml tab** +![Application detail view showing the yaml display](/img/dashboard-application-yaml.png) + +#### Source details view +Finally lets look at the Source in more detail - go back to the Details tab, and click `GitRepository/flux-system` from the summary at the top of the page. + +![Source detail view showing details for an object](/img/dashboard-source-flux.png) + +As with an Application detail view, you can see key information about how the resource is defined. Then beneath alongside the Events tab, is a Related Automations view. This shows all the `kustomization` objects which have this object as their Source. + + +## Part 2 - Deploying and viewing podinfo application + +Now that you have a feel for how to navigate the dashboard. Let's deploy a new application and explore that as well. In this section we will use the [podinfo](https://github.com/stefanprodan/podinfo) sample web application. + +### Deploying podinfo + +1. Clone or navigate back to your git repository where you have bootstrapped Flux, for example: + +``` +git clone https://github.com/$GITHUB_USER/fleet-infra +cd fleet-infra +``` + +2. Create a `GitRepository` Source for podinfo + +``` +flux create source git podinfo \ + --url=https://github.com/stefanprodan/podinfo \ + --branch=master \ + --interval=30s \ + --export > ./clusters/my-cluster/podinfo-source.yaml +``` + +3. Commit and push the `podinfo-source` to the `fleet-infra` repository + +``` +git add -A && git commit -m "Add podinfo source" +git push +``` + +4. 
Create a `kustomization` to build and apply the podinfo manifest + +``` +flux create kustomization podinfo \ + --target-namespace=flux-system \ + --source=podinfo \ + --path="./kustomize" \ + --prune=true \ + --interval=5m \ + --export > ./clusters/my-cluster/podinfo-kustomization.yaml +``` + +5. Commit and push the `podinfo-kustomization` to the `fleet-infra` repository + +``` +git add -A && git commit -m "Add podinfo kustomization" +git push +``` + +### View the application in Weave GitOps + +Flux will detect the updated `fleet-infra` and add podinfo. If we navigate back to the [dashboard](http://localhost:9001/) you should see the podinfo application appear. + +![Applications summary view showing Flux System, Weave GitOps and Podinfo](/img/dashboard-applications-with-podinfo.png) + +Click on podinfo and you will see details about the deployment, including that there are 2 replicas available. + +![Applications details view for podinfo showing 2 pods](/img/dashboard-podinfo-details.png) + +### Customize podinfo + +To customize a deployment from a repository you don’t control, you can use Flux in-line patches. The following example shows how to use in-line patches to change the podinfo deployment. + +1. Add the `patches` section as shown below to the field spec of your podinfo-kustomization.yaml file so it looks like this: + +```yaml title="./clusters/my-cluster/podinfo-kustomization.yaml" +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: podinfo + namespace: flux-system +spec: + interval: 5m0s + path: ./kustomize + prune: true + sourceRef: + kind: GitRepository + name: podinfo + targetNamespace: flux-system +// highlight-start + patches: + - patch: |- + apiVersion: autoscaling/v2beta2 + kind: HorizontalPodAutoscaler + metadata: + name: podinfo + spec: + minReplicas: 3 + target: + name: podinfo + kind: HorizontalPodAutoscaler +// highlight-end +``` + +2. 
Commit and push the podinfo-kustomization.yaml changes: + +``` +git add -A && git commit -m "Increase podinfo minimum replicas" +git push +``` + +3. Navigate back to the dashboard and you will now see increased replica count and the newly created 3rd pod + +![Applications details view for podinfo showing 3 pods](/img/dashboard-podinfo-updated.png) + + +### Suspend updates + +Suspending updates to a kustomization allows you to directly edit objects applied from a kustomization, without your changes being reverted by the state in Git. + +To suspend updates for a kustomization, from the details page, click on the suspend button at the top, and you should see it be suspended: + +![Podinfo details showing Podinfo suspended](/img/dashboard-podinfo-details-suspended.png) + +This shows in the applications view with a yellow warning status indicating it is now suspended + +![Applications summary view showing Podinfo suspended](/img/dashboard-podinfo-suspended.png) + +To resume updates, go back to the details page, click the resume button, and after a few seconds reconsolidation will continue: + +![Applications details view for podinfo being resumed](/img/dashboard-podinfo-updated.png) + +## Complete! + +Congratulations 🎉🎉🎉 + +You've now completed the getting started guide. We would welcome any and all [feedback](feedback-and-telemetry.md) on your experience. diff --git a/website/versioned_docs/version-0.9.1/guides/_category_.json b/website/versioned_docs/version-0.9.1/guides/_category_.json new file mode 100644 index 0000000000..b6d4772488 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/guides/_category_.json @@ -0,0 +1,4 @@ +{ + "label": "Guides", + "position": 4 +} diff --git a/website/versioned_docs/version-0.9.1/guides/assets/templates/capa-template.yaml b/website/versioned_docs/version-0.9.1/guides/assets/templates/capa-template.yaml new file mode 100644 index 0000000000..daeff39f1f --- /dev/null 
+++ b/website/versioned_docs/version-0.9.1/guides/assets/templates/capa-template.yaml 
@@ -0,0 +1,86 @@ +apiVersion: capi.weave.works/v1alpha1 +kind: CAPITemplate +metadata: + name: aws-eks-dev + namespace: default +spec: + description: AWS EKS Development Cluster + params: + - name: CLUSTER_NAME + description: The name for this cluster. + - name: AWS_REGION + description: AWS Region to create cluster + options: ['us-east-1','eu-central-1','eu-west-2','us-west-2'] + - name: KUBERNETES_VERSION + description: EKS Kubernetes version to use + options: ['v1.19.8','v1.20.7','v1.21.2'] + - name: WORKER_MACHINE_COUNT + description: Number of worker nodes to create. + resourcetemplates: + - apiVersion: gitops.weave.works/v1alpha1 + kind: GitopsCluster + metadata: + name: "${CLUSTER_NAME}" + namespace: default + labels: + weave.works/capi: bootstrap + spec: + capiClusterRef: + name: "${CLUSTER_NAME}" + + - apiVersion: cluster.x-k8s.io/v1beta1 + kind: Cluster + metadata: + name: ${CLUSTER_NAME} + namespace: default + labels: + weave.works/capi: bootstrap + spec: + clusterNetwork: + pods: + cidrBlocks: + - 192.168.0.0/16 + controlPlaneRef: + apiVersion: controlplane.cluster.x-k8s.io/v1beta1 + kind: AWSManagedControlPlane + name: ${CLUSTER_NAME}-control-plane + infrastructureRef: + apiVersion: controlplane.cluster.x-k8s.io/v1beta1 + kind: AWSManagedControlPlane + name: ${CLUSTER_NAME}-control-plane + + - apiVersion: controlplane.cluster.x-k8s.io/v1beta1 + kind: AWSManagedControlPlane + metadata: + name: ${CLUSTER_NAME}-control-plane + namespace: default + spec: + region: ${AWS_REGION} + sshKeyName: default + version: ${KUBERNETES_VERSION} + eksClusterName: ${CLUSTER_NAME} + + - apiVersion: cluster.x-k8s.io/v1beta1 + kind: MachinePool + metadata: + name: ${CLUSTER_NAME}-pool-0 + namespace: default + spec: + clusterName: ${CLUSTER_NAME} + replicas: ${WORKER_MACHINE_COUNT} + template: + spec: + bootstrap: + dataSecretName: "" + clusterName: ${CLUSTER_NAME} + infrastructureRef: + apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: AWSManagedMachinePool + 
name: ${CLUSTER_NAME}-pool-0 + + - apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: AWSManagedMachinePool + metadata: + name: ${CLUSTER_NAME}-pool-0 + namespace: default + spec: {} diff --git a/website/versioned_docs/version-0.9.1/guides/cert-manager.md b/website/versioned_docs/version-0.9.1/guides/cert-manager.md new file mode 100644 index 0000000000..77992ca595 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/guides/cert-manager.md 
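Review bot: `sshKeyName: default` in the `AWSManagedControlPlane` is hard-coded while `AWS_REGION` is a template parameter, so every cluster rendered from this template silently depends on an EC2 key pair literally named `default` existing in whichever region the user picks, and presumably attaches that key for SSH access. Since deploying-capa.mdx tells readers to download and commit this file as-is, it would be safer to make the key a parameter in the same style as the others, e.g. add `- name: SSH_KEY_NAME` (placeholder name) under `params` with `description: EC2 key pair for SSH access; leave empty to disable` and reference it as `sshKeyName: "${SSH_KEY_NAME}"`, or set it to `""` if the provider accepts that and SSH access is not needed. The `KUBERNETES_VERSION` options stop at `v1.21.2`; a comment such as `# keep in step with the EKS versions currently supported` would remind maintainers that the list is baked into every downloaded copy.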
@@ -0,0 +1,97 @@ +--- +title: Generating TLS certificates with cert-manager and Let's Encrypt +sidebar_position: 2 +--- + +In this guide we will show you how to add cert-manager to a cluster bootstrapped with Weave GitOps, and how +to configure the use of Let's Encrypt to issue TLS certificates. + +### Pre-requisites +- A Kubernetes cluster such as [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/) cluster running a +[Flux-supported version of Kubernetes](https://fluxcd.io/docs/installation/#prerequisites) +- Weave GitOps is [installed](../installation.mdx) + +## What is cert-manager? +[cert-manager](https://cert-manager.io/), a CNCF project, provides a way to automatically manage certificates +in Kubernetes and OpenShift clusters. "It will obtain certificates from a variety of Issuers, both popular public +Issuers as well as private Issuers, and ensure the certificates are valid and up-to-date, and will attempt to +renew certificates at a configured time before expiry". + +## Install cert-manager + +As cert-manager can be installed using a [Helm Chart](https://cert-manager.io/docs/installation/helm/), we can +simply create a `HelmRepository` and a `HelmRelease` to have Flux install everything. + +Commit the following to a location being reconciled by Flux. 
+ +```yaml +--- +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: cert-manager + namespace: cert-manager +spec: + interval: 1h + url: https://charts.jetstack.io +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: cert-manager + namespace: cert-manager +spec: + interval: 5m + chart: + spec: + chart: cert-manager + version: 1.8.0 + sourceRef: + kind: HelmRepository + name: cert-manager + namespace: cert-manager + interval: 1m + values: + installCRDs: true +``` + +:::note cert-manager version +At time of writing, cert manager v1.8.0 was the latest available release and a newer version may exist, please +ensure to check https://github.com/cert-manager/cert-manager/tags for updates. +::: + +Now that `cert-manager` is running, we can create a `ClusterIssuer` to represent the certificate authority +from which we will obtain signed certificates, in this example we are using Let's Encrypt. After changing +the email address, commit this to the same location as above. + + +```yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + # You must replace this email address with your own. + # Let's Encrypt will use this to contact you about expiring + # certificates, and issues related to your account. + email: weave-gitops@example.tld + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + # Secret resource that will be used to store the account's private key. + name: letsencrypt-prod-account-key + solvers: + # Add a single challenge solver, HTTP01 using nginx + - http01: + ingress: + class: nginx +``` + +Once this `ClusterIssuer` resource is installed, the cluster is now configured to request and use certificates generated by Cert Manager. 
+ +This could be manually requested through the creation of a [Certificate resource](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) or configured to be automatic as shown in our [Configuring OIDC with Dex and GitHub](./setting-up-dex.md) guide. diff --git a/website/versioned_docs/version-0.9.1/guides/delivery.mdx b/website/versioned_docs/version-0.9.1/guides/delivery.mdx new file mode 100644 index 0000000000..a188726592 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/guides/delivery.mdx 
@@ -0,0 +1,554 @@ +--- +title: Progressive delivery using Flagger +hide_title: true +sidebar_position: 6 +--- + +import TierLabel from "../_components/TierLabel"; + +# Progressive delivery using Flagger + +[Flagger](https://docs.flagger.app/) is a progressive delivery operator for Kubernetes. It is designed to reduce risks when introducing new software versions and to improve time to delivery through automating production releases. Weave GitOps Enterprise's UI allows you to view the state of these progressive delivery rollouts, and how they are configured using Flagger's [canary](https://docs.flagger.app/usage/how-it-works#canary-resource) object, through the Applications > Delivery view. + +![Applications Delivery view](/img/dashboard-applications-delivery.png) + +This guide uses Flux manifests to install Flagger and Linkerd. Flagger can work with a number of service meshes and ingress controllers, to support various progressive delivery [deployment strategies](https://docs.flagger.app/usage/deployment-strategies). Using Flux allows us to manage our cluster applications in a declarative way through changes in a Git repository. + +In this guide, we will walk you through a full end-to-end scenario where you will: +- [Install the Linkerd service mesh](#installing-linkerd-using-flux) +- [Install Flagger](#installing-flagger-using-flux) +- [Deploy a sample application using a canary release strategy based on metrics provided through Linkerd's in-built Prometheus instance](#deploy-a-canary-release) + +## Prerequisites +- This guide assumes you already have a Kubernetes cluster running and have bootstrapped Flux. To apply the manifests listed in this guide, you will need to commit them to a repository being reconciled with Flux. For help installing Flux, you can follow their [getting started](https://fluxcd.io/docs/get-started/) documentation. 
+- Flagger requires the `autoscaling/v2` API to be installed on the cluster, you can use `kubectl api-resources` to check which API versions are supported. +- The [step](https://smallstep.com/cli/) CLI installed to generate certificates in order to support mTLS connections. + +## Installing Linkerd using Flux + +For the Linkerd installation, a Kustomization file will be used. This will allow us to specify the installation order and the default namespace for the installed resources but also to easily generate Secrets from certificate files via the use of a `secretGenerator`. + +In order to support mTLS connections between meshed pods, Linkerd requires a trust anchor certificate and an issuer certificate with its corresponding key. These certificates are automatically created when the `linkerd install` command is used but when using a Helm chart to install Linkerd, these certificates need to be provided. The `step` CLI allows us to generate these certificates. + +To generate the trust anchor certificate run: +```bash +step certificate create root.linkerd.cluster.local ca.crt ca.key \ +--profile root-ca --no-password --insecure +``` + +To generate the issuer certificate run: +```bash +step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \ +--profile intermediate-ca --not-after 8760h --no-password --insecure \ +--ca ca.crt --ca-key ca.key +``` + +Add the `ca.crt`, `issuer.crt` and `issuer.key` files to the cluster repository under a `linkerd` directory. 
+ +To control where the Linkerd components get installed, we need to add a Namespace resource: + +```yaml title="linkerd/namespace.yaml" +apiVersion: v1 +kind: Namespace +metadata: + name: linkerd + labels: + config.linkerd.io/admission-webhooks: disabled +``` + +Make the Linkerd Helm repository available in the cluster, by adding the following `HelmRepository` manifest: + +```yaml title="linkerd/source.yaml" +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: linkerd +spec: + interval: 1h + url: https://helm.linkerd.io/stable +``` + +Then, to install the latest version of Linkerd, add the following `HelmRelease` manifests: + +```yaml title="linkerd/releases.yaml" +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: linkerd +spec: + interval: 10m + chart: + spec: + chart: linkerd2 + reconcileStrategy: ChartVersion + sourceRef: + kind: HelmRepository + name: linkerd + install: + crds: Create + upgrade: + crds: CreateReplace + valuesFrom: + - kind: Secret + name: linkerd-certs + valuesKey: ca.crt + targetPath: identityTrustAnchorsPEM + - kind: Secret + name: linkerd-certs + valuesKey: issuer.crt + targetPath: identity.issuer.tls.crtPEM + - kind: Secret + name: linkerd-certs + valuesKey: issuer.key + targetPath: identity.issuer.tls.keyPEM + values: + installNamespace: false + identity: + issuer: + crtExpiry: "2023-07-18T20:00:00Z" # Change this to match generated certificate expriry date +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: linkerd-viz +spec: + interval: 10m + dependsOn: + - name: linkerd + chart: + spec: + chart: linkerd-viz + reconcileStrategy: ChartVersion + sourceRef: + kind: HelmRepository + name: linkerd +``` + +The value for the `spec.values.identity.issuer.crtExpiry` field above depends on the parameter value used during the creation of the issuer certificate previously. In this example, it should be set to 1 year from the certificate creation. 
+ +Then, add the following file to instruct Kustomize to patch any `Secrets` that are referenced in `HelmRelease` manifests: + +```yaml title="linkerd/kustomizeconfig.yaml" +nameReference: + - kind: Secret + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease +``` + +Finally, add the following Kustomization file that references all the previous files that were added: + +```yaml title="linkerd/kustomization.yaml" +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: linkerd +configurations: +- kustomizeconfig.yaml +resources: +- namespace.yaml +- source.yaml +- releases.yaml +secretGenerator: + - name: linkerd-certs + files: + - ca.crt + - issuer.crt + - issuer.key +``` + +The `secretGenerator` is used to generate Secrets from the generated files. + +The `linkerd` directory in the cluster repository should look like this: + +```bash +> tree linkerd +linkerd +├── ca.crt +├── issuer.crt +├── issuer.key +├── kustomization.yaml +├── kustomizeconfig.yaml +├── namespace.yaml +├── releases.yaml +└── source.yaml +``` + +Once Flux reconciles this directory to the cluster, Linkerd should get installed. + +Before proceeding to the next step, check that all the Linkerd pods have started successfully: + +```bash +> kubectl get pods -n linkerd +NAME READY STATUS RESTARTS AGE +linkerd-destination-66d5668b-4mw49 4/4 Running 0 10m +linkerd-identity-6b4658c74b-6nc97 2/2 Running 0 10m +linkerd-proxy-injector-6b76789cb4-8vqj4 2/2 Running 0 10m + +> kubectl get pods -n linkerd-viz +NAME READY STATUS RESTARTS AGE +grafana-db56d7cb4-xlnn4 2/2 Running 0 10m +metrics-api-595c7b564-724ps 2/2 Running 0 10m +prometheus-5d4dffff55-8fscd 2/2 Running 0 10m +tap-6dcb89d487-5ns8n 2/2 Running 0 10m +tap-injector-54895654bb-9xn7k 2/2 Running 0 10m +web-6b6f65dbc7-wltdg 2/2 Running 0 10m +``` + +:::note +Make sure that any new directories that you add to the cluster repository as part of this guide, are included in a path that Flux reconciles. 
+::: + + + +## Installing Flagger using Flux + +For the Flagger installation, a Kustomization file will be used to define the installation order and provide a default namespace for the installed resources. + +Create a new `flagger` directory and make sure it is under a repository path that Flux reconciles. + +Then, add a Namespace resource for Flagger: + +```yaml title="flagger/namespace.yaml" +apiVersion: v1 +kind: Namespace +metadata: + name: flagger +``` + +Then, to make the Flagger Helm repository available in the cluster, add the following `HelmRepository` manifest: + +```yaml title="flagger/source.yaml" +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: flagger +spec: + interval: 1h + url: https://flagger.app +``` + +Then, to install the latest version of Flagger and the load tester app, which is used to generate synthetic traffic during the analysis phase, add the following `HelmRelease` manifests: + +```yaml title="flagger/releases.yaml" +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: flagger +spec: + releaseName: flagger + install: + crds: Create + upgrade: + crds: CreateReplace + interval: 10m + chart: + spec: + chart: flagger + reconcileStrategy: ChartVersion + sourceRef: + kind: HelmRepository + name: flagger + values: + metricsServer: http://prometheus.linkerd-viz:9090 + meshProvider: linkerd +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: loadtester +spec: + interval: 10m + chart: + spec: + chart: loadtester + reconcileStrategy: ChartVersion + sourceRef: + kind: HelmRepository + name: flagger +``` + +Finally, add the following Kustomization file that references all the previous files that were added: + +```yaml title="flagger/kustomization.yaml" +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: flagger +resources: +- namespace.yaml +- source.yaml +- releases.yaml +``` + +The `flagger` directory in the cluster 
repository should look like this: + +```bash +> tree flagger +flagger +├── kustomization.yaml +├── namespace.yaml +├── releases.yaml +└── source.yaml +``` + +Once Flux reconciles this directory to the cluster, Flagger and the load tester app should get installed. + +Before proceeding to the next step, check that all the Flagger pods have started successfully: + +```bash +> kubectl get pods -n flagger +NAME READY STATUS RESTARTS AGE +flagger-7d456d4fc7-knf2g 1/1 Running 0 4m +loadtester-855b4d77f6-scl6r 1/1 Running 0 4m +``` + +## Deploy a canary release + +To demonstrate the progressive rollout of an application, [podinfo](https://github.com/stefanprodan/podinfo) will be used. + +We will configure a [Canary release strategy](https://docs.flagger.app/usage/deployment-strategies#canary-release), +where Flagger will scale up a new version of the application (the canary), alongisde the existing version +(the primary), and gradually increase traffic to the new version in increments of 5%, up to a maximum of 50%. +It will continuously monitor the new version for an acceptable request response rate and average +request duration. Based on this analysis, Flagger will either update the primary to the new version, +or abandon the promotion; then scale the canary back down to zero. 
+ +Add a Namespace resource: + +```yaml title="test/namespace.yaml" +apiVersion: v1 +kind: Namespace +metadata: + name: test + annotations: + linkerd.io/inject: enabled +``` + +Then, add a Deployment resource and a HorizontalPodAutoscaler resource for the `podinfo` application: + +```yaml title="test/deployment.yaml" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: podinfo + labels: + app: podinfo +spec: + minReadySeconds: 5 + revisionHistoryLimit: 5 + progressDeadlineSeconds: 60 + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: podinfo + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9797" + labels: + app: podinfo + spec: + containers: + - name: podinfod + image: ghcr.io/stefanprodan/podinfo:6.0.0 + imagePullPolicy: IfNotPresent + ports: + - name: http + containerPort: 9898 + protocol: TCP + - name: http-metrics + containerPort: 9797 + protocol: TCP + - name: grpc + containerPort: 9999 + protocol: TCP + command: + - ./podinfo + - --port=9898 + - --port-metrics=9797 + - --grpc-port=9999 + - --grpc-service-name=podinfo + - --level=info + - --random-delay=false + - --random-error=false + env: + - name: PODINFO_UI_COLOR + value: "#34577c" + livenessProbe: + exec: + command: + - podcli + - check + - http + - localhost:9898/healthz + initialDelaySeconds: 5 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - podcli + - check + - http + - localhost:9898/readyz + initialDelaySeconds: 5 + timeoutSeconds: 5 + resources: + limits: + cpu: 2000m + memory: 512Mi + requests: + cpu: 100m + memory: 64Mi + +--- +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + name: podinfo +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: podinfo + minReplicas: 2 + maxReplicas: 4 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + # scale up if usage is above + # 99% of the requested CPU (100m) + 
averageUtilization: 99 +``` + +Then, add a Canary resource that references the Deployment and HorizontalPodAutoscaler resources, +note that we have not needed to define a service resource above, instead this is specified +within the Canary defintion and created by Flagger: + +```yaml title="test/canary.yaml" +apiVersion: flagger.app/v1beta1 +kind: Canary +metadata: + name: podinfo +spec: + # deployment reference + targetRef: + apiVersion: apps/v1 + kind: Deployment + name: podinfo + # HPA reference (optional) + autoscalerRef: + apiVersion: autoscaling/v2beta2 + kind: HorizontalPodAutoscaler + name: podinfo + # the maximum time in seconds for the canary deployment + # to make progress before it is rollback (default 600s) + progressDeadlineSeconds: 60 + service: + # ClusterIP port number + port: 9898 + # container port number or name (optional) + targetPort: 9898 + analysis: + # schedule interval (default 60s) + interval: 30s + # max number of failed metric checks before rollback + threshold: 5 + # max traffic percentage routed to canary + # percentage (0-100) + maxWeight: 50 + # canary increment step + # percentage (0-100) + stepWeight: 5 + # Linkerd Prometheus checks + metrics: + - name: request-success-rate + # minimum req success rate (non 5xx responses) + # percentage (0-100) + thresholdRange: + min: 99 + interval: 1m + - name: request-duration + # maximum req duration P99 + # milliseconds + thresholdRange: + max: 500 + interval: 30s + # testing (optional) + webhooks: + - name: acceptance-test + type: pre-rollout + url: http://loadtester.flagger/ + timeout: 30s + metadata: + type: bash + cmd: "curl -sd 'test' http://podinfo-canary.test:9898/token | grep token" + - name: load-test + type: rollout + url: http://loadtester.flagger/ + metadata: + cmd: "hey -z 2m -q 10 -c 2 http://podinfo-canary.test:9898/" +``` + +Finally, add a Kustomization file to apply all resources to the `test` namespace: + +```yaml title="test/kustomization.yaml" +apiVersion: 
kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: test +resources: +- namespace.yaml +- deployment.yaml +- canary.yaml +``` + +After a short time, the status of the canary object should be set to `Initialized`: + +![Canary rollout initialized](/img/pd-details-initialized.png) + +```bash +> kubectl get canary podinfo -n test +NAME STATUS WEIGHT LASTTRANSITIONTIME +podinfo Initialized 0 2022-07-22T12:37:58Z +``` + +Now trigger a new rollout by bumping the version of `podinfo`: + +```bash +> kubectl set image deployment/podinfo podinfod=ghcr.io/stefanprodan/podinfo:6.0.1 -n test +``` + +During the progressive rollout, the canary object reports on its current status: + + +![Canary rollout progressing](/img/pd-details-progressing.png) + +```bash +> kubectl get canary podinfo -n test +NAME STATUS WEIGHT LASTTRANSITIONTIME +podinfo Progressing 5 2022-07-22T12:41:57Z +``` + +After a short time the rollout is completed and the status of the canary object is set to `Succeeded`: + +![Canary rollout succeeded](/img/pd-details-succeeded.png) + +```bash +> kubectl get canary podinfo -n test +NAME STATUS WEIGHT LASTTRANSITIONTIME +podinfo Succeeded 0 2022-07-22T12:47:58Z +``` + +## Summary + +Congratulations, you have now completed a progressive delivery rollout with Flagger and Linkerd :tada: + +Next steps: +- Explore more of what [Flagger](https://flagger.app/) can offer +- Configure [manual approving](flagger-manual-gating.mdx) for progressive delivery deployments \ No newline at end of file diff --git a/website/versioned_docs/version-0.9.1/guides/deploying-capa.mdx b/website/versioned_docs/version-0.9.1/guides/deploying-capa.mdx new file mode 100644 index 0000000000..2e03f90526 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/guides/deploying-capa.mdx 
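Review bot: The Linkerd section instructs readers to add `issuer.key` to the cluster repository and the `secretGenerator` in `linkerd/kustomization.yaml` turns it into a plain Secret, so the mesh identity issuer's private key ends up committed in clear text to Git, where anyone with read access to the repository can obtain it and the mesh's mTLS trust is only as strong as that repository's access control. The guide should carry a caution next to that step, e.g. `:::caution` / `issuer.key` is a private key — encrypt it before committing (for example with SOPS, which Flux can decrypt via the Kustomization `decryption` field) or create the `linkerd-certs` Secret out of band instead of committing the key. / `:::`. The `crtExpiry` line also hard-codes `2023-07-18T20:00:00Z` with a typo in its comment (`expriry`); readers are likely to copy the date verbatim, so stating that it must be recomputed from the `--not-after 8760h` used when generating the issuer would help. Minor spelling: `alongisde` and `defintion` in the canary section.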
@@ -0,0 +1,72 @@ +--- +title: Deploying CAPA with EKS +hide_title: true +sidebar_position: 1 +--- + +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; + +import TierLabel from "../_components/TierLabel"; +import CodeBlock from "@theme/CodeBlock"; +import BrowserOnly from "@docusaurus/BrowserOnly"; + +# Deploying CAPA with EKS + +## Creating your first CAPA Cluster + +:::note BEFORE YOU START + +Make sure the following software is installed before continuing with these instructions: + +- `github cli` >= 2.3.0 [(source)](https://cli.github.com/) +- `kubectl` [(source)](https://kubernetes.io/docs/tasks/tools/#kubectl) +- `eksctl` [(source)](https://github.com/weaveworks/eksctl/releases) +- `aws cli` [(source)](https://aws.amazon.com/cli/) +- `clusterclt` >= v1.0.1 [(source)](https://github.com/kubernetes-sigs/cluster-api/releases) +- `clusterawsadm` >= v1.1.0 [(source)](https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases) + +The `AWS_ACCESS_KEY_ID`and `AWS_SECRET_ACCESS_KEY` of a user should be configured either via `aws configure` or exported in the current shell. +The `GITHUB_TOKEN` should be set as an environment variable in the current shell. It should have permissions to create Pull Requests against the cluster config repo. +::: + +If you've followed the [Upgrade steps](installation.mdx#weave-gitops-enterprise) in the [Installation guide](installation.mdx) you should have a management cluster ready to roll. + +### 1. Configure a capi provider + +See [Cluster API Providers](cluster-management/cluster-api-providers.mdx) page for more details on providers. He're we'll continue with `eks` and `capa` as an example. + +```bash +# Enable support for `ClusterResourceSet`s for automatically installing CNIs +export EXP_EKS=true +export EXP_MACHINE_POOL=true +export CAPA_EKS_IAM=true +export EXP_CLUSTER_RESOURCE_SET=true + +clusterctl init --infrastructure aws +``` + +### 2. 
Add a template + +See [CAPI Templates](cluster-management/templates.mdx) page for more details on this topic. Once we load a template we can use it in the UI to create clusters! + +import CapaTemplate from "!!raw-loader!./assets/templates/capa-template.yaml"; + +Download the template below to your config repository path, then commit and push to your git origin. + + + {() => ( + + curl -o clusters/management/capi/templates/capa-template.yaml{" "} + {window.location.protocol}//{window.location.host} + {require("./assets/templates/capa-template.yaml").default} + + )} + + + + {CapaTemplate} + diff --git a/website/versioned_docs/version-0.9.1/guides/displaying-custom-metadata.mdx b/website/versioned_docs/version-0.9.1/guides/displaying-custom-metadata.mdx new file mode 100644 index 0000000000..7f8a1b944b --- /dev/null +++ b/website/versioned_docs/version-0.9.1/guides/displaying-custom-metadata.mdx 
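Review bot: The prerequisites list names `clusterclt`, but the command run in step 1 is `clusterctl init`, so the entry should read `` `clusterctl` >= v1.0.1 `` to match the actual tool. In the same section, `He're we'll continue` should be `Here we'll continue`. The `BrowserOnly`/`CodeBlock` markup of the download snippet appears stripped in this view, so that part of the hunk could not be reviewed.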
@@ -0,0 +1,59 @@
+---
+title: Displaying custom metadata
+sidebar_position: 4
+---
+Weave Gitops lets you add annotations with custom metadata to your
+flux automations and sources, and they will be displayed in the main UI.
+
+For example, you might use this to add links to dashboards, issue
+system or another external system, or documentation and comments that
+are visible straight in the main UI.
+
+We will use the podinfo application that we installed in the [getting
+started guide](../getting-started.mdx) as an example. Open up the
+podinfo kustomization and add annotations to it so it looks like this:
+
+```yaml title="./clusters/my-cluster/podinfo-kustomization.yaml"
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: podinfo
+ namespace: flux-system
+// highlight-start
+ annotations:
+ metadata.weave.works/description: |
+ Podinfo is a tiny web application made with Go that showcases best practices of running microservices in Kubernetes.
+ Podinfo is used by CNCF projects like Flux and Flagger for end-to-end testing and workshops.
+ metadata.weave.works/grafana-dashboard: https://grafana.my-org.example.com/d/podinfo-dashboard
+// highlight-end
+spec:
+ interval: 5m0s
+ path: ./kustomize
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: podinfo
+ targetNamespace: flux-system
+```
+
+When you open the gitops dashboard and navigate to the Kustomization
+details, you should see the following:
+
+![Application detail view showing custom metadata](/img/metadata-display.png)
+
+There are some restrictions to keep in mind:
+
+ * The annotation key has to start with the domain
+ `metadata.weave.works`. Any other annotations will be ignored.
+ * The key that will be displayed is whatever you put after the
+ domain, title cased, and with dashes replaced with spaces. Above,
+ `metadata.weave.works/grafana-dashboard` was displayed as "Grafana Dashboard".
+ * The value can either be a link, or can be plain text. Newlines in
+ plain text will be respected.
+ * The key is subject to certain limitations that kubernetes impose on
+ annotations - it must be shorter than 63 characters (not including
+ the domain), and must be an English alphanumeric character, or one of
+ `-._`. See the [kubernetes
+ documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set)
+ for the full list of restrictions.
diff --git a/website/versioned_docs/version-0.9.1/guides/flagger-manual-gating.mdx b/website/versioned_docs/version-0.9.1/guides/flagger-manual-gating.mdx
new file mode 100644
index 0000000000..26960a7d17
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/guides/flagger-manual-gating.mdx
@@ -0,0 +1,147 @@
+---
+title: Manual approval for progressive delivery deployments
+sidebar_position: 7
+hide_title: true
+---
+
+import TierLabel from "../_components/TierLabel";
+
+

+ {frontMatter.title}
+

+
+Weave GitOps Enterprise helps you understand the state of progressive delivery
+updates to your applications with [Flagger](https://flagger.app). The Delivery
+view shows all your deployed `Canary` objects and the status for how a rollout
+is progressing.
+
+By default, Flagger will automatically promote a new version of an application
+should it pass the defined checks during an analysis phase. However, you can
+also configure [webhooks](https://docs.flagger.app/usage/webhooks) to enable
+manual approvals for Flagger to proceed to the next phase of a rollout.
+
+In this guide we will show you how to get started with manually gating a
+progressive delivery promotion with Flagger, using the in-built load tester as
+a way to demonstrate and learn the capability so that you could configure
+your own gates.
+
+## Pre-requisites
+- Basic knowledge of [Flagger](https://flagger.app).
+- An existing `Canary` object and target deployment.
+- Flagger's load tester [installed](https://docs.flagger.app/usage/webhooks#load-testing)
+
+## Basic introduction to Webhooks and Gating
+Flagger can be configured to work with several types of hooks which will be called at
+given stages during a progressive delivery rollout. Some of these allow you to manually
+gate whether a rollout proceeds at certain points:
+- Before a new deployment is scaled up and canary analysis begins with `confirm-rollout`.
+- Before traffic weight is increased with `confirm-traffic-increase`.
+- Before a new version is promoted following successful canary analysis with `confirm-promotion`.
+
+Any URL can be used as a webhook target, it will approve if it returns with a
+`200 OK` status code, and halt if it's `403 Forbidden`.
+
+The webhook will receive a JSON payload that can be unmarshaled as
+`CanaryWebhookPayload`:
+
+```go
+type CanaryWebhookPayload struct {
+ // Name of the canary
+ Name string `json:"name"`
+
+ // Namespace of the canary
+ Namespace string `json:"namespace"`
+
+ // Phase of the canary analysis
+ Phase CanaryPhase `json:"phase"`
+
+ // Metadata (key-value pairs) for this webhook
+ Metadata map[string]string `json:"metadata,omitempty"`
+}
+```
+
+For more information on Webhooks in Flagger, see the
+[Flagger documentation](https://docs.flagger.app/usage/webhooks)
+
+
+## Using Flagger's load tester to manually gate a promotion
+To enable manual approval of a promotion we are going to configure the
+`confirm-promotion` webhook to call a particular gate provided through
+Flagger's included load tester. This is an easy way to experiment with
+the capability using Flagger's included components.
+
+**Important note**
+We strongly recommend that you DO NOT USE the load tester for manual gating
+in a production environment. There is no auth on the load tester, so
+anyone with access to the cluster would be able to open and close; and
+the load tester has no storage, so if restarted - all gates would close.
+
+Instead, configure these webhooks for appropriate integration with a
+tool of your choice such Jira, Slack, Jenkins, etc.
+
+### Configure the confirm-promotion webhook
+In your Canary object, add the following in the `analysis` section:
+
+```yaml
+ analysis:
+ webhooks:
+ - name: "ask for confirmation"
+ type: confirm-promotion
+ url: http://flagger-loadtester.test/gate/check
+```
+
+This gate is closed by default.
+
+### Deploy a new version of your application
+Trigger a Canary rollout by updating your target deployment/daemonset, for
+example by bumping the container image tag. A full list of ways to trigger
+a rollout is available
+[here](https://docs.flagger.app/faq#how-to-retry-a-failed-release).
+
+You can watch the progression of a Canary in Weave GitOps Enterprise (WGE)
+through the Applications > Delivery view:
+
+![Podinfo Canary progressing](/img/pd-table-progressing.png)
+
+
+### Wait for the Canary analysis to complete
+Once the Canary analysis has successfully completed, Flagger will call the
+`confirm-promotion` webhook and change status to `WaitingPromotion` as you
+can see in the screenshots below:
+
+![Podinfo Canary showing Waiting Promotion - table view](/img/pd-table-waiting.png)
+
+![Podinfo Canary showing Waiting Promotion - details view](/img/pd-details-waiting.png)
+
+### Open the gate
+To open the gate and therefore confirm that you are happy for the new
+version of your application to be promoted, we can exec into the load tester
+container:
+
+```
+$ kubectl -n test exec -it flagger-loadtester-xxxx-xxxx sh
+
+# to open
+> curl -d '{"name": "app","namespace":"test"}' http://localhost:8080/gate/open
+```
+
+Flagger will now proceed to promote the Canary version to the primary and
+complete the progressive delivery rollout :tada:
+
+![Podinfo Canary succeeded - full events history](/img/pd-events-gate-passed.png)
+
+![Podinfo Canary succeeded - promoting](/img/pd-table-promoting.png)
+
+![Podinfo Canary succeeded - promoted](/img/pd-table-succeeded.png)
+
+
+To manually close the gate again you can issue:
+
+```
+> curl -d '{"name": "app","namespace":"test"}' http://localhost:8080/gate/close
+```
+
+**References:**
+
+* This guide was informed by the
+[Official Flagger documentation](https://docs.flagger.app/usage/webhooks#manual-gating)
diff --git a/website/versioned_docs/version-0.9.1/guides/setting-up-dex.md b/website/versioned_docs/version-0.9.1/guides/setting-up-dex.md
new file mode 100644
index 0000000000..893c4aa595
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/guides/setting-up-dex.md
@@ -0,0 +1,276 @@
+---
+title: Configuring OIDC with Dex and GitHub
+sidebar_position: 3
+---
+
+In this guide we will show you how to enable users to login to the Weave GitOps dashboard by authenticating with their GitHub account.
+
+This example uses [Dex][tool-dex] and its GitHub connector, and assumes Weave GitOps has already been installed on a Kubernetes clusters.
+
+### Pre-requisites
+- A Kubernetes cluster such as [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/) cluster running a
+[Flux-supported version of Kubernetes](https://fluxcd.io/docs/installation/#prerequisites)
+- Weave GitOps is [installed](../installation.mdx) and [TLS has been enabled](../configuration/tls.md).
+
+## What is Dex?
+
+[Dex][tool-dex] is an identity service that uses [OpenID Connect][oidc] to
+drive authentication for other apps.
+
+Alternative solutions for identity and access management exist such as [Keycloak](https://www.keycloak.org/).
+
+[tool-dex]: https://dexidp.io/
+[oidc]: https://openid.net/connect/
+
+## Create Dex namespace
+
+Create a namespace where Dex will be installed:
+
+```yaml
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: dex
+```
+
+## Add credentials
+
+There are a [lot of options][dex-connectors] available with Dex, in this guide we will
+use the [GitHub connector][dex-github].
+
+We can get a GitHub ClientID and Client secret by creating a
+[new OAuth appliation][github-oauth].
+
+![GitHub OAuth configuration](/img/guides/setting-up-dex/github-oauth-application.png)
+
+```bash
+kubectl create secret generic github-client \
+ --namespace=dex \
+ --from-literal=client-id=${GITHUB_CLIENT_ID} \
+ --from-literal=client-secret=${GITHUB_CLIENT_SECRET}
+```
+
+[dex-connectors]: https://dexidp.io/docs/connectors/
+[dex-github]: https://dexidp.io/docs/connectors/github/
+[github-oauth]: https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app
+
+## Deploy Dex
+
+As we did before, we can use `HelmRepository` and `HelmRelease` objects to let
+Flux deploy everything.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: dex
+ namespace: dex
+spec:
+ interval: 1m
+ url: https://charts.dexidp.io
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: dex
+ namespace: dex
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: dex
+ version: 0.6.5
+ sourceRef:
+ kind: HelmRepository
+ name: dex
+ namespace: dex
+ interval: 1m
+ values:
+ image:
+ tag: v2.31.0
+ envVars:
+ - name: GITHUB_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: github-client
+ key: client-id
+ - name: GITHUB_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: github-client
+ key: client-secret
+ config:
+ # Set it to a valid URL
+ issuer: https://dex.dev.example.tld
+
+ # See https://dexidp.io/docs/storage/ for more options
+ storage:
+ type: memory
+
+ staticClients:
+ - name: 'Weave GitOps Core'
+ id: weave-gitops
+ secret: AiAImuXKhoI5ApvKWF988txjZ+6rG3S7o6X5En
+ redirectURIs:
+ - 'https://localhost:9001/oauth2/callback'
+ - 'https://0.0.0.0:9001/oauth2/callback'
+ - 'http://0.0.0.0:9001/oauth2/callback'
+ - 'http://localhost:4567/oauth2/callback'
+ - 'https://localhost:4567/oauth2/callback'
+ - 'http://localhost:3000/oauth2/callback'
+
+ connectors:
+ - type: github
+ id: github
+ name: GitHub
+ config:
+ clientID: $GITHUB_CLIENT_ID
+ clientSecret: $GITHUB_CLIENT_SECRET
+ redirectURI: https://dex.dev.example.tld/callback
+ orgs:
+ - name: weaveworks
+ teams:
+ - team-a
+ - team-b
+ - QA
+ - name: ww-test-org
+ ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ hosts:
+ - host: dex.dev.example.tld
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - dex.dev.example.tld
+ secretName: dex-dev-example-tld
+```
+
+:::note SSL certificate without cert manager
+If we don't want to use cert manager, we can remove the related annotation and
+use our predefined secret in the `tls` section.
+:::
+
+An important part of the configuration is the `orgs` field on the GitHub
+connector.
+
+```yaml
+orgs:
+- name: weaveworks
+ teams:
+ - team-a
+ - team-b
+ - QA
+```
+
+Here we can define groups under a GitHub organisation. In this example the
+GitHub organisation is `weaveworks` and all members of the `team-a`,
+`team-b`, and `QA` teams can authenticate. Group membership will be added to
+the user.
+
+Based on these groups, we can bind roles to groups:
+
+```yaml
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: wego-test-user-read-resources
+ namespace: flux-system
+subjects:
+ - kind: Group
+ name: weaveworks:QA
+ namespace: flux-system
+roleRef:
+ kind: Role
+ name: wego-admin-role
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: wego-admin-role
+ namespace: flux-system
+rules:
+ - apiGroups: [""]
+ resources: ["secrets", "pods" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["apps"]
+ resources: [ "deployments", "replicasets"]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: [ "kustomizations" ]
+ verbs: [ "get", "list", "patch" ]
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: [ "helmreleases" ]
+ verbs: [ "get", "list", "patch" ]
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories" ]
+ verbs: [ "get", "list", "patch" ]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "watch", "list"]
+```
+
+The same way we can bind cluster roles to a group:
+
+```yaml
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: weaveworks:team-a
+subjects:
+- kind: Group
+ name: weaveworks:team-a
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
+```
+
+### Set up static user
+
+For static user, add `staticPasswords` to the `config`:
+
+```yaml
+spec:
+ values:
+ config:
+ staticPasswords:
+ - email: "admin@example.tld"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ username: "admin"
+ userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+```
+
+Static user password can be generated with `htpasswd`:
+
+```bash
+echo password | htpasswd -BinC 10 admin | cut -d: -f2
+```
+## OIDC login
+
+Using the "Login with OIDC Provider" button:
+
+![Login page](/img/guides/setting-up-dex/oidc-login.png)
+
+We have to authorize the GitHub OAuth application:
+
+![GitHub OAuth page](/img/guides/setting-up-dex/github-auth.png)
+
+After that, grant access to Dex:
+
+![Dex grant access](/img/guides/setting-up-dex/dex-auth.png)
+
+Now we are logged in with our GitHub user and we can see all resources we have
+access to:
+
+![UI logged in](/img/guides/setting-up-dex/ui-logged-in.png)
diff --git a/website/versioned_docs/version-0.9.1/guides/using-terraform-templates.mdx b/website/versioned_docs/version-0.9.1/guides/using-terraform-templates.mdx
new file mode 100644
index 0000000000..a37f1f23c2
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/guides/using-terraform-templates.mdx
@@ -0,0 +1,314 @@
+---
+title: Using Terraform templates
+sidebar_position: 5
+---
+
+import TierLabel from "../_components/TierLabel";
+
+# Using Terraform templates
+
+This guide will show you how to use a template to create a Terraform resource in Weave GitOps Enterprise.
+
+## CLI guide
+
+### Pre-requisites
+- Install [Weave GitOps Enterprise](installation.mdx#weave-gitops-enterprise) with [TF-Controller installed](installation.mdx#optional-install-the-tf-controller) and [TLS enabled](../configuration/tls.md).
+
+### 1. Add a template to your cluster
+
+Add the following template to a path in your Git repository that is synced by Flux. For example, in the [quickstart guide](https://docs.gitops.weave.works/docs/installation/#install-flux-onto-your-cluster-with-the-flux-bootstrap-command), we set the path that is synced by Flux to `./clusters/management`.
+
+Commit and push these changes. Once a template is available in the cluster, it can be used to create a resource, which will be shown in the next step.
+
+```yaml title="./clusters/management/tf-template.yaml"
+---
+apiVersion: clustertemplates.weave.works/v1alpha1
+kind: GitOpsTemplate
+metadata:
+ name: tf-template
+ namespace: default
+spec:
+ description:
+ This is a sample WGE template that will be translated into a tf-controller specific template.
+ params:
+ - name: RESOURCE_NAME
+ description: Resource Name
+ resourcetemplates:
+ - apiVersion: infra.contrib.fluxcd.io/v1alpha1
+ kind: Terraform
+ metadata:
+ name: ${RESOURCE_NAME}
+ namespace: flux-system
+ spec:
+ interval: 1h
+ path: ./
+ approvePlan: auto
+ alwaysCleanupRunnerPod: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+```
+
+Verify that your template is in the cluster:
+```bash
+kubectl get gitopstemplates.clustertemplates.weave.works -A
+NAME AGE
+sample-wge-tf-controller-template 14m
+```
+
+If the template does not appear immediately, reconcile the changes with Flux:
+```bash
+flux reconcile kustomization flux-system
+► annotating Kustomization flux-system in flux-system namespace
+✔ Kustomization annotated
+◎ waiting for Kustomization reconciliation
+✔ applied revision main/e6f5f0c3925bcfecdb50bceb12af9a87677d2213
+```
+
+### 2. Use the template to create a resource
+A resource can be created from a template by specifying the template's name and supplying values to it, as well as your Weave GitOps Enterprise username, password, and HTTP API endpoint.
+```bash
+gitops add terraform --from-template sample-wge-tf-controller-template \
+--set="RESOURCE_NAME"="name" \
+--username= --password= \
+--endpoint https://localhost:8000 \
+--url https://github.com/myawesomeorg/myawesomerepo
+
+Created pull request: https://github.com/myawesomeorg/myawesomerepo/pull/5
+```
+
+This will create a PR in your Git repository with a TF-Controller manifest. Once the PR is merged, TF-Controller will supply the values to the Terraform manifest, apply the Terraform manifest to create the resource, and reconcile any changes that you make to the Terraform manifest!
+
+This template can be used to create multiple resources out of the same Terraform manifest by supplying different values to the template. Any changes to the Terraform manifest will be reconciled automatically to all resources.
+
+### 3. List available templates
+Get a specific template that can be used to create a Terraform resource:
+```bash
+gitops get template terraform sample-wge-tf-controller-template --endpoint https://localhost:8000 --username= --password=
+NAME PROVIDER DESCRIPTION ERROR
+sample-wge-tf-controller-template This is a sample WGE template that will be translated into a tf-controller specific template.
+```
+
+List all the templates available on the cluster:
+```bash
+gitops get template terraform --endpoint https://localhost:8000 --username= --password=
+NAME PROVIDER DESCRIPTION ERROR
+sample-aurora-tf-template This is a sample Aurora RDS template.
+sample-wge-tf-controller-template This is a sample WGE template that will be translated into a tf-controller specific template.
+```
+
+### 4. List the parameters of a template
+List all the parameters that can be defined on a specific template:
+```bash
+gitops get template terraform tf-controller-aurora --list-parameters --endpoint https://localhost:8000 --username= --password=
+NAME REQUIRED DESCRIPTION OPTIONS
+RESOURCE_NAME false Resource Name
+```
+
+## Use Case: Create an Aurora RDS with WGE
+:::tip BONUS
+
+For a more advanced example, here is a template to create an Aurora RDS cluster using WGE with Flux and the TF-Controller.
+:::
+
+### Pre-requisites
+- Everything from the [previous section](#pre-requisites)
+- Get (or create) an AWS Access Key ID and Secret Access Key. Check the [AWS docs](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-appendix-sign-up.html) for details on how to do this.
+- Create an AWS IAM Role for the Terraform AWS Provider. Its policy should include `iam:CreateRole`. More info [here](https://support.hashicorp.com/hc/en-us/articles/360041289933-Using-AWS-AssumeRole-with-the-AWS-Terraform-Provider).
+
+### 1. Configure a way to manage secrets
+
+Configure a way to safely store Secrets. One method is to use the Mozilla SOPS CLI, but there are other ways, such as Sealed Secrets or Vaults.
+
+Follow the steps in the [Flux docs](https://fluxcd.io/docs/guides/mozilla-sops/) **except** for the "Configure in-cluster secrets decryption" step! This step looks slightly different for WGE. Instead of re-creating the controllers, you can configure the `kustomize-controller` as instructed below.
+
+In your Git repository source, add the following to your `kustomize-controller` configuration:
+```bash
+cat <> ./clusters//flux-system/gotk-sync.yaml
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+EOF
+```
+
+### 2. Encrypt and store your credentials in your Git repository
+Create a Secret to store sensitive values such as the following:
+- DB username
+- DB password
+- AWS Access Key ID
+- AWS Secret Access Key
+- AWS Role ARN
+
+:::note
+If following the Flux guide, this steps corresponds to ["Encrypting secrets using OpenPGP"](https://fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-openpgp). You can stop following the Flux guide at this step.
+:::
+
+For example, here is what you would do if using the SOPS method:
+```bash
+kubectl -n flux-system create secret generic tf-controller-auth \
+--from-literal=master_username=admin \
+--from-literal=master_password=change-me \
+--from-literal=aws_access_key=AKIAIOSFODNN7EXAMPLE \
+--from-literal=aws_secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" \
+--from-literal=aws_role_arn="arn:aws:iam::012345678910:role/wge-tf-controller-example" \
+--dry-run=client \
+-o yaml > tf-controller-auth.yaml
+```
+
+Then, encrypt the secret:
+```bash
+sops --encrypt --in-place tf-controller-auth.yaml
+```
+
+Commit and push your changes. You can now store encrypted secrets to your Git repository.
+
+### 4. Add the manifests to your cluster
+
+Add the following Terraform manifest to the root of your Git repository.
+
+```yaml title="./rds.tf"
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.0"
+ }
+ }
+}
+
+variable "cluster_identifier" {}
+variable "database_name" {}
+variable "master_username" {}
+variable "master_password" {}
+variable "backup_retention_period" {}
+variable "region" {}
+variable "aws_access_key" {}
+variable "aws_secret_key" {}
+variable "aws_role_arn" {}
+
+provider "aws" {
+ region = var.region
+ access_key = var.aws_access_key
+ secret_key = var.aws_secret_key
+
+ assume_role {
+ role_arn = var.aws_role_arn
+ }
+}
+
+locals {
+ engine = "aurora-mysql"
+ engine_version = "5.7.mysql_aurora.2.07.5"
+ port = 3306
+}
+
+data "aws_availability_zones" "available" {
+ state = "available"
+
+ filter {
+ name = "group-name"
+ values = [var.region]
+ }
+}
+
+resource "aws_rds_cluster" "mycluster" {
+ cluster_identifier = var.cluster_identifier
+ engine = local.engine
+ engine_version = local.engine_version
+ port = local.port
+ availability_zones = slice(data.aws_availability_zones.available.names, 0, 3)
+ database_name = var.database_name
+ master_username = var.master_username
+ master_password = var.master_password
+ backup_retention_period = var.backup_retention_period
+ skip_final_snapshot = true
+ apply_immediately = true
+}
+
+resource "aws_rds_cluster_instance" "cluster_instance" {
+ count = 1
+ identifier = "${aws_rds_cluster.mycluster.id}-${count.index}"
+ cluster_identifier = aws_rds_cluster.mycluster.id
+ instance_class = "db.t3.small"
+ engine = aws_rds_cluster.mycluster.engine
+ engine_version = aws_rds_cluster.mycluster.engine_version
+}
+```
+
+Add the following template to a path in your Git repository that is synced by Flux. In the [quickstart guide](https://docs.gitops.weave.works/docs/installation/#install-flux-onto-your-cluster-with-the-flux-bootstrap-command), we set this path to `./clusters/management`.
+
+```yaml title="./clusters/management/rds-template.yaml"
+---
+apiVersion: clustertemplates.weave.works/v1alpha1
+kind: GitOpsTemplate
+metadata:
+ name: rds-template
+ namespace: default
+spec:
+ description: This is a sample Aurora RDS template.
+ params:
+ - name: RESOURCE_NAME
+ description: Resource Name
+ - name: CLUSTER_IDENTIFIER
+ description: Cluster Identifier
+ - name: DATABASE_NAME
+ description: Database Name
+ - name: BACKUP_RETENTION_PERIOD
+ description: Backup Retention Period
+ - name: REGION
+ description: Region
+ resourcetemplates:
+ - apiVersion: infra.contrib.fluxcd.io/v1alpha1
+ kind: Terraform
+ metadata:
+ name: ${RESOURCE_NAME}
+ namespace: flux-system
+ spec:
+ interval: 1h
+ path: ./
+ approvePlan: auto
+ alwaysCleanupRunnerPod: true
+ vars:
+ - name: cluster_identifier
+ value: ${CLUSTER_IDENTIFIER}
+ - name: database_name
+ value: ${DATABASE_NAME}
+ - name: backup_retention_period
+ value: ${BACKUP_RETENTION_PERIOD}
+ - name: region
+ value: ${REGION}
+ varsFrom:
+ - kind: Secret
+ name: tf-controller-auth
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+```
+
+Commit and push your changes.
+
+:::tip
+You can change the location where you keep your Terraform manifests in your Git source (which the TF-Controller will reconcile) by configuring `spec.resourcetemplates.spec.path`.
+:::
+
+### 5. Use the template to create the RDS
+```bash
+gitops add terraform --from-template rds-template \
+--username= --password= \
+--endpoint https://localhost:8000 \
+--url https://github.com/myawesomeorg/myawesomerepo \
+--set "RESOURCE_NAME"="tf-controller-aurora","CLUSTER_IDENTIFIER"="super-awesome-aurora","DATABASE_NAME"="db1","BACKUP_RETENTION_PERIOD"=5,"REGION"="us-west-2"
+
+Created pull request: https://github.com/myawesomeorg/myawesomerepo/pull/6
+```
+
+Merge the PR in your Git repository to add the TF-Controller manifest. TF-Controller will supply the values to the Terraform manifest, apply the Terraform manifest to create the resource, and reconcile any changes that you make to the Terraform manifest.
+
+Any changes to your Terraform manifest will be automatically reconciled by the TF-controller with Flux.
+
+You can re-use this template to create multiple Terraform resources, each with a different set of values!
+
+Make sure to delete the newly created RDS resources to not incur additional costs.
diff --git a/website/versioned_docs/version-0.9.1/help-and-support.md b/website/versioned_docs/version-0.9.1/help-and-support.md
new file mode 100644
index 0000000000..f4777f403e
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/help-and-support.md
@@ -0,0 +1,33 @@
+---
+title: Help and Support
+sidebar_position: 6
+---
+
+## Community
+
+👋 Come talk to us and other users in the [#weave-gitops channel](https://app.slack.com/client/T2NDH1D9D/C0248LVC719/thread/C2ND76PAA-1621532937.019800) on Weaveworks Community Slack.
+
+[Invite yourself](https://slack.weave.works/) if you haven't joined yet.
+
+### Flux
+
+The Flux project has a fantastic community to help support your GitOps journey, find more details on how to reach out via their [community page](https://fluxcd.io/docs/#community)
+
+## Commercial Support
+Weaveworks provides [Weave GitOps Enterprise](https://www.weave.works/product/gitops-enterprise/), a continuous operations product that makes it easy to deploy and manage Kubernetes clusters and applications at scale in any environment. The single management console automates trusted application delivery and secure infrastructure operations on premise, in the cloud and at the edge.
+
+To discuss your support needs, please contact us at [sales@weave.works](mailto:sales@weave.works).
+
+## Recommended resources
+
+Got a suggestion for this list? Please open a pull request using the "Edit this page" link at the bottom.
+
+### Weaveworks materials
+- [GitOps for absolute beginners](https://go.weave.works/WebContent-EB-GitOps-for-Beginners.html) - eBook from Weaveworks
+- [Guide to GitOps](https://www.weave.works/technologies/gitops/) - from Weaveworks
+- [Awesome GitOps](https://github.com/weaveworks/awesome-gitops) - inspired by [https://github.com/sindresorhus/awesome](https://github.com/sindresorhus/awesome)
+
+### Other
+- [Flux docs](https://fluxcd.io/docs) - comprehensive documentation on Flux
+- [OpenGitOps](https://opengitops.dev/) - CNCF Sandbox project aiming to define a vendor-neutral, principle-led meaning of GitOps.
+- [gitops.tech](https://www.gitops.tech/) - supported by Innoq
\ No newline at end of file
diff --git a/website/versioned_docs/version-0.9.1/installation.mdx b/website/versioned_docs/version-0.9.1/installation.mdx
new file mode 100644
index 0000000000..add6df798b
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/installation.mdx
@@ -0,0 +1,588 @@ +--- +title: Installation +sidebar_position: 1 +hide_title: true +--- + +import TierLabel from "./_components/TierLabel"; +import CurlCodeBlock from "./_components/CurlCodeBlock"; + +## Installing Weave GitOps + +This section details the steps required to install Weave GitOps on a Kubernetes cluster. + +### Pre-requisites + +#### Kubernetes Cluster +This version of Weave GitOps is tested against the following Kubernetes releases: +* 1.20 +* 1.21 +* 1.22 +* 1.23 +* 1.24 + +Note that the version of [Flux](https://fluxcd.io/docs/installation/#prerequisites) that you use might impose further minimum version requirements. + +#### Install Flux +Weave GitOps is an extension to Flux and therefore requires that Flux 0.29 or later has already been installed on your Kubernetes cluster. Full documentation is avilable at: [https://fluxcd.io/docs/installation/](https://fluxcd.io/docs/installation/). + +This version of Weave GitOps is tested against the following Flux releases: +* 0.29 +* 0.30 +* 0.31 + +### Install the Helm Chart +Weave GitOps is provided through a Helm Chart and installed as a Flux resource through a `HelmRepository` and `HelmRelease`. To install on your cluster, adjust the following so that `username` is the username you want and `passwordHash` is a bcrypt hash of your password, and commit the file to the location bootstrapped with Flux so that it is synchronized to your Cluster. 
+ +``` +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: ww-gitops + namespace: flux-system +spec: + chart: + spec: + chart: weave-gitops + sourceRef: + kind: HelmRepository + name: ww-gitops + interval: 1m0s + values: + adminUser: + create: true + username: + passwordHash: +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: ww-gitops + namespace: flux-system +spec: + interval: 1m0s + url: https://helm.gitops.weave.works +``` + +There are many other values you can configure - for more information, see [our value file reference](./references/helm-reference.md). + +## Installing Weave GitOps Enterprise + +Weave GitOps Enterprise (WGE) provides ops teams with an easy way to assess the +health of multiple clusters in a single place. It shows cluster information such as +Kubernetes version and number of nodes and provides details about the GitOps operations +on those clusters, such as Git repositories and recent commits. Additionally, it +aggregates Prometheus alerts to assist with troubleshooting. + +To purchase entitlement to Weave GitOps Enterprise please contact [sales@weave.works](mailto:sales@weave.works) + +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; + +To install Weave GitOps Enterprise + +import TOCInline from "@theme/TOCInline"; + + { + const trimStart = toc.slice(toc.findIndex((node) => node.id == 'installing-weave-gitops-enterprise')+1); + return trimStart.slice(0, trimStart.findIndex((node) => node.level == '2')); + })()} /> + +### 1. Set up a Management Cluster with `flux` + +To get you started in this document we'll cover: + +- `kind` as our management cluster with the _CAPD_ provider +- **EKS** as our management cluster with the _CAPA_ provider + +However Weave GitOps Enterprise supports any combination of management cluster and CAPI provider. + + + + +##### 1.1 We start with creating a kind-config. 
+ +```yaml title="kind-config.yaml" +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: + - role: control-plane + extraMounts: + - hostPath: /var/run/docker.sock + containerPath: /var/run/docker.sock +``` + +The `extraMounts` are for the Docker CAPI provider (CAPD) to be able to talk to the host docker + +##### 1.2 Start your kind cluster using the configuration above and Kubernetes v1.23.6 + +```bash +kind create cluster --config kind-config.yaml --image=kindest/node:v1.23.6 +``` + + + + +##### 1.1 Prepare IAM for installation + +The Cluster API needs special permissions in AWS. Use the `clusterawsadm` command below to roll out a CloudStack to installs the permissions into your AWS account. While the CloudStack is bound to a region, the resulting permissions are globally scoped. You can use any AWS Region that you have access to. The `clusterawsadm` command takes an AWSIAMConfiguration file. We have provided a working example for you : + +```yaml title="eks-config.yaml" +apiVersion: bootstrap.aws.infrastructure.cluster.x-k8s.io/v1beta1 +kind: AWSIAMConfiguration +spec: + bootstrapUser: + enable: true + eks: + iamRoleCreation: false # Set to true if you plan to use the EKSEnableIAM feature flag to enable automatic creation of IAM roles + defaultControlPlaneRole: + disable: false # Set to false to enable creation of the default control plane role + managedMachinePool: + disable: false # Set to false to enable creation of the default node pool role +``` + +Run `clusterawsadm` command to create the IAM group. + +```bash +$ clusterawsadm bootstrap iam create-cloudformation-stack --config eks-config.yaml --region $REGION +``` + +Create an IAM User. This user will be used as a kind of service account. Assign the newly created group to this user. The group name will be something like: `cluster-api-provider-aws-s-AWSIAMGroupBootstrapper-XXXX`. Create a secret for the newly created IAM user. 
+ +##### 1.2 Create the cluster + +In testing we used the following values +`$INSTANCESIZE` : t3.large +`$NUMOFNODES` : 2 +`$MINNODES` : 2 +`$MAXNODES` : 6 + +```bash +eksctl create cluster -n "$CLUSTERNAME" -r "$REGION" --nodegroup-name workers -t $INSTANCESIZE --nodes $NUMOFNODES --nodes-min $MINNODES --nodes-max $MAXNODES --ssh-access --alb-ingress-access +``` + +##### 1.3 Add cluster to kubeconfig + +Once the cluster is created, add the cluster to your `kubeconfig` + +```bash +aws eks --region "$REGION" update-kubeconfig --name "$CLUSTERNAME" +``` + + + + +##### Install Flux onto your cluster with the `flux bootstrap` command. + + + + +``` +flux bootstrap github \ + --owner= \ + --repository=fleet-infra \ + --branch=main \ + --path=./clusters/management \ + --personal +``` + + + + + +``` +flux bootstrap gitlab \ + --owner= \ + --repository=fleet-infra \ + --branch=main \ + --path=./clusters/management \ + --personal +``` + + + + + + +* **owner** - The username (or organization) of the git repository +* **repository** - Git repository name +* **branch** - Git branch (default "main") +* **path** - path relative to the repository root, when specified the cluster sync will be scoped to this path +* **personal** - if set, the owner is assumed to be a repo user + +More information about `flux` and the `flux bootstrap` command can be found [here](https://fluxcd.io/docs/cmd/) + +:::note At this point a few things have occurred: +* Your Flux management cluster is now running +* A new git repo was created based on the parameters you set in the `flux bootstrap` command. Take a look at your repositories. +::: + +### 2. Install a CAPI provider + +:::note `clusterctl` versions + +The example templates provided in this guide have been tested with `clusterctl` version `1.1.3`. However you might need to use an older or newer version depending on the capi-providers you plan on using. 
+ +Download a specific version of clusterctl from the [releases page](https://github.com/kubernetes-sigs/cluster-api/releases). +::: + +In order to be able to provision Kubernetes clusters, a CAPI provider needs to be installed. See [Cluster API Providers](./cluster-management/cluster-api-providers.mdx) page for more details on providers. +Here we'll continue with our example instructions for CAPD and CAPA. + + + + +``` +# Enable support for `ClusterResourceSet`s for automatically installing CNIs +export EXP_CLUSTER_RESOURCE_SET=true + +clusterctl init --infrastructure docker +``` + + + + +``` +export EXP_EKS=true +export EXP_MACHINE_POOL=true +export CAPA_EKS_IAM=true +export EXP_CLUSTER_RESOURCE_SET=true + +clusterctl init --infrastructure aws +``` + + + + +### 3. Apply the entitlements secret + +Contact sales@weave.works for a valid entitlements secret. Then apply it to the cluster: + +```bash +kubectl apply -f entitlements.yaml +``` + +### 4. Configure access for writing to git from the UI + + + +GitHub requires no additional configuration for OAuth git access + + + +Create a GitLab OAuth Application that will request `api` permissions to create pull requests on the user's behalf. +Follow the [GitLab docs](https://docs.gitlab.com/ee/integration/oauth_provider.html). 
+ +The application should have at least these scopes: + +- `api` +- `openid` +- `email` +- `profile` + +Add callback URLs to the application for each address the UI will be exposed on, e.g.: + +- `https://localhost:8000/oauth/gitlab` For port-forwarding and testing +- `https://git.example.com/oauth/gitlab` For production use + +Save your application and take note of the **Client ID** and **Client Secret** and save +them into the `git-provider-credentials` secret along with: + +- `GIT_HOST_TYPES` to tell WGE that the host is gitlab +- `GITLAB_HOSTNAME` where the OAuth app is hosted + +**Replace values** in this snippet and run: + +```bash +kubectl create secret generic git-provider-credentials --namespace=flux-system \ + --from-literal="GITLAB_CLIENT_ID=13457" \ + --from-literal="GITLAB_CLIENT_SECRET=24680" \ + --from-literal="GITLAB_HOSTNAME=git.example.com" \ + --from-literal="GIT_HOST_TYPES=git.example.com=gitlab" +``` + + + + + +### 5. Configure and commit + +We deploy WGE via a Helm chart. We'll save and adapt the below template, before commiting it to git to a flux-reconciled path. + +Clone the newly created repo locally as we're gonna add some things! + +``` +git clone git@:/fleet-infra +cd fleet-infra +``` + +Download the helm-release to `clusters/management/weave-gitops-enterprise.yaml` and tweak: + +import ExampleWGE from "./assets/example-enterprise-helm.yaml"; +import ExampleWGEContent from "!!raw-loader!./assets/example-enterprise-helm.yaml"; + + + +#### `values.config.capi.repositoryURL` +Ensure this has been set to your repository URL. + +#### `values.config.capi.repositoryPath` +By default, WGE will create new clusters in the `clusters/management/clusters` path. +This can be configured with `values.config.capi.repositoryPath`. +For example you might what to change it to `clusters/my-cluster/cluster` if you configured flux to reconcile `./clusters/my-cluster` instead. 
+ +#### `values.config.capi.repositoryClustersPath` +The other important path to configure is where applications and workloads that will be run on the new cluster will be stored. +By default this is `./clusters`. When a new cluster is specified any profiles that have been selected will be written to `./clusters/{.clusterName}/profiles.yaml`. +When the new cluster is bootstrapped, flux will be sync the `./clusters/{.clusterName}` path. + +Commit and push all the files + +``` +git add clusters/management/weave-gitops-enterprise.yaml +git commit -m "Deploy Weave GitOps Enterprise" +git push +``` + +Flux will reconcile the helm-release and WGE will be deployed into the cluster. You can check the `flux-system` namespace to verify all pods are running. + +### 6. Configure password + +In order to login to the WGE UI, you need to generate a bcrypt hash for your chosen password and store it as a secret in the Kubernetes cluster. + +There are several different ways to generate a bcrypt hash, this guide uses `gitops get bcrypt-hash` from our CLI. + +```bash +PASSWORD="" +echo $PASSWORD | gitops get bcrypt-hash +$2a$10$OS5NJmPNEb13UgTOSKnMxOWlmS7mlxX77hv4yAiISvZ71Dc7IuN3q +``` + +Use the hashed output to create a Kubernetes username/password secret. + +```bash +kubectl create secret generic cluster-user-auth \ + --namespace flux-system \ + --from-literal=username=wego-admin \ + --from-literal=password='$2a$.......' +``` + +### 7. Check that WGE is installed + +You should now be able to load the WGE UI by port forwarding. + +```bash +kubectl port-forward --namespace flux-system svc/clusters-service 8000:8000 +``` + +The WGE UI should now be accessible at [https://localhost:8000](https://localhost:8000). + +Use the username above and regular password (not the hashed version) to login. 
+ +Head over to either: + +- [Getting started](./cluster-management/getting-started.mdx) to create your first CAPI Cluster with `kind`/CAPD +- [Deploying CAPA with EKS](./guides/deploying-capa.mdx) to create your first CAPI Cluster with EKS/CAPA. + +### (Optional) Install the TF-Controller + +The [TF-Controller](https://weaveworks.github.io/tf-controller/) is a controller for Flux to reconcile Terraform resources in a GitOps way. + +With Flux and the TF-Controller, Weave GitOps Enterprise makes it easy to add Terraform templates to clusters and continuously reconcile any changes made to the Terraform source manifest. + +Check out our guide on how to [use Terraform templates](./../guides/using-terraform-templates), and why not try your hands at using it with the RDS example! + +Install the TF-Controller to a cluster using Helm: +```bash +# Add tf-controller helm repository +helm repo add tf-controller https://weaveworks.github.io/tf-controller/ + +# Install tf-controller +helm upgrade -i tf-controller tf-controller/tf-controller \ + --namespace flux-system +``` + +Consult the TF-Controller [Installation](https://weaveworks.github.io/tf-controller/getting_started/) documentation for more details on which parameters are configurable and how to install a specific version. + +## AWS Marketplace +Weave GitOps is also available via the AWS Marketplace. + +The following steps will allow you to deploy the Weave GitOps product to an EKS cluster via a Helm Chart. + +These instructions presume you already have installed [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/), +[`eksctl`](https://github.com/weaveworks/eksctl), [`helm`](https://github.com/helm/helm) and +the [Helm S3 Plugin](https://github.com/hypnoglow/helm-s3). + +### Step 1: Subscribe to Weave GitOps on the AWS Marketplace + +To deploy the managed Weave GitOps solution, first subscribe to the product on [AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-vkn2wejad2ix4). 
+**This subscription is only available for deployment on EKS versions 1.17-1.21.** + +_Note: it may take ~20 minutes for your Subscription to become live and deployable._ + +### [Optional] Step 2: Create an EKS cluster + +**If you already have an EKS cluster, you can skip ahead to Step 3.** + +If you do not have a cluster on EKS, you can use [`eksctl`](https://github.com/weaveworks/eksctl) to create one. + +Copy the contents of the sample file below into `cluster-config.yaml` and replace the placeholder values with your settings. +See the [`eksctl` documentation](https://eksctl.io/) for more configuration options. + +```yaml +--- +apiVersion: eksctl.io/v1alpha5 +kind: ClusterConfig +metadata: + name: CLUSTER_NAME # Change this + region: REGION # Change this + +# This section is required +iam: + withOIDC: true + serviceAccounts: + - metadata: + name: wego-service-account # Altering this will require a corresponding change in a later command + namespace: flux-system + roleOnly: true + attachPolicy: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - "aws-marketplace:RegisterUsage" + Resource: '*' + +# This section will create a single Managed nodegroup with one node. +# Edit or remove as desired. +managedNodeGroups: +- name: ng1 + instanceType: m5.large + desiredCapacity: 1 +``` + +Create the cluster: + +```bash +eksctl create cluster -f cluster-config.yaml +``` + +### [Optional] Step 3: Update your EKS cluster + +**If you created your cluster using the configuration file in Step 2, your cluster is +already configured correctly and you can skip ahead to Step 4.** + +In order to use the Weave GitOps container product, +your cluster must be configured to run containers with the correct IAM Policies. + +The recommended way to do this is via [IRSA](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/). 
+ +Use this `eksctl` configuration below (replacing the placeholder values) to: +- Associate an OIDC provider +- Create the required service account ARN + +Save the example below as `oidc-config.yaml` +```yaml +--- +apiVersion: eksctl.io/v1alpha5 +kind: ClusterConfig +metadata: + name: CLUSTER_NAME # Change this + region: REGION # Change this + +# This section is required +iam: + withOIDC: true + serviceAccounts: + - metadata: + name: wego-service-account # Altering this will require a corresponding change in a later command + namespace: flux-system + roleOnly: true + attachPolicy: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - "aws-marketplace:RegisterUsage" + Resource: '*' + +``` + +```bash +eksctl utils associate-iam-oidc-provider -f oidc-config.yaml --approve +eksctl create iamserviceaccount -f oidc-config.yaml --approve +``` + +### Step 4: Fetch the Service Account Role ARN +First retrieve the ARN of the IAM role which you created for the `wego-service-account`: + +```bash +# replace the placeholder values with your configuration +# if you changed the service account name from wego-service-account, update that in the command +export SA_ARN=$(eksctl get iamserviceaccount --cluster --region | awk '/wego-service-account/ {print $3}') + +echo $SA_ARN +# should return +# arn:aws:iam:::role/eksctl--addon-iamserviceaccount-xxx-Role1-1N41MLVQEWUOF +``` + +_This value will also be discoverable in your IAM console, and in the Outputs of the Cloud Formation +template which created it._ + +### Step 5: Install Weave GitOps + +Copy the Chart URL from the Usage Instructions in AWS Marketplace, or download the file from the Deployment template to your workstation. + +To be able to log in to your new installation, you need to set up authentication. 
Create a new file `values.yaml` where you set your username, and a bcrypt hash of your desired password, like so: + +```yaml title="./values.yaml" +gitops: + adminUser: + create: true + username: + passwordHash: +``` + +Then install it: +```bash +helm install wego \ + --namespace=flux-system \ + --create-namespace \ + --set serviceAccountRole="$SA_ARN" \ + --values ./values.yaml + +# if you changed the name of the service account +helm install wego \ + --namespace=flux-system \ + --create-namespace \ + --set serviceAccountName='' \ + --set serviceAccountRole="$SA_ARN" \ + --values ./values.yaml +``` + +### Step 6: Check your installation + +Run the following from your workstation: + +```bash +kubectl get pods -n flux-system +# you should see something like the following returned +flux-system helm-controller-5b96d94c7f-tds9n 1/1 Running 0 53s +flux-system kustomize-controller-8467b8b884-x2cpd 1/1 Running 0 53s +flux-system notification-controller-55f94bc746-ggmwc 1/1 Running 0 53s +flux-system source-controller-78bfb8576-stnr5 1/1 Running 0 53s +flux-system wego-metering-f7jqp 1/1 Running 0 53s +flux-system ww-gitops-weave-gitops-5bdc9f7744-vkh65 1/1 Running 0 53s +``` + +Your Weave GitOps installation is now ready! + +The quickest way to access your dashboard is by setting up a port forward: +``` +kubectl port-forward svc/ww-gitops-weave-gitops -n flux-system 9001:9001 +``` +Then, [open the dashboard](http://localhost:9001/). diff --git a/website/versioned_docs/version-0.9.1/intro.md b/website/versioned_docs/version-0.9.1/intro.md new file mode 100644 index 0000000000..fde2b53066 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/intro.md 
@@ -0,0 +1,53 @@
+---
+title: Introduction
+sidebar_position: 0
+hide_title: true
+---
+# Weave GitOps
+
+Weave GitOps is a powerful extension to [Flux](https://fluxcd.io), a leading GitOps engine and CNCF project, which provides insights into your application deployments, and makes continuous delivery with GitOps easier to adopt and scale across your teams.
+
+The web UI surfaces key information to help application operators easily discover and resolve issues. The intuitive interface provides a guided experience to build understanding and simplify getting started for new users; they can easily discover the relationship between Flux objects and navigate to deeper levels of information as required.
+
+Weave GitOps is an open source project sponsored by [Weaveworks](https://weave.works) - the GitOps company, and original creators of [Flux](https://fluxcd.io).
+
+## Why adopt GitOps?
+> "GitOps is the best thing since configuration as code. Git changed how we collaborate, but declarative configuration is the key to dealing with infrastructure at scale, and sets the stage for the next generation of management tools"
+
+- Kelsey Hightower, Staff Developer Advocate, Google.

+
+Adopting GitOps can bring a number of key benefits:
+- Faster and more frequent deployments
+- Easy recovery from failures
+- Improved security and auditability
+
+To learn more about GitOps, check out these resources:
+
+- [GitOps for absolute beginners](https://go.weave.works/WebContent-EB-GitOps-for-Beginners.html) - eBook from Weaveworks
+- [Guide to GitOps](https://www.weave.works/technologies/gitops/) - from Weaveworks
+- [OpenGitOps](https://opengitops.dev/) - CNCF Sandbox project aiming to define a vendor-neutral, principle-led meaning of GitOps.
+- [gitops.tech](https://www.gitops.tech/) - supported by Innoq
+
+## Getting Started
+
+See [Installation](/docs/installation) and [Getting Started](/docs/getting-started)
+
+## Features
+
+- **Applications view** - allows you to quickly understand the state of your deployments across a cluster at a glance. It shows summary information from `kustomization` and `helmrelease` objects.
+- **Sources view** - shows the status of resources which are synchronizing content from where you have declared the desired state of your system, for example Git repositories. This shows summary information from `gitrepository`, `helmrepository` and `bucket` objects.
+- **Flux Runtime view** - provides status on the GitOps engine continuously reconciling your desired and live state. It shows your installed GitOps Toolkit Controllers and their version.
+- Drill down into more detailed information on any given Flux resource.
+- Uncover relationships between resources and quickly navigate between them.
+- Understand how workloads are reconciled through a directional graph.
+- View Kubernetes events relating to a given object to understand issues and changes.
+- Secure access to the dashboard through the ability to integrate with an OIDC provider (such as Dex) or through a configurable cluster user.
+- Fully integrates with [Flux](https://fluxcd.io/docs/) as the GitOps engine to provide:
+ - Continuous Delivery through GitOps for apps and infrastructure
+ - Support for GitHub, GitLab, Bitbucket, and even use s3-compatible buckets as a source; all major container registries; and all CI workflow providers.
+ - A secure, pull-based mechanism, operating with least amount of privileges, and adhering to Kubernetes security policies.
+ - Compatible with any conformant [Kubernetes version](https://fluxcd.io/docs/installation/#prerequisites) and common ecosystem technologies such as Helm, Kustomize, RBAC, Prometheus, OPA, Kyverno, etc.
+ - Multitenancy, multiple git repositories, multiple clusters
+ - Alerts and notifications
+
+
diff --git a/website/versioned_docs/version-0.9.1/policy/_category_.json b/website/versioned_docs/version-0.9.1/policy/_category_.json
new file mode 100644
index 0000000000..7b78e837e7
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/policy/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Policy",
+ "position": 5
+}
diff --git a/website/versioned_docs/version-0.9.1/policy/assets/bootstrap/calico-crs-configmap.yaml b/website/versioned_docs/version-0.9.1/policy/assets/bootstrap/calico-crs-configmap.yaml
new file mode 100644
index 0000000000..4293707dca
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/policy/assets/bootstrap/calico-crs-configmap.yaml
@@ -0,0 +1,2441 @@ +apiVersion: v1 +data: + calico.yaml: "---\n# Source: calico/templates/calico-config.yaml\n# This ConfigMap + is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: + v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # Typha + is disabled.\n typha_service_name: \"none\"\n # Configure the backend to use.\n + \ calico_backend: \"vxlan\"\n # On Azure, the underlying network has an MTU of + 1400, even though the network interface will have an MTU of 1500.\n # We set + this value to 1350 for “physical network MTU size minus 50” since we use VXLAN, + which uses a 50-byte header.\n # If enabling Wireguard, this value should be + changed to 1340 (Wireguard uses a 60-byte header).\n # https://docs.projectcalico.org/networking/mtu#determine-mtu-size\n + \ veth_mtu: \"1350\"\n \n # The CNI network configuration to install on each + node. The special\n # values in this config will be automatically populated.\n + \ cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": + \"0.3.1\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n + \ \"log_level\": \"info\",\n \"log_file_path\": \"/var/log/calico/cni/cni.log\",\n + \ \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n + \ \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": + \"calico-ipam\"\n },\n \"policy\": {\n \"type\": + \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": + \"__KUBECONFIG_FILEPATH__\"\n }\n },\n {\n \"type\": + \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": + true}\n },\n {\n \"type\": \"bandwidth\",\n \"capabilities\": + {\"bandwidth\": true}\n }\n ]\n }\n\n---\n# Source: calico/templates/kdd-crds.yaml\n\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: bgpconfigurations.crd.projectcalico.org\nspec:\n group: 
crd.projectcalico.org\n + \ names:\n kind: BGPConfiguration\n listKind: BGPConfigurationList\n plural: + bgpconfigurations\n singular: bgpconfiguration\n scope: Cluster\n versions:\n + \ - name: v1\n schema:\n openAPIV3Schema:\n description: + BGPConfiguration contains the configuration for any BGP routing.\n properties:\n + \ apiVersion:\n description: 'APIVersion defines the versioned + schema of this representation\n of an object. Servers should convert + recognized schemas to the latest\n internal value, and may reject + unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: BGPConfigurationSpec contains the + values of the BGP configuration.\n properties:\n asNumber:\n + \ description: 'ASNumber is the default AS number used by a node. + [Default:\n 64512]'\n format: int32\n type: + integer\n communities:\n description: Communities + is a list of BGP community values and their\n arbitrary names + for tagging routes.\n items:\n description: + Community contains standard or large community value\n and + its name.\n properties:\n name:\n description: + Name given to community value.\n type: string\n value:\n + \ description: Value must be of format `aa:nn` or `aa:nn:mm`.\n + \ For standard community use `aa:nn` format, where `aa` + and\n `nn` are 16 bit number. For large community use + `aa:nn:mm`\n format, where `aa`, `nn` and `mm` are 32 + bit number. 
Where,\n `aa` is an AS Number, `nn` and `mm` + are per-AS identifier.\n pattern: ^(\\d+):(\\d+)$|^(\\d+):(\\d+):(\\d+)$\n + \ type: string\n type: object\n type: + array\n listenPort:\n description: ListenPort + is the port where BGP protocol should listen.\n Defaults to + 179\n maximum: 65535\n minimum: 1\n type: + integer\n logSeverityScreen:\n description: 'LogSeverityScreen + is the log severity above which logs\n are sent to the stdout. + [Default: INFO]'\n type: string\n nodeToNodeMeshEnabled:\n + \ description: 'NodeToNodeMeshEnabled sets whether full node to + node\n BGP mesh is enabled. [Default: true]'\n type: + boolean\n prefixAdvertisements:\n description: + PrefixAdvertisements contains per-prefix advertisement\n configuration.\n + \ items:\n description: PrefixAdvertisement + configures advertisement properties\n for the specified CIDR.\n + \ properties:\n cidr:\n description: + CIDR for which properties should be advertised.\n type: + string\n communities:\n description: + Communities can be list of either community names\n already + defined in `Specs.Communities` or community value\n of + format `aa:nn` or `aa:nn:mm`. For standard community use\n `aa:nn` + format, where `aa` and `nn` are 16 bit number. For\n large + community use `aa:nn:mm` format, where `aa`, `nn` and\n `mm` + are 32 bit number. Where,`aa` is an AS Number, `nn` and\n `mm` + are per-AS identifier.\n items:\n type: + string\n type: array\n type: object\n + \ type: array\n serviceClusterIPs:\n description: + ServiceClusterIPs are the CIDR blocks from which service\n cluster + IPs are allocated. If specified, Calico will advertise these\n blocks, + as well as any cluster IPs within them.\n items:\n description: + ServiceClusterIPBlock represents a single allowed ClusterIP\n CIDR + block.\n properties:\n cidr:\n type: + string\n type: object\n type: array\n serviceExternalIPs:\n + \ description: ServiceExternalIPs are the CIDR blocks for Kubernetes\n + \ Service External IPs. 
Kubernetes Service ExternalIPs will + only be\n advertised if they are within one of these blocks.\n + \ items:\n description: ServiceExternalIPBlock + represents a single allowed\n External IP CIDR block.\n properties:\n + \ cidr:\n type: string\n type: + object\n type: array\n serviceLoadBalancerIPs:\n + \ description: ServiceLoadBalancerIPs are the CIDR blocks for + Kubernetes\n Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress\n + \ IPs will only be advertised if they are within one of these + blocks.\n items:\n description: ServiceLoadBalancerIPBlock + represents a single allowed\n LoadBalancer IP CIDR block.\n + \ properties:\n cidr:\n type: + string\n type: object\n type: array\n type: + object\n type: object\n served: true\n storage: true\nstatus:\n + \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: + []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n + \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: + null\n name: bgppeers.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: BGPPeer\n listKind: BGPPeerList\n plural: bgppeers\n + \ singular: bgppeer\n scope: Cluster\n versions:\n - name: v1\n schema:\n + \ openAPIV3Schema:\n properties:\n apiVersion:\n description: + 'APIVersion defines the versioned schema of this representation\n of + an object. Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: BGPPeerSpec contains the specification + for a BGPPeer resource.\n properties:\n asNumber:\n + \ description: The AS Number of the peer.\n format: + int32\n type: integer\n keepOriginalNextHop:\n + \ description: Option to keep the original nexthop field when + routes\n are sent to a BGP Peer. Setting \"true\" configures + the selected BGP\n Peers node to use the \"next hop keep;\" + instead of \"next hop self;\"(default)\n in the specific branch + of the Node on \"bird.cfg\".\n type: boolean\n maxRestartTime:\n + \ description: Time to allow for software restart. When specified, + this\n is configured as the graceful restart timeout. When + not specified,\n the BIRD default of 120s is used.\n type: + string\n node:\n description: The node name identifying + the Calico node instance that\n is targeted by this peer. If + this is not set, and no nodeSelector\n is specified, then this + BGP peer selects all nodes in the cluster.\n type: string\n nodeSelector:\n + \ description: Selector for the nodes that should have this peering. + \ When\n this is set, the Node field must be empty.\n type: + string\n password:\n description: Optional BGP + password for the peerings generated by this\n BGPPeer resource.\n + \ properties:\n secretKeyRef:\n description: + Selects a key of a secret in the node pod's namespace.\n properties:\n + \ key:\n description: The key of + the secret to select from. Must be\n a valid secret + key.\n type: string\n name:\n + \ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\n + \ TODO: Add other useful fields. 
apiVersion, kind, uid?'\n + \ type: string\n optional:\n description: + Specify whether the Secret or its key must be\n defined\n + \ type: boolean\n required:\n - + key\n type: object\n type: object\n peerIP:\n + \ description: The IP address of the peer followed by an optional + port\n number to peer with. If port number is given, format + should be `[]:port`\n or `:` for IPv4. If + optional port number is not set,\n and this peer IP and ASNumber + belongs to a calico/node with ListenPort\n set in BGPConfiguration, + then we use that port to peer.\n type: string\n peerSelector:\n + \ description: Selector for the remote nodes to peer with. When + this\n is set, the PeerIP and ASNumber fields must be empty. + \ For each\n peering between the local node and selected remote + nodes, we configure\n an IPv4 peering if both ends have NodeBGPSpec.IPv4Address + specified,\n and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address + specified. The\n remote AS number comes from the remote node’s + NodeBGPSpec.ASNumber,\n or the global default if that is not + set.\n type: string\n sourceAddress:\n description: + Specifies whether and how to configure a source address\n for + the peerings generated by this BGPPeer resource. Default value\n \"UseNodeIP\" + means to configure the node IP as the source address. 
\"None\"\n means + not to configure a source address.\n type: string\n type: + object\n type: object\n served: true\n storage: true\nstatus:\n + \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: + []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n + \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: + null\n name: blockaffinities.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: BlockAffinity\n listKind: BlockAffinityList\n plural: + blockaffinities\n singular: blockaffinity\n scope: Cluster\n versions:\n + \ - name: v1\n schema:\n openAPIV3Schema:\n properties:\n + \ apiVersion:\n description: 'APIVersion defines the versioned + schema of this representation\n of an object. Servers should convert + recognized schemas to the latest\n internal value, and may reject + unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: BlockAffinitySpec contains the specification + for a BlockAffinity\n resource.\n properties:\n cidr:\n + \ type: string\n deleted:\n description: + Deleted indicates that this block affinity is being deleted.\n This + field is a string for compatibility with older releases that\n mistakenly + treat this field as a string.\n type: string\n node:\n + \ type: string\n state:\n type: + string\n required:\n - cidr\n - deleted\n + \ - node\n - state\n type: object\n + \ type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n + \ kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: clusterinformations.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: ClusterInformation\n listKind: ClusterInformationList\n + \ plural: clusterinformations\n singular: clusterinformation\n scope: Cluster\n + \ versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: + ClusterInformation contains the cluster specific information.\n properties:\n + \ apiVersion:\n description: 'APIVersion defines the versioned + schema of this representation\n of an object. Servers should convert + recognized schemas to the latest\n internal value, and may reject + unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: ClusterInformationSpec contains + the values of describing\n the cluster.\n properties:\n + \ calicoVersion:\n description: CalicoVersion is + the version of Calico that the cluster\n is running\n type: + string\n clusterGUID:\n description: ClusterGUID + is the GUID of the cluster\n type: string\n clusterType:\n + \ description: ClusterType describes the type of the cluster\n + \ type: string\n datastoreReady:\n description: + DatastoreReady is used during significant datastore migrations\n to + signal to components such as Felix that it should wait before\n accessing + the datastore.\n type: boolean\n variant:\n description: + Variant declares which variant of Calico should be active.\n type: + string\n type: object\n type: object\n served: true\n + \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n + \ conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: + CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: + (devel)\n creationTimestamp: null\n name: felixconfigurations.crd.projectcalico.org\nspec:\n + \ group: crd.projectcalico.org\n names:\n kind: FelixConfiguration\n listKind: + FelixConfigurationList\n plural: felixconfigurations\n singular: felixconfiguration\n + \ scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n + \ description: Felix Configuration contains the configuration for Felix.\n + \ properties:\n apiVersion:\n description: 'APIVersion + defines the versioned schema of this representation\n of an object. + Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: FelixConfigurationSpec contains + the values of the Felix configuration.\n properties:\n allowIPIPPacketsFromWorkloads:\n + \ description: 'AllowIPIPPacketsFromWorkloads controls whether + Felix\n will add a rule to drop IPIP encapsulated traffic from + workloads\n [Default: false]'\n type: boolean\n + \ allowVXLANPacketsFromWorkloads:\n description: + 'AllowVXLANPacketsFromWorkloads controls whether Felix\n will + add a rule to drop VXLAN encapsulated traffic from workloads\n [Default: + false]'\n type: boolean\n awsSrcDstCheck:\n description: + 'Set source-destination-check on AWS EC2 instances. Accepted\n value + must be one of \"DoNothing\", \"Enabled\" or \"Disabled\". [Default:\n DoNothing]'\n + \ enum:\n - DoNothing\n - + Enable\n - Disable\n type: string\n bpfConnectTimeLoadBalancingEnabled:\n + \ description: 'BPFConnectTimeLoadBalancingEnabled when in BPF + mode,\n controls whether Felix installs the connection-time load + balancer. The\n connect-time load balancer is required for the + host to be able to\n reach Kubernetes services and it improves + the performance of pod-to-service\n connections. The only reason + to disable it is for debugging purposes. [Default:\n true]'\n + \ type: boolean\n bpfDataIfacePattern:\n description: + 'BPFDataIfacePattern is a regular expression that controls\n which + interfaces Felix should attach BPF programs to in order to\n catch + traffic to/from the network. 
This needs to match the interfaces\n that + Calico workload traffic flows over as well as any interfaces\n that + handle incoming traffic to nodeports and services from outside\n the + cluster. It should not match the workload interfaces (usually\n named + cali...). [Default: ^(en.*|eth.*|tunl0$)]'\n type: string\n bpfDisableUnprivileged:\n + \ description: 'BPFDisableUnprivileged, if enabled, Felix sets + the kernel.unprivileged_bpf_disabled\n sysctl to disable unprivileged + use of BPF. This ensures that unprivileged\n users cannot access + Calico''s BPF maps and cannot insert their own\n BPF programs + to interfere with Calico''s. [Default: true]'\n type: boolean\n + \ bpfEnabled:\n description: 'BPFEnabled, if enabled + Felix will use the BPF dataplane.\n [Default: false]'\n type: + boolean\n bpfExtToServiceConnmark:\n description: + 'BPFExtToServiceConnmark in BPF mode, control a 32bit\n mark + that is set on connections from an external client to a local\n service. + This mark allows us to control how packets of that connection\n are + routed within the host and how is routing intepreted by RPF\n check. + [Default: 0]'\n type: integer\n bpfExternalServiceMode:\n + \ description: 'BPFExternalServiceMode in BPF mode, controls how + connections\n from outside the cluster to services (node ports + and cluster IPs)\n are forwarded to remote workloads. If set + to \"Tunnel\" then both\n request and response traffic is tunneled + to the remote node. If\n set to \"DSR\", the request traffic + is tunneled but the response traffic\n is sent directly from + the remote node. In \"DSR\" mode, the remote\n node appears + to use the IP of the ingress node; this requires a\n permissive + L2 network. 
[Default: Tunnel]'\n type: string\n bpfKubeProxyEndpointSlicesEnabled:\n + \ description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, + controls\n whether Felix's embedded kube-proxy accepts EndpointSlices + or not.\n type: boolean\n bpfKubeProxyIptablesCleanupEnabled:\n + \ description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled + in BPF\n mode, Felix will proactively clean up the upstream Kubernetes + kube-proxy''s\n iptables chains. Should only be enabled if kube-proxy + is not running. [Default:\n true]'\n type: + boolean\n bpfKubeProxyMinSyncPeriod:\n description: + 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the\n minimum + time between updates to the dataplane for Felix''s embedded\n kube-proxy. + \ Lower values give reduced set-up latency. Higher values\n reduce + Felix CPU usage by batching up more work. [Default: 1s]'\n type: + string\n bpfLogLevel:\n description: 'BPFLogLevel + controls the log level of the BPF programs\n when in BPF dataplane + mode. One of \"Off\", \"Info\", or \"Debug\". The\n logs are + emitted to the BPF trace pipe, accessible with the command\n `tc + exec bpf debug`. [Default: Off].'\n type: string\n chainInsertMode:\n + \ description: 'ChainInsertMode controls whether Felix hooks the + kernel’s\n top-level iptables chains by inserting a rule at the + top of the\n chain or by appending a rule at the bottom. insert + is the safe default\n since it prevents Calico’s rules from being + bypassed. If you switch\n to append mode, be sure that the other + rules in the chains signal\n acceptance by falling through to + the Calico rules, otherwise the\n Calico policy will be bypassed. 
+ [Default: insert]'\n type: string\n dataplaneDriver:\n + \ type: string\n debugDisableLogDropping:\n type: + boolean\n debugMemoryProfilePath:\n type: string\n + \ debugSimulateCalcGraphHangAfter:\n type: string\n + \ debugSimulateDataplaneHangAfter:\n type: string\n + \ defaultEndpointToHostAction:\n description: 'DefaultEndpointToHostAction + controls what happens to\n traffic that goes from a workload + endpoint to the host itself (after\n the traffic hits the endpoint + egress policy). By default Calico\n blocks traffic from workload + endpoints to the host itself with an\n iptables “DROP” action. + If you want to allow some or all traffic\n from endpoint to host, + set this parameter to RETURN or ACCEPT. Use\n RETURN if you have + your own rules in the iptables “INPUT” chain;\n Calico will insert + its rules at the top of that chain, then “RETURN”\n packets to + the “INPUT” chain once it has completed processing workload\n endpoint + egress policy. Use ACCEPT to unconditionally accept packets\n from + workloads after processing workload endpoint egress policy.\n [Default: + Drop]'\n type: string\n deviceRouteProtocol:\n + \ description: This defines the route protocol added to programmed + device\n routes, by default this will be RTPROT_BOOT when left + blank.\n type: integer\n deviceRouteSourceAddress:\n + \ description: This is the source address to use on programmed + device\n routes. 
By default the source address is left blank, + leaving the\n kernel to choose the source address used.\n type: + string\n disableConntrackInvalidCheck:\n type: + boolean\n endpointReportingDelay:\n type: string\n + \ endpointReportingEnabled:\n type: boolean\n externalNodesList:\n + \ description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes\n + \ which may source tunnel traffic and have the tunneled traffic + be\n accepted at calico nodes.\n items:\n + \ type: string\n type: array\n failsafeInboundHostPorts:\n + \ description: 'FailsafeInboundHostPorts is a list of UDP/TCP + ports\n and CIDRs that Felix will allow incoming traffic to + host endpoints\n on irrespective of the security policy. This + is useful to avoid\n accidentally cutting off a host with incorrect + configuration. For\n back-compatibility, if the protocol is + not specified, it defaults\n to \"tcp\". If a CIDR is not specified, + it will allow traffic from\n all addresses. To disable all + inbound host ports, use the value\n none. The default value + allows ssh access and DHCP. [Default: tcp:22,\n udp:68, tcp:179, + tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'\n items:\n + \ description: ProtoPort is combination of protocol, port, and + CIDR.\n Protocol and port must be specified.\n properties:\n + \ net:\n type: string\n port:\n + \ type: integer\n protocol:\n type: + string\n required:\n - port\n - + protocol\n type: object\n type: array\n failsafeOutboundHostPorts:\n + \ description: 'FailsafeOutboundHostPorts is a list of UDP/TCP + ports\n and CIDRs that Felix will allow outgoing traffic from + host endpoints\n to irrespective of the security policy. This + is useful to avoid\n accidentally cutting off a host with incorrect + configuration. For\n back-compatibility, if the protocol is + not specified, it defaults\n to \"tcp\". If a CIDR is not specified, + it will allow traffic from\n all addresses. To disable all + outbound host ports, use the value\n none. 
The default value + opens etcd''s standard ports to ensure that\n Felix does not + get cut off from etcd as well as allowing DHCP and\n DNS. [Default: + tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,\n tcp:6667, + udp:53, udp:67]'\n items:\n description: ProtoPort + is combination of protocol, port, and CIDR.\n Protocol and + port must be specified.\n properties:\n net:\n + \ type: string\n port:\n type: + integer\n protocol:\n type: string\n + \ required:\n - port\n - + protocol\n type: object\n type: array\n featureDetectOverride:\n + \ description: FeatureDetectOverride is used to override the feature\n + \ detection. Values are specified in a comma separated list + with no\n spaces, example; \"SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=\".\n + \ \"true\" or \"false\" will force the feature, empty or omitted + values\n are auto-detected.\n type: string\n + \ genericXDPEnabled:\n description: 'GenericXDPEnabled + enables Generic XDP so network cards\n that don''t support XDP + offload or driver modes can use XDP. This\n is not recommended + since it doesn''t provide better performance\n than iptables. + [Default: false]'\n type: boolean\n healthEnabled:\n + \ type: boolean\n healthHost:\n type: + string\n healthPort:\n type: integer\n interfaceExclude:\n + \ description: 'InterfaceExclude is a comma-separated list of + interfaces\n that Felix should exclude when monitoring for host + endpoints. The\n default value ensures that Felix ignores Kubernetes'' + IPVS dummy\n interface, which is used internally by kube-proxy. + If you want to\n exclude multiple interface names using a single + value, the list\n supports regular expressions. For regular expressions + you must wrap\n the value with ''/''. For example having values + ''/^kube/,veth1''\n will exclude all interfaces that begin with + ''kube'' and also the\n interface ''veth1''. 
[Default: kube-ipvs0]'\n + \ type: string\n interfacePrefix:\n description: + 'InterfacePrefix is the interface name prefix that identifies\n workload + endpoints and so distinguishes them from host endpoint\n interfaces. + Note: in environments other than bare metal, the orchestrators\n configure + this appropriately. For example our Kubernetes and Docker\n integrations + set the ‘cali’ value, and our OpenStack integration\n sets the + ‘tap’ value. [Default: cali]'\n type: string\n interfaceRefreshInterval:\n + \ description: InterfaceRefreshInterval is the period at which + Felix\n rescans local interfaces to verify their state. The + rescan can be\n disabled by setting the interval to 0.\n type: + string\n ipipEnabled:\n type: boolean\n ipipMTU:\n + \ description: 'IPIPMTU is the MTU to set on the tunnel device. + See\n Configuring MTU [Default: 1440]'\n type: + integer\n ipsetsRefreshInterval:\n description: + 'IpsetsRefreshInterval is the period at which Felix re-checks\n all + iptables state to ensure that no other process has accidentally\n broken + Calico’s rules. Set to 0 to disable iptables refresh. [Default:\n 90s]'\n + \ type: string\n iptablesBackend:\n description: + IptablesBackend specifies which backend of iptables will\n be + used. The default is legacy.\n type: string\n iptablesFilterAllowAction:\n + \ type: string\n iptablesLockFilePath:\n description: + 'IptablesLockFilePath is the location of the iptables\n lock + file. You may need to change this if the lock file is not in\n its + standard location (for example if you have mapped it into Felix’s\n container + at a different path). [Default: /run/xtables.lock]'\n type: string\n + \ iptablesLockProbeInterval:\n description: 'IptablesLockProbeInterval + is the time that Felix will\n wait between attempts to acquire + the iptables lock if it is not\n available. Lower values make + Felix more responsive when the lock\n is contended, but use more + CPU. 
[Default: 50ms]'\n type: string\n iptablesLockTimeout:\n + \ description: 'IptablesLockTimeout is the time that Felix will + wait\n for the iptables lock, or 0, to disable. To use this feature, + Felix\n must share the iptables lock file with all other processes + that\n also take the lock. When running Felix inside a container, + this\n requires the /run directory of the host to be mounted + into the calico/node\n or calico/felix container. [Default: 0s + disabled]'\n type: string\n iptablesMangleAllowAction:\n + \ type: string\n iptablesMarkMask:\n description: + 'IptablesMarkMask is the mask that Felix selects its\n IPTables + Mark bits from. Should be a 32 bit hexadecimal number with\n at + least 8 bits set, none of which clash with any other mark bits\n in + use on the system. [Default: 0xff000000]'\n format: int32\n type: + integer\n iptablesNATOutgoingInterfaceFilter:\n type: + string\n iptablesPostWriteCheckInterval:\n description: + 'IptablesPostWriteCheckInterval is the period after Felix\n has + done a write to the dataplane that it schedules an extra read\n back + in order to check the write was not clobbered by another process.\n This + should only occur if another application on the system doesn’t\n respect + the iptables lock. [Default: 1s]'\n type: string\n iptablesRefreshInterval:\n + \ description: 'IptablesRefreshInterval is the period at which + Felix\n re-checks the IP sets in the dataplane to ensure that + no other process\n has accidentally broken Calico''s rules. + Set to 0 to disable IP\n sets refresh. Note: the default for + this value is lower than the\n other refresh intervals as a + workaround for a Linux kernel bug that\n was fixed in kernel + version 4.11. If you are using v4.11 or greater\n you may want + to set this to, a higher value to reduce Felix CPU\n usage. 
+ [Default: 10s]'\n type: string\n ipv6Support:\n + \ type: boolean\n kubeNodePortRanges:\n description: + 'KubeNodePortRanges holds list of port ranges used for\n service + node ports. Only used if felix detects kube-proxy running\n in + ipvs mode. Felix uses these ranges to separate host and workload\n traffic. + [Default: 30000:32767].'\n items:\n anyOf:\n + \ - type: integer\n - type: string\n + \ pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n logFilePath:\n description: + 'LogFilePath is the full path to the Felix log. Set to\n none + to disable file logging. [Default: /var/log/calico/felix.log]'\n type: + string\n logPrefix:\n description: 'LogPrefix + is the log prefix that Felix uses when rendering\n LOG rules. + [Default: calico-packet]'\n type: string\n logSeverityFile:\n + \ description: 'LogSeverityFile is the log severity above which + logs\n are sent to the log file. [Default: Info]'\n type: + string\n logSeverityScreen:\n description: 'LogSeverityScreen + is the log severity above which logs\n are sent to the stdout. + [Default: Info]'\n type: string\n logSeveritySys:\n + \ description: 'LogSeveritySys is the log severity above which + logs\n are sent to the syslog. Set to None for no logging to + syslog. [Default:\n Info]'\n type: string\n + \ maxIpsetSize:\n type: integer\n metadataAddr:\n + \ description: 'MetadataAddr is the IP address or domain name + of the\n server that can answer VM queries for cloud-init metadata. + In OpenStack,\n this corresponds to the machine running nova-api + (or in Ubuntu,\n nova-api-metadata). A value of none (case insensitive) + means that\n Felix should not set up any NAT rule for the metadata + path. [Default:\n 127.0.0.1]'\n type: string\n + \ metadataPort:\n description: 'MetadataPort is + the port of the metadata server. 
This,\n combined with global.MetadataAddr + (if not ‘None’), is used to set\n up a NAT rule, from 169.254.169.254:80 + to MetadataAddr:MetadataPort.\n In most cases this should not + need to be changed [Default: 8775].'\n type: integer\n mtuIfacePattern:\n + \ description: MTUIfacePattern is a regular expression that controls\n + \ which interfaces Felix should scan in order to calculate the + host's\n MTU. This should not match workload interfaces (usually + named cali...).\n type: string\n natOutgoingAddress:\n + \ description: NATOutgoingAddress specifies an address to use + when performing\n source NAT for traffic in a natOutgoing pool + that is leaving the\n network. By default the address used + is an address on the interface\n the traffic is leaving on + (ie it uses the iptables MASQUERADE target)\n type: string\n + \ natPortRange:\n anyOf:\n - + type: integer\n - type: string\n description: + NATPortRange specifies the range of ports that is used\n for + port mapping when doing outgoing NAT. When unset the default\n behavior + of the network stack is used.\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n netlinkTimeout:\n type: string\n openstackRegion:\n + \ description: 'OpenstackRegion is the name of the region that + a particular\n Felix belongs to. In a multi-region Calico/OpenStack + deployment,\n this must be configured somehow for each Felix + (here in the datamodel,\n or in felix.cfg or the environment + on each compute node), and must\n match the [calico] openstack_region + value configured in neutron.conf\n on each node. 
[Default: Empty]'\n + \ type: string\n policySyncPathPrefix:\n description: + 'PolicySyncPathPrefix is used to by Felix to communicate\n policy + changes to external services, like Application layer policy.\n [Default: + Empty]'\n type: string\n prometheusGoMetricsEnabled:\n + \ description: 'PrometheusGoMetricsEnabled disables Go runtime + metrics\n collection, which the Prometheus client does by default, + when set\n to false. This reduces the number of metrics reported, + reducing\n Prometheus load. [Default: true]'\n type: + boolean\n prometheusMetricsEnabled:\n description: + 'PrometheusMetricsEnabled enables the Prometheus metrics\n server + in Felix if set to true. [Default: false]'\n type: boolean\n + \ prometheusMetricsHost:\n description: 'PrometheusMetricsHost + is the host that the Prometheus\n metrics server should bind + to. [Default: empty]'\n type: string\n prometheusMetricsPort:\n + \ description: 'PrometheusMetricsPort is the TCP port that the + Prometheus\n metrics server should bind to. [Default: 9091]'\n + \ type: integer\n prometheusProcessMetricsEnabled:\n + \ description: 'PrometheusProcessMetricsEnabled disables process + metrics\n collection, which the Prometheus client does by default, + when set\n to false. This reduces the number of metrics reported, + reducing\n Prometheus load. [Default: true]'\n type: + boolean\n removeExternalRoutes:\n description: + Whether or not to remove device routes that have not\n been + programmed by Felix. Disabling this will allow external applications\n to + also add device routes. This is enabled by default which means\n we + will remove externally added routes.\n type: boolean\n reportingInterval:\n + \ description: 'ReportingInterval is the interval at which Felix + reports\n its status into the datastore or 0 to disable. Must + be non-zero\n in OpenStack deployments. 
[Default: 30s]'\n type: + string\n reportingTTL:\n description: 'ReportingTTL + is the time-to-live setting for process-wide\n status reports. + [Default: 90s]'\n type: string\n routeRefreshInterval:\n + \ description: 'RouterefreshInterval is the period at which Felix + re-checks\n the routes in the dataplane to ensure that no other + process has\n accidentally broken Calico’s rules. Set to 0 to + disable route refresh.\n [Default: 90s]'\n type: + string\n routeSource:\n description: 'RouteSource + configures where Felix gets its routing\n information. - WorkloadIPs: + use workload endpoints to construct\n routes. - CalicoIPAM: the + default - use IPAM data to construct routes.'\n type: string\n + \ routeTableRange:\n description: Calico programs + additional Linux route tables for various\n purposes. RouteTableRange + specifies the indices of the route tables\n that Calico should + use.\n properties:\n max:\n type: + integer\n min:\n type: integer\n required:\n + \ - max\n - min\n type: + object\n serviceLoopPrevention:\n description: + 'When service IP advertisement is enabled, prevent routing\n loops + to service IPs that are not in use, by dropping or rejecting\n packets + that do not get DNAT''d by kube-proxy. Unless set to \"Disabled\",\n in + which case such routing loops continue to be allowed. [Default:\n Drop]'\n + \ type: string\n sidecarAccelerationEnabled:\n + \ description: 'SidecarAccelerationEnabled enables experimental + sidecar\n acceleration [Default: false]'\n type: + boolean\n usageReportingEnabled:\n description: + 'UsageReportingEnabled reports anonymous Calico version\n number + and cluster size to projectcalico.org. Logs warnings returned\n by + the usage server. For example, if a significant security vulnerability\n has + been discovered in the version of Calico being used. 
[Default:\n true]'\n + \ type: boolean\n usageReportingInitialDelay:\n + \ description: 'UsageReportingInitialDelay controls the minimum + delay\n before Felix makes a report. [Default: 300s]'\n type: + string\n usageReportingInterval:\n description: + 'UsageReportingInterval controls the interval at which\n Felix + makes reports. [Default: 86400s]'\n type: string\n useInternalDataplaneDriver:\n + \ type: boolean\n vxlanEnabled:\n type: + boolean\n vxlanMTU:\n description: 'VXLANMTU is + the MTU to set on the tunnel device. See\n Configuring MTU [Default: + 1440]'\n type: integer\n vxlanPort:\n type: + integer\n vxlanVNI:\n type: integer\n wireguardEnabled:\n + \ description: 'WireguardEnabled controls whether Wireguard is + enabled.\n [Default: false]'\n type: boolean\n + \ wireguardInterfaceName:\n description: 'WireguardInterfaceName + specifies the name to use for\n the Wireguard interface. [Default: + wg.calico]'\n type: string\n wireguardListeningPort:\n + \ description: 'WireguardListeningPort controls the listening + port used\n by Wireguard. [Default: 51820]'\n type: + integer\n wireguardMTU:\n description: 'WireguardMTU + controls the MTU on the Wireguard interface.\n See Configuring + MTU [Default: 1420]'\n type: integer\n wireguardRoutingRulePriority:\n + \ description: 'WireguardRoutingRulePriority controls the priority + value\n to use for the Wireguard routing rule. [Default: 99]'\n + \ type: integer\n xdpEnabled:\n description: + 'XDPEnabled enables XDP acceleration for suitable untracked\n incoming + deny rules. [Default: true]'\n type: boolean\n xdpRefreshInterval:\n + \ description: 'XDPRefreshInterval is the period at which Felix + re-checks\n all XDP state to ensure that no other process has + accidentally broken\n Calico''s BPF maps or attached programs. + Set to 0 to disable XDP\n refresh. 
[Default: 90s]'\n type: + string\n type: object\n type: object\n served: true\n + \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n + \ conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: + CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: + (devel)\n creationTimestamp: null\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n + \ group: crd.projectcalico.org\n names:\n kind: GlobalNetworkPolicy\n listKind: + GlobalNetworkPolicyList\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n + \ scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n + \ properties:\n apiVersion:\n description: 'APIVersion + defines the versioned schema of this representation\n of an object. + Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n properties:\n applyOnForward:\n + \ description: ApplyOnForward indicates to apply the rules in + this policy\n on forward traffic.\n type: + boolean\n doNotTrack:\n description: DoNotTrack + indicates whether packets matched by the rules\n in this policy + should go through the data plane's connection tracking,\n such + as Linux conntrack. 
If True, the rules in this policy are\n applied + before any data plane connection tracking, and packets allowed\n by + this policy are marked as not to be tracked.\n type: boolean\n + \ egress:\n description: The ordered set of egress + rules. Each rule contains\n a set of packet match criteria + and a corresponding action to apply.\n items:\n description: + \"A Rule encapsulates a set of match criteria and an\n action. + \ Both selector-based security Policy and security Profiles\n reference + rules - separated out as a list of rules for both ingress\n and + egress packet matching. \\n Each positive match criteria has\n a + negated version, prefixed with ”Not”. All the match criteria\n within + a rule must be satisfied for a packet to match. A single\n rule + can contain the positive and negative version of a match\n and + both must be satisfied for the rule to match.\"\n properties:\n + \ action:\n type: string\n destination:\n + \ description: Destination contains the match criteria that + apply\n to destination entity.\n properties:\n + \ namespaceSelector:\n description: + \"NamespaceSelector is an optional field that\n contains + a selector expression. Only traffic that originates\n from + (or terminates at) endpoints within the selected\n namespaces + will be matched. When both NamespaceSelector\n and + Selector are defined on the same rule, then only workload\n endpoints + that are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. 
\\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. + Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. 
\\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. \\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. 
\\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n http:\n description: + HTTP contains match criteria that apply to HTTP\n requests.\n + \ properties:\n methods:\n description: + Methods is an optional field that restricts\n the + rule to apply only to HTTP requests that use one of\n the + listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods + are OR'd together.\n items:\n type: + string\n type: array\n paths:\n + \ description: 'Paths is an optional field that restricts\n + \ the rule to apply to HTTP requests that use one of + the\n listed HTTP Paths. Multiple paths are OR''d together.\n + \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry + may\n ONLY specify either a `exact` or a `prefix` match. + The\n validator will check for it.'\n items:\n + \ description: 'HTTPPath specifies an HTTP path to + match.\n It may be either of the form: exact: : + which matches\n the path exactly or prefix: : + which matches\n the path prefix'\n properties:\n + \ exact:\n type: + string\n prefix:\n type: + string\n type: object\n type: + array\n type: object\n icmp:\n description: + ICMP is an optional field that restricts the rule\n to + apply to a specific type and code of ICMP traffic. This\n should + only be specified if the Protocol field is set to \"ICMP\"\n or + \"ICMPv6\".\n properties:\n code:\n + \ description: Match on a specific ICMP code. If specified,\n + \ the Type value must also be specified. 
This is a + technical\n limitation imposed by the kernel’s iptables + firewall,\n which Calico uses to enforce the rule.\n + \ type: integer\n type:\n description: + Match on a specific ICMP type. For example\n a value + of 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n ipVersion:\n + \ description: IPVersion is an optional field that restricts + the\n rule to only match a specific IP version.\n type: + integer\n metadata:\n description: + Metadata contains additional information for this\n rule\n + \ properties:\n annotations:\n + \ additionalProperties:\n type: + string\n description: Annotations is a set of key value + pairs that\n give extra information about the rule\n + \ type: object\n type: object\n + \ notICMP:\n description: NotICMP is + the negated version of the ICMP field.\n properties:\n + \ code:\n description: Match + on a specific ICMP code. If specified,\n the Type + value must also be specified. This is a technical\n limitation + imposed by the kernel’s iptables firewall,\n which + Calico uses to enforce the rule.\n type: integer\n + \ type:\n description: Match + on a specific ICMP type. For example\n a value of + 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n notProtocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: NotProtocol is the negated + version of the Protocol\n field.\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n protocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: \"Protocol is an optional field + that restricts the\n rule to only apply to traffic of a + specific IP protocol. Required\n if any of the EntityRules + contain Ports (because ports only\n apply to certain protocols). 
+ \\n Must be one of these string\n values: \\\"TCP\\\", + \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" + or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n source:\n description: Source + contains the match criteria that apply to\n source entity.\n + \ properties:\n namespaceSelector:\n + \ description: \"NamespaceSelector is an optional field + that\n contains a selector expression. Only traffic + that originates\n from (or terminates at) endpoints + within the selected\n namespaces will be matched. When + both NamespaceSelector\n and Selector are defined on + the same rule, then only workload\n endpoints that + are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. 
+ Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. 
\\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. 
If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n required:\n + \ - action\n type: object\n type: + array\n ingress:\n description: The ordered set + of ingress rules. Each rule contains\n a set of packet match + criteria and a corresponding action to apply.\n items:\n description: + \"A Rule encapsulates a set of match criteria and an\n action. + \ Both selector-based security Policy and security Profiles\n reference + rules - separated out as a list of rules for both ingress\n and + egress packet matching. \\n Each positive match criteria has\n a + negated version, prefixed with ”Not”. All the match criteria\n within + a rule must be satisfied for a packet to match. A single\n rule + can contain the positive and negative version of a match\n and + both must be satisfied for the rule to match.\"\n properties:\n + \ action:\n type: string\n destination:\n + \ description: Destination contains the match criteria that + apply\n to destination entity.\n properties:\n + \ namespaceSelector:\n description: + \"NamespaceSelector is an optional field that\n contains + a selector expression. Only traffic that originates\n from + (or terminates at) endpoints within the selected\n namespaces + will be matched. When both NamespaceSelector\n and + Selector are defined on the same rule, then only workload\n endpoints + that are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. 
\\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. + Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. 
\\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. \\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. 
\\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n http:\n description: + HTTP contains match criteria that apply to HTTP\n requests.\n + \ properties:\n methods:\n description: + Methods is an optional field that restricts\n the + rule to apply only to HTTP requests that use one of\n the + listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods + are OR'd together.\n items:\n type: + string\n type: array\n paths:\n + \ description: 'Paths is an optional field that restricts\n + \ the rule to apply to HTTP requests that use one of + the\n listed HTTP Paths. Multiple paths are OR''d together.\n + \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry + may\n ONLY specify either a `exact` or a `prefix` match. + The\n validator will check for it.'\n items:\n + \ description: 'HTTPPath specifies an HTTP path to + match.\n It may be either of the form: exact: : + which matches\n the path exactly or prefix: : + which matches\n the path prefix'\n properties:\n + \ exact:\n type: + string\n prefix:\n type: + string\n type: object\n type: + array\n type: object\n icmp:\n description: + ICMP is an optional field that restricts the rule\n to + apply to a specific type and code of ICMP traffic. This\n should + only be specified if the Protocol field is set to \"ICMP\"\n or + \"ICMPv6\".\n properties:\n code:\n + \ description: Match on a specific ICMP code. If specified,\n + \ the Type value must also be specified. 
This is a + technical\n limitation imposed by the kernel’s iptables + firewall,\n which Calico uses to enforce the rule.\n + \ type: integer\n type:\n description: + Match on a specific ICMP type. For example\n a value + of 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n ipVersion:\n + \ description: IPVersion is an optional field that restricts + the\n rule to only match a specific IP version.\n type: + integer\n metadata:\n description: + Metadata contains additional information for this\n rule\n + \ properties:\n annotations:\n + \ additionalProperties:\n type: + string\n description: Annotations is a set of key value + pairs that\n give extra information about the rule\n + \ type: object\n type: object\n + \ notICMP:\n description: NotICMP is + the negated version of the ICMP field.\n properties:\n + \ code:\n description: Match + on a specific ICMP code. If specified,\n the Type + value must also be specified. This is a technical\n limitation + imposed by the kernel’s iptables firewall,\n which + Calico uses to enforce the rule.\n type: integer\n + \ type:\n description: Match + on a specific ICMP type. For example\n a value of + 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n notProtocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: NotProtocol is the negated + version of the Protocol\n field.\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n protocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: \"Protocol is an optional field + that restricts the\n rule to only apply to traffic of a + specific IP protocol. Required\n if any of the EntityRules + contain Ports (because ports only\n apply to certain protocols). 
+ \\n Must be one of these string\n values: \\\"TCP\\\", + \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" + or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n source:\n description: Source + contains the match criteria that apply to\n source entity.\n + \ properties:\n namespaceSelector:\n + \ description: \"NamespaceSelector is an optional field + that\n contains a selector expression. Only traffic + that originates\n from (or terminates at) endpoints + within the selected\n namespaces will be matched. When + both NamespaceSelector\n and Selector are defined on + the same rule, then only workload\n endpoints that + are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. 
+ Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. 
\\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. 
If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n required:\n + \ - action\n type: object\n type: + array\n namespaceSelector:\n description: NamespaceSelector + is an optional field for an expression\n used to select a pod + based on namespaces.\n type: string\n order:\n + \ description: Order is an optional field that specifies the order + in\n which the policy is applied. Policies with higher \"order\" + are applied\n after those with lower order. If the order is + omitted, it may be\n considered to be \"infinite\" - i.e. the + policy will be applied last. Policies\n with identical order + will be applied in alphanumerical order based\n on the Policy + \"Name\".\n type: number\n preDNAT:\n description: + PreDNAT indicates to apply the rules in this policy before\n any + DNAT.\n type: boolean\n selector:\n description: + \"The selector is an expression used to pick pick out\n the endpoints + that the policy should be applied to. \\n Selector\n expressions + follow this syntax: \\n \\tlabel == \\\"string_literal\\\"\n \\ + -> comparison, e.g. my_label == \\\"foo bar\\\" \\tlabel != \\\"string_literal\\\"\n + \ \\ -> not equal; also matches if label is not present \\tlabel + in\n { \\\"a\\\", \\\"b\\\", \\\"c\\\", ... } -> true if the + value of label X is\n one of \\\"a\\\", \\\"b\\\", \\\"c\\\" + \\tlabel not in { \\\"a\\\", \\\"b\\\", \\\"c\\\",\n ... } -> + \ true if the value of label X is not one of \\\"a\\\", \\\"b\\\",\n \\\"c\\\" + \\thas(label_name) -> True if that label is present \\t! expr\n -> + negation of expr \\texpr && expr -> Short-circuit and \\texpr\n || + expr -> Short-circuit or \\t( expr ) -> parens for grouping \\tall()\n or + the empty selector -> matches all endpoints. \\n Label names are\n allowed + to contain alphanumerics, -, _ and /. String literals are\n more + permissive but they do not support escape characters. 
\\n Examples\n (with + made-up labels): \\n \\ttype == \\\"webserver\\\" && deployment\n == + \\\"prod\\\" \\ttype in {\\\"frontend\\\", \\\"backend\\\"} \\tdeployment !=\n + \ \\\"dev\\\" \\t! has(label_name)\"\n type: + string\n serviceAccountSelector:\n description: + ServiceAccountSelector is an optional field for an expression\n used + to select a pod based on service accounts.\n type: string\n types:\n + \ description: \"Types indicates whether this policy applies to + ingress,\n or to egress, or to both. When not explicitly specified + (and so\n the value on creation is empty or nil), Calico defaults + Types according\n to what Ingress and Egress rules are present + in the policy. The\n default is: \\n - [ PolicyTypeIngress ], + if there are no Egress rules\n (including the case where there + are also no Ingress rules) \\n\n - [ PolicyTypeEgress ], if + there are Egress rules but no Ingress\n rules \\n - [ PolicyTypeIngress, + PolicyTypeEgress ], if there are\n both Ingress and Egress rules. 
+ \\n When the policy is read back again,\n Types will always be + one of these values, never empty or nil.\"\n items:\n description: + PolicyType enumerates the possible values of the PolicySpec\n Types + field.\n type: string\n type: array\n type: + object\n type: object\n served: true\n storage: true\nstatus:\n + \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: + []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n + \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: + null\n name: globalnetworksets.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: GlobalNetworkSet\n listKind: GlobalNetworkSetList\n plural: + globalnetworksets\n singular: globalnetworkset\n scope: Cluster\n versions:\n + \ - name: v1\n schema:\n openAPIV3Schema:\n description: + GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs\n that + share labels to allow rules to refer to them via selectors. The labels\n of + GlobalNetworkSet are not namespaced.\n properties:\n apiVersion:\n + \ description: 'APIVersion defines the versioned schema of this representation\n + \ of an object. Servers should convert recognized schemas to the latest\n + \ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: GlobalNetworkSetSpec contains the + specification for a NetworkSet\n resource.\n properties:\n + \ nets:\n description: The list of IP networks + that belong to this set.\n items:\n type: + string\n type: array\n type: object\n type: + object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: + \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: hostendpoints.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: HostEndpoint\n listKind: HostEndpointList\n plural: + hostendpoints\n singular: hostendpoint\n scope: Cluster\n versions:\n - + name: v1\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n + \ description: 'APIVersion defines the versioned schema of this representation\n + \ of an object. Servers should convert recognized schemas to the latest\n + \ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: HostEndpointSpec contains the specification + for a HostEndpoint\n resource.\n properties:\n expectedIPs:\n + \ description: \"The expected IP addresses (IPv4 and IPv6) of + the endpoint.\n If \\\"InterfaceName\\\" is not present, Calico + will look for an interface\n matching any of the IPs in the list + and apply policy to that. Note:\n \\tWhen using the selector + match criteria in an ingress or egress\n security Policy \\tor + Profile, Calico converts the selector into\n a set of IP addresses. + For host \\tendpoints, the ExpectedIPs field\n is used for that + purpose. (If only the interface \\tname is specified,\n Calico + does not learn the IPs of the interface for use in match\n \\tcriteria.)\"\n + \ items:\n type: string\n type: + array\n interfaceName:\n description: \"Either + \\\"*\\\", or the name of a specific Linux interface\n to apply + policy to; or empty. \\\"*\\\" indicates that this HostEndpoint\n governs + all traffic to, from or through the default network namespace\n of + the host named by the \\\"Node\\\" field; entering and leaving that\n namespace + via any interface, including those from/to non-host-networked\n local + workloads. \\n If InterfaceName is not \\\"*\\\", this HostEndpoint\n only + governs traffic that enters or leaves the host through the\n specific + interface named by InterfaceName, or - when InterfaceName\n is + empty - through the specific interface that has one of the IPs\n in + ExpectedIPs. Therefore, when InterfaceName is empty, at least\n one + expected IP must be specified. 
Only external interfaces (such\n as + “eth0”) are supported here; it isn't possible for a HostEndpoint\n to + protect traffic through a specific local workload interface.\n \\n + Note: Only some kinds of policy are implemented for \\\"*\\\" HostEndpoints;\n + \ initially just pre-DNAT policy. Please check Calico documentation\n + \ for the latest position.\"\n type: string\n + \ node:\n description: The node name identifying + the Calico node instance.\n type: string\n ports:\n + \ description: Ports contains the endpoint's named ports, which + may\n be referenced in security policy rules.\n items:\n + \ properties:\n name:\n type: + string\n port:\n type: integer\n protocol:\n + \ anyOf:\n - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n required:\n - name\n - + port\n - protocol\n type: object\n type: + array\n profiles:\n description: A list of identifiers + of security Profile objects that\n apply to this endpoint. + Each profile is applied in the order that\n they appear in + this list. Profile rules are applied after the selector-based\n security + policy.\n items:\n type: string\n type: + array\n type: object\n type: object\n served: true\n + \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n + \ conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: + CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: + (devel)\n creationTimestamp: null\n name: ipamblocks.crd.projectcalico.org\nspec:\n + \ group: crd.projectcalico.org\n names:\n kind: IPAMBlock\n listKind: IPAMBlockList\n + \ plural: ipamblocks\n singular: ipamblock\n scope: Cluster\n versions:\n + \ - name: v1\n schema:\n openAPIV3Schema:\n properties:\n + \ apiVersion:\n description: 'APIVersion defines the versioned + schema of this representation\n of an object. 
Servers should convert + recognized schemas to the latest\n internal value, and may reject + unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: IPAMBlockSpec contains the specification + for an IPAMBlock\n resource.\n properties:\n affinity:\n + \ type: string\n allocations:\n items:\n + \ type: integer\n # TODO: This nullable is + manually added in. We should update controller-gen\n # to handle + []*int properly itself.\n nullable: true\n type: + array\n attributes:\n items:\n properties:\n + \ handle_id:\n type: string\n secondary:\n + \ additionalProperties:\n type: + string\n type: object\n type: object\n + \ type: array\n cidr:\n type: + string\n deleted:\n type: boolean\n strictAffinity:\n + \ type: boolean\n unallocated:\n items:\n + \ type: integer\n type: array\n required:\n + \ - allocations\n - attributes\n - + cidr\n - strictAffinity\n - unallocated\n type: + object\n type: object\n served: true\n storage: true\nstatus:\n + \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: + []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n + \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: + null\n name: ipamconfigs.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: IPAMConfig\n listKind: IPAMConfigList\n plural: ipamconfigs\n + \ singular: ipamconfig\n scope: Cluster\n versions:\n - name: v1\n schema:\n + \ openAPIV3Schema:\n properties:\n 
apiVersion:\n description: + 'APIVersion defines the versioned schema of this representation\n of + an object. Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: IPAMConfigSpec contains the specification + for an IPAMConfig\n resource.\n properties:\n autoAllocateBlocks:\n + \ type: boolean\n maxBlocksPerHost:\n description: + MaxBlocksPerHost, if non-zero, is the max number of blocks\n that + can be affine to each host.\n type: integer\n strictAffinity:\n + \ type: boolean\n required:\n - autoAllocateBlocks\n + \ - strictAffinity\n type: object\n type: + object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: + \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: ipamhandles.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: IPAMHandle\n listKind: IPAMHandleList\n plural: ipamhandles\n + \ singular: ipamhandle\n scope: Cluster\n versions:\n - name: v1\n schema:\n + \ openAPIV3Schema:\n properties:\n apiVersion:\n description: + 'APIVersion defines the versioned schema of this representation\n of + an object. Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: IPAMHandleSpec contains the specification + for an IPAMHandle\n resource.\n properties:\n block:\n + \ additionalProperties:\n type: integer\n type: + object\n deleted:\n type: boolean\n handleID:\n + \ type: string\n required:\n - block\n + \ - handleID\n type: object\n type: object\n + \ served: true\n storage: true\nstatus:\n acceptedNames:\n kind: + \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: ippools.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: IPPool\n listKind: IPPoolList\n plural: ippools\n singular: + ippool\n scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n + \ properties:\n apiVersion:\n description: 'APIVersion + defines the versioned schema of this representation\n of an object. + Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: IPPoolSpec contains the specification + for an IPPool resource.\n properties:\n blockSize:\n + \ description: The block size to use for IP address assignments + from\n this pool. Defaults to 26 for IPv4 and 112 for IPv6.\n + \ type: integer\n cidr:\n description: + The pool CIDR.\n type: string\n disabled:\n description: + When disabled is true, Calico IPAM will not assign addresses\n from + this pool.\n type: boolean\n ipip:\n description: + 'Deprecated: this field is only used for APIv1 backwards\n compatibility. + Setting this field is not allowed, this field is\n for internal + use only.'\n properties:\n enabled:\n description: + When enabled is true, ipip tunneling will be used\n to + deliver packets to destinations within this pool.\n type: + boolean\n mode:\n description: The IPIP + mode. This can be one of \"always\" or \"cross-subnet\". A\n mode + of \"always\" will also use IPIP tunneling for routing to\n destination + IP addresses within this pool. A mode of \"cross-subnet\"\n will + only use IPIP tunneling when the destination node is on\n a + different subnet to the originating node. The default value\n (if + not specified) is \"always\".\n type: string\n type: + object\n ipipMode:\n description: Contains configuration + for IPIP tunneling for this pool.\n If not specified, then + this is defaulted to \"Never\" (i.e. IPIP tunneling\n is disabled).\n + \ type: string\n nat-outgoing:\n description: + 'Deprecated: this field is only used for APIv1 backwards\n compatibility. 
+ Setting this field is not allowed, this field is\n for internal + use only.'\n type: boolean\n natOutgoing:\n description: + When nat-outgoing is true, packets sent from Calico networked\n containers + in this pool to destinations outside of this pool will\n be + masqueraded.\n type: boolean\n nodeSelector:\n + \ description: Allows IPPool to allocate for a specific node by + label\n selector.\n type: string\n vxlanMode:\n + \ description: Contains configuration for VXLAN tunneling for + this pool.\n If not specified, then this is defaulted to \"Never\" + (i.e. VXLAN\n tunneling is disabled).\n type: + string\n required:\n - cidr\n type: object\n + \ type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n + \ kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: kubecontrollersconfigurations.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: KubeControllersConfiguration\n listKind: KubeControllersConfigurationList\n + \ plural: kubecontrollersconfigurations\n singular: kubecontrollersconfiguration\n + \ scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n + \ properties:\n apiVersion:\n description: 'APIVersion + defines the versioned schema of this representation\n of an object. + Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: KubeControllersConfigurationSpec + contains the values of the\n Kubernetes controllers configuration.\n + \ properties:\n controllers:\n description: + Controllers enables and configures individual Kubernetes\n controllers\n + \ properties:\n namespace:\n description: + Namespace enables and configures the namespace controller.\n Enabled + by default, set to nil to disable.\n properties:\n reconcilerPeriod:\n + \ description: 'ReconcilerPeriod is the period to perform + reconciliation\n with the Calico datastore. [Default: + 5m]'\n type: string\n type: object\n + \ node:\n description: Node enables and + configures the node controller.\n Enabled by default, set + to nil to disable.\n properties:\n hostEndpoint:\n + \ description: HostEndpoint controls syncing nodes to + host endpoints.\n Disabled by default, set to nil to + disable.\n properties:\n autoCreate:\n + \ description: 'AutoCreate enables automatic creation + of\n host endpoints for every node. [Default: Disabled]'\n + \ type: string\n type: object\n + \ reconcilerPeriod:\n description: + 'ReconcilerPeriod is the period to perform reconciliation\n with + the Calico datastore. [Default: 5m]'\n type: string\n + \ syncLabels:\n description: 'SyncLabels + controls whether to copy Kubernetes\n node labels to + Calico nodes. [Default: Enabled]'\n type: string\n type: + object\n policy:\n description: Policy + enables and configures the policy controller.\n Enabled + by default, set to nil to disable.\n properties:\n reconcilerPeriod:\n + \ description: 'ReconcilerPeriod is the period to perform + reconciliation\n with the Calico datastore. [Default: + 5m]'\n type: string\n type: object\n + \ serviceAccount:\n description: ServiceAccount + enables and configures the service\n account controller. 
+ Enabled by default, set to nil to disable.\n properties:\n + \ reconcilerPeriod:\n description: + 'ReconcilerPeriod is the period to perform reconciliation\n with + the Calico datastore. [Default: 5m]'\n type: string\n + \ type: object\n workloadEndpoint:\n description: + WorkloadEndpoint enables and configures the workload\n endpoint + controller. Enabled by default, set to nil to disable.\n properties:\n + \ reconcilerPeriod:\n description: + 'ReconcilerPeriod is the period to perform reconciliation\n with + the Calico datastore. [Default: 5m]'\n type: string\n + \ type: object\n type: object\n etcdV3CompactionPeriod:\n + \ description: 'EtcdV3CompactionPeriod is the period between etcdv3\n + \ compaction requests. Set to 0 to disable. [Default: 10m]'\n + \ type: string\n healthChecks:\n description: + 'HealthChecks enables or disables support for health\n checks + [Default: Enabled]'\n type: string\n logSeverityScreen:\n + \ description: 'LogSeverityScreen is the log severity above which + logs\n are sent to the stdout. [Default: Info]'\n type: + string\n prometheusMetricsPort:\n description: + 'PrometheusMetricsPort is the TCP port that the Prometheus\n metrics + server should bind to. Set to 0 to disable. [Default: 9094]'\n type: + integer\n required:\n - controllers\n type: + object\n status:\n description: KubeControllersConfigurationStatus + represents the status\n of the configuration. 
It's useful for admins + to be able to see the actual\n config that was applied, which can + be modified by environment variables\n on the kube-controllers + process.\n properties:\n environmentVars:\n additionalProperties:\n + \ type: string\n description: EnvironmentVars + contains the environment variables on\n the kube-controllers + that influenced the RunningConfig.\n type: object\n runningConfig:\n + \ description: RunningConfig contains the effective config that + is running\n in the kube-controllers pod, after merging the + API resource with\n any environment variables.\n properties:\n + \ controllers:\n description: Controllers + enables and configures individual Kubernetes\n controllers\n + \ properties:\n namespace:\n description: + Namespace enables and configures the namespace\n controller. + Enabled by default, set to nil to disable.\n properties:\n + \ reconcilerPeriod:\n description: + 'ReconcilerPeriod is the period to perform\n reconciliation + with the Calico datastore. [Default:\n 5m]'\n type: + string\n type: object\n node:\n + \ description: Node enables and configures the node controller.\n + \ Enabled by default, set to nil to disable.\n properties:\n + \ hostEndpoint:\n description: + HostEndpoint controls syncing nodes to host\n endpoints. + Disabled by default, set to nil to disable.\n properties:\n + \ autoCreate:\n description: + 'AutoCreate enables automatic creation\n of host + endpoints for every node. [Default: Disabled]'\n type: + string\n type: object\n leakGracePeriod:\n + \ description: 'LeakGracePeriod is the period used + by the\n controller to determine if an IP address + has been leaked.\n Set to 0 to disable IP garbage + collection. [Default:\n 15m]'\n type: + string\n reconcilerPeriod:\n description: + 'ReconcilerPeriod is the period to perform\n reconciliation + with the Calico datastore. 
[Default:\n 5m]'\n type: + string\n syncLabels:\n description: + 'SyncLabels controls whether to copy Kubernetes\n node + labels to Calico nodes. [Default: Enabled]'\n type: + string\n type: object\n policy:\n + \ description: Policy enables and configures the policy + controller.\n Enabled by default, set to nil to disable.\n + \ properties:\n reconcilerPeriod:\n + \ description: 'ReconcilerPeriod is the period to + perform\n reconciliation with the Calico datastore. + [Default:\n 5m]'\n type: + string\n type: object\n serviceAccount:\n + \ description: ServiceAccount enables and configures the + service\n account controller. Enabled by default, set + to nil to disable.\n properties:\n reconcilerPeriod:\n + \ description: 'ReconcilerPeriod is the period to + perform\n reconciliation with the Calico datastore. + [Default:\n 5m]'\n type: + string\n type: object\n workloadEndpoint:\n + \ description: WorkloadEndpoint enables and configures + the workload\n endpoint controller. Enabled by default, + set to nil to disable.\n properties:\n reconcilerPeriod:\n + \ description: 'ReconcilerPeriod is the period to + perform\n reconciliation with the Calico datastore. + [Default:\n 5m]'\n type: + string\n type: object\n type: object\n + \ etcdV3CompactionPeriod:\n description: + 'EtcdV3CompactionPeriod is the period between etcdv3\n compaction + requests. Set to 0 to disable. [Default: 10m]'\n type: string\n + \ healthChecks:\n description: 'HealthChecks + enables or disables support for health\n checks [Default: + Enabled]'\n type: string\n logSeverityScreen:\n + \ description: 'LogSeverityScreen is the log severity above + which\n logs are sent to the stdout. [Default: Info]'\n type: + string\n prometheusMetricsPort:\n description: + 'PrometheusMetricsPort is the TCP port that the Prometheus\n metrics + server should bind to. Set to 0 to disable. 
[Default:\n 9094]'\n + \ type: integer\n required:\n - + controllers\n type: object\n type: object\n type: + object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: + \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: + apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n + \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n + \ name: networkpolicies.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: + networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n + \ - name: v1\n schema:\n openAPIV3Schema:\n properties:\n + \ apiVersion:\n description: 'APIVersion defines the versioned + schema of this representation\n of an object. Servers should convert + recognized schemas to the latest\n internal value, and may reject + unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n properties:\n egress:\n description: + The ordered set of egress rules. Each rule contains\n a set + of packet match criteria and a corresponding action to apply.\n items:\n + \ description: \"A Rule encapsulates a set of match criteria + and an\n action. Both selector-based security Policy and security + Profiles\n reference rules - separated out as a list of rules + for both ingress\n and egress packet matching. \\n Each positive + match criteria has\n a negated version, prefixed with ”Not”. 
+ All the match criteria\n within a rule must be satisfied for + a packet to match. A single\n rule can contain the positive + and negative version of a match\n and both must be satisfied + for the rule to match.\"\n properties:\n action:\n + \ type: string\n destination:\n description: + Destination contains the match criteria that apply\n to + destination entity.\n properties:\n namespaceSelector:\n + \ description: \"NamespaceSelector is an optional field + that\n contains a selector expression. Only traffic + that originates\n from (or terminates at) endpoints + within the selected\n namespaces will be matched. When + both NamespaceSelector\n and Selector are defined on + the same rule, then only workload\n endpoints that + are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. 
+ Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. 
\\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. 
If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n http:\n description: + HTTP contains match criteria that apply to HTTP\n requests.\n + \ properties:\n methods:\n description: + Methods is an optional field that restricts\n the + rule to apply only to HTTP requests that use one of\n the + listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods + are OR'd together.\n items:\n type: + string\n type: array\n paths:\n + \ description: 'Paths is an optional field that restricts\n + \ the rule to apply to HTTP requests that use one of + the\n listed HTTP Paths. Multiple paths are OR''d together.\n + \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry + may\n ONLY specify either a `exact` or a `prefix` match. + The\n validator will check for it.'\n items:\n + \ description: 'HTTPPath specifies an HTTP path to + match.\n It may be either of the form: exact: : + which matches\n the path exactly or prefix: : + which matches\n the path prefix'\n properties:\n + \ exact:\n type: + string\n prefix:\n type: + string\n type: object\n type: + array\n type: object\n icmp:\n description: + ICMP is an optional field that restricts the rule\n to + apply to a specific type and code of ICMP traffic. This\n should + only be specified if the Protocol field is set to \"ICMP\"\n or + \"ICMPv6\".\n properties:\n code:\n + \ description: Match on a specific ICMP code. If specified,\n + \ the Type value must also be specified. This is a + technical\n limitation imposed by the kernel’s iptables + firewall,\n which Calico uses to enforce the rule.\n + \ type: integer\n type:\n description: + Match on a specific ICMP type. For example\n a value + of 8 refers to ICMP Echo Request (i.e. 
pings).\n type: + integer\n type: object\n ipVersion:\n + \ description: IPVersion is an optional field that restricts + the\n rule to only match a specific IP version.\n type: + integer\n metadata:\n description: + Metadata contains additional information for this\n rule\n + \ properties:\n annotations:\n + \ additionalProperties:\n type: + string\n description: Annotations is a set of key value + pairs that\n give extra information about the rule\n + \ type: object\n type: object\n + \ notICMP:\n description: NotICMP is + the negated version of the ICMP field.\n properties:\n + \ code:\n description: Match + on a specific ICMP code. If specified,\n the Type + value must also be specified. This is a technical\n limitation + imposed by the kernel’s iptables firewall,\n which + Calico uses to enforce the rule.\n type: integer\n + \ type:\n description: Match + on a specific ICMP type. For example\n a value of + 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n notProtocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: NotProtocol is the negated + version of the Protocol\n field.\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n protocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: \"Protocol is an optional field + that restricts the\n rule to only apply to traffic of a + specific IP protocol. Required\n if any of the EntityRules + contain Ports (because ports only\n apply to certain protocols). + \\n Must be one of these string\n values: \\\"TCP\\\", + \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" + or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n source:\n description: Source + contains the match criteria that apply to\n source entity.\n + \ properties:\n namespaceSelector:\n + \ description: \"NamespaceSelector is an optional field + that\n contains a selector expression. 
Only traffic + that originates\n from (or terminates at) endpoints + within the selected\n namespaces will be matched. When + both NamespaceSelector\n and Selector are defined on + the same rule, then only workload\n endpoints that + are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. + Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. 
\\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. \\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n 
account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n required:\n + \ - action\n type: object\n type: + array\n ingress:\n description: The ordered set + of ingress rules. Each rule contains\n a set of packet match + criteria and a corresponding action to apply.\n items:\n description: + \"A Rule encapsulates a set of match criteria and an\n action. + \ Both selector-based security Policy and security Profiles\n reference + rules - separated out as a list of rules for both ingress\n and + egress packet matching. \\n Each positive match criteria has\n a + negated version, prefixed with ”Not”. All the match criteria\n within + a rule must be satisfied for a packet to match. 
A single\n rule + can contain the positive and negative version of a match\n and + both must be satisfied for the rule to match.\"\n properties:\n + \ action:\n type: string\n destination:\n + \ description: Destination contains the match criteria that + apply\n to destination entity.\n properties:\n + \ namespaceSelector:\n description: + \"NamespaceSelector is an optional field that\n contains + a selector expression. Only traffic that originates\n from + (or terminates at) endpoints within the selected\n namespaces + will be matched. When both NamespaceSelector\n and + Selector are defined on the same rule, then only workload\n endpoints + that are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. 
+ Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. \\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. 
\\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. 
If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n http:\n description: + HTTP contains match criteria that apply to HTTP\n requests.\n + \ properties:\n methods:\n description: + Methods is an optional field that restricts\n the + rule to apply only to HTTP requests that use one of\n the + listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods + are OR'd together.\n items:\n type: + string\n type: array\n paths:\n + \ description: 'Paths is an optional field that restricts\n + \ the rule to apply to HTTP requests that use one of + the\n listed HTTP Paths. Multiple paths are OR''d together.\n + \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry + may\n ONLY specify either a `exact` or a `prefix` match. + The\n validator will check for it.'\n items:\n + \ description: 'HTTPPath specifies an HTTP path to + match.\n It may be either of the form: exact: : + which matches\n the path exactly or prefix: : + which matches\n the path prefix'\n properties:\n + \ exact:\n type: + string\n prefix:\n type: + string\n type: object\n type: + array\n type: object\n icmp:\n description: + ICMP is an optional field that restricts the rule\n to + apply to a specific type and code of ICMP traffic. This\n should + only be specified if the Protocol field is set to \"ICMP\"\n or + \"ICMPv6\".\n properties:\n code:\n + \ description: Match on a specific ICMP code. If specified,\n + \ the Type value must also be specified. This is a + technical\n limitation imposed by the kernel’s iptables + firewall,\n which Calico uses to enforce the rule.\n + \ type: integer\n type:\n description: + Match on a specific ICMP type. For example\n a value + of 8 refers to ICMP Echo Request (i.e. 
pings).\n type: + integer\n type: object\n ipVersion:\n + \ description: IPVersion is an optional field that restricts + the\n rule to only match a specific IP version.\n type: + integer\n metadata:\n description: + Metadata contains additional information for this\n rule\n + \ properties:\n annotations:\n + \ additionalProperties:\n type: + string\n description: Annotations is a set of key value + pairs that\n give extra information about the rule\n + \ type: object\n type: object\n + \ notICMP:\n description: NotICMP is + the negated version of the ICMP field.\n properties:\n + \ code:\n description: Match + on a specific ICMP code. If specified,\n the Type + value must also be specified. This is a technical\n limitation + imposed by the kernel’s iptables firewall,\n which + Calico uses to enforce the rule.\n type: integer\n + \ type:\n description: Match + on a specific ICMP type. For example\n a value of + 8 refers to ICMP Echo Request (i.e. pings).\n type: + integer\n type: object\n notProtocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: NotProtocol is the negated + version of the Protocol\n field.\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n protocol:\n + \ anyOf:\n - type: integer\n - + type: string\n description: \"Protocol is an optional field + that restricts the\n rule to only apply to traffic of a + specific IP protocol. Required\n if any of the EntityRules + contain Ports (because ports only\n apply to certain protocols). + \\n Must be one of these string\n values: \\\"TCP\\\", + \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" + or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n source:\n description: Source + contains the match criteria that apply to\n source entity.\n + \ properties:\n namespaceSelector:\n + \ description: \"NamespaceSelector is an optional field + that\n contains a selector expression. 
Only traffic + that originates\n from (or terminates at) endpoints + within the selected\n namespaces will be matched. When + both NamespaceSelector\n and Selector are defined on + the same rule, then only workload\n endpoints that + are matched by both selectors will be selected\n by + the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies + that the Selector is limited to selecting only\n workload + endpoints in the same namespace as the NetworkPolicy.\n \\n + For NetworkPolicy, `global()` NamespaceSelector implies\n that + the Selector is limited to selecting only GlobalNetworkSet\n or + HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector + implies the Selector applies to workload\n endpoints + across all namespaces.\"\n type: string\n nets:\n + \ description: Nets is an optional field that restricts + the\n rule to only apply to traffic that originates + from (or\n terminates at) IP addresses in any of + the given subnets.\n items:\n type: + string\n type: array\n notNets:\n + \ description: NotNets is the negated version of the + Nets\n field.\n items:\n + \ type: string\n type: + array\n notPorts:\n description: + NotPorts is the negated version of the Ports\n field. + Since only some protocols have ports, if any ports\n are + specified it requires the Protocol match in the Rule\n to + be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n + \ - type: integer\n - + type: string\n pattern: ^.*\n x-kubernetes-int-or-string: + true\n type: array\n notSelector:\n + \ description: NotSelector is the negated version of + the Selector\n field. See Selector field for subtleties + with negated\n selectors.\n type: + string\n ports:\n description: + \"Ports is an optional field that restricts\n the rule + to only apply to traffic that has a source (destination)\n port + that matches one of these ranges/values. This value\n is + a list of integers or strings that represent ranges\n of + ports. 
\\n Since only some protocols have ports, if\n any + ports are specified it requires the Protocol match\n in + the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n + \ anyOf:\n - type: + integer\n - type: string\n pattern: + ^.*\n x-kubernetes-int-or-string: true\n type: + array\n selector:\n description: + \"Selector is an optional field that contains\n a selector + expression (see Policy for sample syntax).\n \\ Only + traffic that originates from (terminates at) endpoints\n matching + the selector will be matched. \\n Note that: in\n addition + to the negated version of the Selector (see NotSelector\n below), + the selector expression syntax itself supports\n negation. + \ The two types of negation are subtly different.\n One + negates the set of matched endpoints, the other negates\n the + whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets + that are from other Calico-controlled \\tendpoints\n that + do not have the label “my_label”. \\n \\tNotSelector\n = + \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled + \\tendpoints that do have the label “my_label”.\n \\n + The effect is that the latter will accept packets from\n non-Calico + sources whereas the former is limited to packets\n from + Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n + \ description: ServiceAccounts is an optional field + that restricts\n the rule to only apply to traffic + that originates from\n (or terminates at) a pod running + as a matching service\n account.\n properties:\n + \ names:\n description: + Names is an optional field that restricts\n the + rule to only apply to traffic that originates\n from + (or terminates at) a pod running as a service\n account + whose name is in the list.\n items:\n type: + string\n type: array\n selector:\n + \ description: Selector is an optional field that + restricts\n the rule to only apply to traffic + that originates\n from (or terminates at) a pod + running as a service\n 
account that matches the + given label selector. If\n both Names and Selector + are specified then they are\n AND'ed.\n type: + string\n type: object\n services:\n + \ description: \"Services is an optional field that + contains\n options for matching Kubernetes Services. + If specified,\n only traffic that originates from + or terminates at endpoints\n within the selected + service(s) will be matched, and only\n to/from each + endpoint's port. \\n Services cannot be specified\n on + the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, + NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only + valid on egress rules.\"\n properties:\n name:\n + \ description: Name specifies the name of a Kubernetes\n + \ Service to match.\n type: + string\n namespace:\n description: + Namespace specifies the namespace of the\n given + Service. If left empty, the rule will match\n within + this policy's namespace.\n type: string\n type: + object\n type: object\n required:\n + \ - action\n type: object\n type: + array\n order:\n description: Order is an optional + field that specifies the order in\n which the policy is applied. + Policies with higher \"order\" are applied\n after those with + lower order. If the order is omitted, it may be\n considered + to be \"infinite\" - i.e. the policy will be applied last. Policies\n with + identical order will be applied in alphanumerical order based\n on + the Policy \"Name\".\n type: number\n selector:\n + \ description: \"The selector is an expression used to pick pick + out\n the endpoints that the policy should be applied to. \\n + Selector\n expressions follow this syntax: \\n \\tlabel == \\\"string_literal\\\"\n + \ \\ -> comparison, e.g. my_label == \\\"foo bar\\\" \\tlabel + != \\\"string_literal\\\"\n \\ -> not equal; also matches if + label is not present \\tlabel in\n { \\\"a\\\", \\\"b\\\", \\\"c\\\", + ... 
} -> true if the value of label X is\n one of \\\"a\\\", + \\\"b\\\", \\\"c\\\" \\tlabel not in { \\\"a\\\", \\\"b\\\", \\\"c\\\",\n ... + } -> true if the value of label X is not one of \\\"a\\\", \\\"b\\\",\n \\\"c\\\" + \\thas(label_name) -> True if that label is present \\t! expr\n -> + negation of expr \\texpr && expr -> Short-circuit and \\texpr\n || + expr -> Short-circuit or \\t( expr ) -> parens for grouping \\tall()\n or + the empty selector -> matches all endpoints. \\n Label names are\n allowed + to contain alphanumerics, -, _ and /. String literals are\n more + permissive but they do not support escape characters. \\n Examples\n (with + made-up labels): \\n \\ttype == \\\"webserver\\\" && deployment\n == + \\\"prod\\\" \\ttype in {\\\"frontend\\\", \\\"backend\\\"} \\tdeployment !=\n + \ \\\"dev\\\" \\t! has(label_name)\"\n type: + string\n serviceAccountSelector:\n description: + ServiceAccountSelector is an optional field for an expression\n used + to select a pod based on service accounts.\n type: string\n types:\n + \ description: \"Types indicates whether this policy applies to + ingress,\n or to egress, or to both. When not explicitly specified + (and so\n the value on creation is empty or nil), Calico defaults + Types according\n to what Ingress and Egress are present in the + policy. 
The default\n is: \\n - [ PolicyTypeIngress ], if there + are no Egress rules (including\n the case where there are also + no Ingress rules) \\n - [ PolicyTypeEgress\n ], if there are + Egress rules but no Ingress rules \\n - [ PolicyTypeIngress,\n PolicyTypeEgress + ], if there are both Ingress and Egress rules.\n \\n When the + policy is read back again, Types will always be one\n of these + values, never empty or nil.\"\n items:\n description: + PolicyType enumerates the possible values of the PolicySpec\n Types + field.\n type: string\n type: array\n type: + object\n type: object\n served: true\n storage: true\nstatus:\n + \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: + []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n + \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: + null\n name: networksets.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n + \ names:\n kind: NetworkSet\n listKind: NetworkSetList\n plural: networksets\n + \ singular: networkset\n scope: Namespaced\n versions:\n - name: v1\n schema:\n + \ openAPIV3Schema:\n description: NetworkSet is the Namespaced-equivalent + of the GlobalNetworkSet.\n properties:\n apiVersion:\n description: + 'APIVersion defines the versioned schema of this representation\n of + an object. Servers should convert recognized schemas to the latest\n internal + value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n + \ type: string\n kind:\n description: 'Kind + is a string value representing the REST resource this\n object represents. + Servers may infer this from the endpoint the client\n submits requests + to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n + \ type: string\n metadata:\n type: object\n + \ spec:\n description: NetworkSetSpec contains the specification + for a NetworkSet\n resource.\n properties:\n nets:\n + \ description: The list of IP networks that belong to this set.\n + \ items:\n type: string\n type: + array\n type: object\n type: object\n served: true\n + \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n + \ conditions: []\n storedVersions: []\n\n---\n---\n# Source: calico/templates/calico-kube-controllers-rbac.yaml\n\n# + Include a clusterrole for the kube-controllers component,\n# and bind it to the + calico-kube-controllers serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n + \ name: calico-kube-controllers\nrules:\n # Nodes are watched to monitor for + deletions.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n + \ - watch\n - list\n - get\n # Pods are watched to check for existence + as part of IPAM controller.\n - apiGroups: [\"\"]\n resources:\n - pods\n + \ verbs:\n - get\n - list\n - watch\n # IPAM resources are manipulated + when nodes are deleted.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n + \ - ippools\n verbs:\n - list\n - apiGroups: [\"crd.projectcalico.org\"]\n + \ resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n + \ verbs:\n - get\n - list\n - create\n - update\n - + delete\n - watch\n # kube-controllers manages hostendpoints.\n - apiGroups: + [\"crd.projectcalico.org\"]\n resources:\n - hostendpoints\n verbs:\n + \ - get\n - list\n - create\n - update\n - delete\n # + Needs access to update clusterinformations.\n - apiGroups: [\"crd.projectcalico.org\"]\n + \ resources:\n - clusterinformations\n verbs:\n - get\n - + create\n - update\n # KubeControllersConfiguration is where it gets its + config\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - 
kubecontrollersconfigurations\n + \ verbs:\n # read its own config\n - get\n # create a default + if none exists\n - create\n # update status\n - update\n # + watch for changes\n - watch\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n + \ name: calico-kube-controllers\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n + \ kind: ClusterRole\n name: calico-kube-controllers\nsubjects:\n - kind: ServiceAccount\n + \ name: calico-kube-controllers\n namespace: kube-system\n---\n\n---\n# Source: + calico/templates/calico-node-rbac.yaml\n# Include a clusterrole for the calico-node + DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: + rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-node\nrules:\n # The + CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n + \ resources:\n - pods\n - nodes\n - namespaces\n verbs:\n + \ - get\n # EndpointSlices are used for Service-based network policy rule\n + \ # enforcement.\n - apiGroups: [\"discovery.k8s.io\"]\n resources:\n - + endpointslices\n verbs:\n - watch\n - list\n - apiGroups: [\"\"]\n + \ resources:\n - endpoints\n - services\n verbs:\n # Used + to discover service IPs for advertisement.\n - watch\n - list\n # + Used to discover Typhas.\n - get\n # Pod CIDR auto-detection on kubeadm + needs access to config maps.\n - apiGroups: [\"\"]\n resources:\n - configmaps\n + \ verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n + \ verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - + patch\n # Calico stores some configuration information in node annotations.\n + \ - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: + [\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n + \ - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: + [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n + \ verbs:\n - list\n - watch\n # The CNI 
plugin patches pods/status.\n + \ - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - + patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n + \ resources:\n - globalfelixconfigs\n - felixconfigurations\n - + bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n + \ - ipamblocks\n - globalnetworkpolicies\n - globalnetworksets\n + \ - networkpolicies\n - networksets\n - clusterinformations\n - + hostendpoints\n - blockaffinities\n verbs:\n - get\n - list\n + \ - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: + [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n + \ - clusterinformations\n verbs:\n - create\n - update\n # Calico + stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n + \ - nodes\n verbs:\n - get\n - list\n - watch\n # These + permissions are only required for upgrade from v2.6, and can\n # be removed after + upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n + \ resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - + create\n - update\n # These permissions are required for Calico CNI to perform + IPAM allocations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n + \ - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n + \ - get\n - list\n - create\n - update\n - delete\n - + apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ipamconfigs\n + \ verbs:\n - get\n # Block affinities must also be watchable by confd + for route aggregation.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n + \ - blockaffinities\n verbs:\n - watch\n # The Calico IPAM migration + needs to get daemonsets. 
These permissions can be\n # removed if not upgrading + from an installation using host-local IPAM.\n - apiGroups: [\"apps\"]\n resources:\n + \ - daemonsets\n verbs:\n - get\n\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: + ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n + \ kind: ClusterRole\n name: calico-node\nsubjects:\n - kind: ServiceAccount\n + \ name: calico-node\n namespace: kube-system\n\n---\n# Source: calico/templates/calico-node.yaml\n# + This manifest installs the calico-node container, as well\n# as the CNI plugins + and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: + DaemonSet\napiVersion: apps/v1\nmetadata:\n name: calico-node\n namespace: kube-system\n + \ labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: + calico-node\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n + \ maxUnavailable: 1\n template:\n metadata:\n labels:\n k8s-app: + calico-node\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n + \ hostNetwork: true\n tolerations:\n # Make sure calico-node gets + scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n + \ # Mark the pod as a critical add-on for rescheduling.\n - key: + CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n + \ operator: Exists\n serviceAccountName: calico-node\n # Minimize + downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n + \ # deletion\": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n + \ terminationGracePeriodSeconds: 0\n priorityClassName: system-node-critical\n + \ initContainers:\n # This container performs upgrade from host-local + IPAM to calico-ipam.\n # It can be deleted if this is a fresh installation, + or if you have already\n # upgraded to use calico-ipam.\n - name: + upgrade-ipam\n image: calico/cni:v3.20.0\n command: [\"/opt/cni/bin/calico-ipam\", + \"-upgrade\"]\n envFrom:\n - 
configMapRef:\n # + Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for + eBPF mode.\n name: kubernetes-services-endpoint\n optional: + true\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n + \ fieldRef:\n fieldPath: spec.nodeName\n - + name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n + \ name: calico-config\n key: calico_backend\n + \ volumeMounts:\n - mountPath: /var/lib/cni/networks\n name: + host-local-net-dir\n - mountPath: /host/opt/cni/bin\n name: + cni-bin-dir\n securityContext:\n privileged: true\n # + This container installs the CNI binaries\n # and CNI network config file + on each node.\n - name: install-cni\n image: calico/cni:v3.20.0\n + \ command: [\"/opt/cni/bin/install\"]\n envFrom:\n - + configMapRef:\n # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT + to be overridden for eBPF mode.\n name: kubernetes-services-endpoint\n + \ optional: true\n env:\n # Name of the CNI + config file to create.\n - name: CNI_CONF_NAME\n value: + \"10-calico.conflist\"\n # The CNI network config to install on each + node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n + \ name: calico-config\n key: cni_network_config\n + \ # Set the hostname based on the k8s node name.\n - name: + KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: + spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n + \ valueFrom:\n configMapKeyRef:\n name: + calico-config\n key: veth_mtu\n # Prevents the container + from sleeping forever.\n - name: SLEEP\n value: \"false\"\n + \ volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: + cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: + cni-net-dir\n securityContext:\n privileged: true\n # + Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes\n + \ # to communicate with Felix over the Policy Sync API.\n - name: + flexvol-driver\n image: calico/pod2daemon-flexvol:v3.20.0\n volumeMounts:\n + \ - name: 
flexvol-driver-host\n mountPath: /host/driver\n + \ securityContext:\n privileged: true\n containers:\n + \ # Runs calico-node container on each Kubernetes node. This\n # + container programs network policy and routes on each\n # host.\n - + name: calico-node\n image: calico/node:v3.20.0\n envFrom:\n + \ - configMapRef:\n # Allow KUBERNETES_SERVICE_HOST and + KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.\n name: + kubernetes-services-endpoint\n optional: true\n env:\n + \ # Use Kubernetes API as the backing datastore.\n - name: + DATASTORE_TYPE\n value: \"kubernetes\"\n # Wait for the + datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n + \ # Set based on the k8s node name.\n - name: NODENAME\n + \ valueFrom:\n fieldRef:\n fieldPath: + spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n + \ valueFrom:\n configMapKeyRef:\n name: + calico-config\n key: calico_backend\n # Cluster type + to identify the deployment type\n - name: CLUSTER_TYPE\n value: + \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: + IP\n value: \"autodetect\"\n # Enable VXLAN\n - + name: CALICO_IPV4POOL_VXLAN\n value: \"Always\"\n # Set + MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n + \ valueFrom:\n configMapKeyRef:\n name: + calico-config\n key: veth_mtu\n # Set MTU for the + VXLAN tunnel device.\n - name: FELIX_VXLANMTU\n valueFrom:\n + \ configMapKeyRef:\n name: calico-config\n key: + veth_mtu\n # Set MTU for the Wireguard tunnel device.\n - + name: FELIX_WIREGUARDMTU\n valueFrom:\n configMapKeyRef:\n + \ name: calico-config\n key: veth_mtu\n # + The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # + chosen from this range. Changing this value after installation will have\n # + no effect. 
This should fall within `--cluster-cidr`.\n # - name: CALICO_IPV4POOL_CIDR\n + \ # value: \"192.168.0.0/16\"\n # Disable file logging + so `kubectl logs` works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: + \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n + \ - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n + \ # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n + \ value: \"false\"\n - name: FELIX_FEATUREDETECTOVERRIDE\n + \ value: \"ChecksumOffloadBroken=true\"\n - name: FELIX_HEALTHENABLED\n + \ value: \"true\"\n securityContext:\n privileged: + true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n + \ exec:\n command:\n - /bin/calico-node\n + \ - -felix-live\n periodSeconds: 10\n initialDelaySeconds: + 10\n failureThreshold: 6\n readinessProbe:\n exec:\n + \ command:\n - /bin/calico-node\n - + -felix-ready\n periodSeconds: 10\n volumeMounts:\n - + mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n readOnly: + false\n - mountPath: /lib/modules\n name: lib-modules\n + \ readOnly: true\n - mountPath: /run/xtables.lock\n name: + xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n + \ name: var-run-calico\n readOnly: false\n - + mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: + false\n - name: policysync\n mountPath: /var/run/nodeagent\n + \ # For eBPF mode, we need to be able to mount the BPF filesystem at + /sys/fs/bpf so we mount in the\n # parent directory.\n - + name: sysfs\n mountPath: /sys/fs/\n # Bidirectional + means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to + the host.\n # If the host is known to mount that filesystem already + then Bidirectional can be omitted.\n mountPropagation: Bidirectional\n + \ - name: cni-log-dir\n mountPath: /var/log/calico/cni\n + \ readOnly: true\n volumes:\n # Used by calico-node.\n + \ - name: lib-modules\n hostPath:\n path: /lib/modules\n + \ - name: var-run-calico\n hostPath:\n path: /var/run/calico\n + \ - name: 
var-lib-calico\n hostPath:\n path: /var/lib/calico\n + \ - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n + \ type: FileOrCreate\n - name: sysfs\n hostPath:\n path: + /sys/fs/\n type: DirectoryOrCreate\n # Used to install CNI.\n + \ - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n + \ - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n + \ # Used to access CNI logs.\n - name: cni-log-dir\n hostPath:\n + \ path: /var/log/calico/cni\n # Mount in the directory for host-local + IPAM allocations. This is\n # used when upgrading from host-local to calico-ipam, + and can be removed\n # if not using the upgrade-ipam init container.\n + \ - name: host-local-net-dir\n hostPath:\n path: /var/lib/cni/networks\n + \ # Used to create per-pod Unix Domain Sockets\n - name: policysync\n + \ hostPath:\n type: DirectoryOrCreate\n path: /var/run/nodeagent\n + \ # Used to install Flex Volume Driver\n - name: flexvol-driver-host\n + \ hostPath:\n type: DirectoryOrCreate\n path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds\n---\n\napiVersion: + v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n\n---\n# + Source: calico/templates/calico-kube-controllers.yaml\n# See https://github.com/projectcalico/kube-controllers\napiVersion: + apps/v1\nkind: Deployment\nmetadata:\n name: calico-kube-controllers\n namespace: + kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n # The controllers + can only have a single active instance.\n replicas: 1\n selector:\n matchLabels:\n + \ k8s-app: calico-kube-controllers\n strategy:\n type: Recreate\n template:\n + \ metadata:\n name: calico-kube-controllers\n namespace: kube-system\n + \ labels:\n k8s-app: calico-kube-controllers\n spec:\n nodeSelector:\n + \ kubernetes.io/os: linux\n tolerations:\n # Mark the pod as + a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: + Exists\n - key: node-role.kubernetes.io/master\n effect: NoSchedule\n + \ 
serviceAccountName: calico-kube-controllers\n priorityClassName: system-cluster-critical\n + \ containers:\n - name: calico-kube-controllers\n image: calico/kube-controllers:v3.20.0\n + \ env:\n # Choose which controllers to run.\n - + name: ENABLED_CONTROLLERS\n value: node\n - name: DATASTORE_TYPE\n + \ value: kubernetes\n livenessProbe:\n exec:\n + \ command:\n - /usr/bin/check-status\n - + -l\n periodSeconds: 10\n initialDelaySeconds: 10\n failureThreshold: + 6\n timeoutSeconds: 10\n readinessProbe:\n exec:\n + \ command:\n - /usr/bin/check-status\n - + -r\n periodSeconds: 10\n\n---\n\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n + \ name: calico-kube-controllers\n namespace: kube-system\n\n---\n\n# This manifest + creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler + to evict\n\napiVersion: policy/v1beta1\nkind: PodDisruptionBudget\nmetadata:\n + \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: + calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n + \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" +kind: ConfigMap +metadata: + creationTimestamp: null + name: calico-crs-configmap + namespace: default diff --git a/website/versioned_docs/version-0.9.1/policy/assets/bootstrap/calico-crs.yaml b/website/versioned_docs/version-0.9.1/policy/assets/bootstrap/calico-crs.yaml new file mode 100644 index 0000000000..acfe874639 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/policy/assets/bootstrap/calico-crs.yaml @@ -0,0 +1,13 @@ +apiVersion: addons.cluster.x-k8s.io/v1alpha3 +kind: ClusterResourceSet +metadata: + name: calico-crs + namespace: default +spec: + clusterSelector: + matchLabels: + cni: calico + resources: + - kind: ConfigMap + name: calico-crs-configmap + 
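Review bot: `apiVersion: addons.cluster.x-k8s.io/v1alpha3` on the ClusterResourceSet is an older API generation than the `cluster.x-k8s.io/v1beta1` and `infrastructure.cluster.x-k8s.io/v1beta1` objects this same commit ships in `capd-template.yaml`; if the target CAPI release serves `addons.cluster.x-k8s.io/v1beta1`, the two sample files should agree, otherwise this resource is the first to break when the older version is dropped. A short comment above `resources:` would also help readers who only open this file, e.g. `# ConfigMap is presumably resolved in this resource's namespace (default) and carries the full Calico manifest — confirm`.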
diff --git a/website/versioned_docs/version-0.9.1/policy/assets/bootstrap/capi-gitops-cluster-bootstrap-config.yaml b/website/versioned_docs/version-0.9.1/policy/assets/bootstrap/capi-gitops-cluster-bootstrap-config.yaml
new file mode 100644
index 0000000000..3226b2682b
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/policy/assets/bootstrap/capi-gitops-cluster-bootstrap-config.yaml
@@ -0,0 +1,37 @@
+apiVersion: capi.weave.works/v1alpha1
+kind: ClusterBootstrapConfig
+metadata:
+ name: capi-gitops
+ namespace: default
+spec:
+ clusterSelector:
+ matchLabels:
+ weave.works/capi: bootstrap
+ jobTemplate:
+ generateName: "run-gitops-{{ .ObjectMeta.Name }}"
+ spec:
+ containers:
+ - image: ghcr.io/fluxcd/flux-cli:v0.29.5
+ name: flux-bootstrap
+ resources: {}
+ volumeMounts:
+ - name: kubeconfig
+ mountPath: "/etc/gitops"
+ readOnly: true
+ args:
+ [
+ "bootstrap",
+ "github",
+ "--kubeconfig=/etc/gitops/value",
+ "--owner=$GITHUB_USER",
+ "--repository=fleet-infra",
+ "--path=./clusters/{{ .ObjectMeta.Name }}",
+ ]
+ envFrom:
+ - secretRef:
+ name: my-pat
+ restartPolicy: Never
+ volumes:
+ - name: kubeconfig
+ secret:
+ secretName: "{{ .ObjectMeta.Name }}-kubeconfig"
diff --git a/website/versioned_docs/version-0.9.1/policy/assets/profiles/profile-repo.yaml b/website/versioned_docs/version-0.9.1/policy/assets/profiles/profile-repo.yaml
new file mode 100644
index 0000000000..dfd989d091
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/policy/assets/profiles/profile-repo.yaml
@@ -0,0 +1,10 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ creationTimestamp: null
+ name: weaveworks-charts
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://my-org.github.io/profiles
+status: {}
diff --git a/website/versioned_docs/version-0.9.1/policy/assets/rbac/wego-admin.yaml b/website/versioned_docs/version-0.9.1/policy/assets/rbac/wego-admin.yaml
new file mode 100644
index 0000000000..01e20a007f
--- /dev/null
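Review bot: `"--owner=$GITHUB_USER"` in the `args` list will most likely reach `flux` as the literal string `$GITHUB_USER`: Kubernetes only substitutes `$(VAR)` references in `command`/`args`, and nothing in this job runs the command through a shell (the flux-cli image presumably executes `flux` directly). Use `"--owner=$(GITHUB_USER)"` and make sure `GITHUB_USER` is a key of the `my-pat` secret, since `envFrom` is the container's only source of environment variables here. A comment next to `name: my-pat` stating what the secret must contain (the `GITHUB_TOKEN` that `flux bootstrap github` reads, plus `GITHUB_USER`) and that the token should be limited to the `fleet-infra` repository would make the trust boundary explicit; pinning `ghcr.io/fluxcd/flux-cli:v0.29.5` by digest rather than tag is a further option for a job that is handed a repository credential and a cluster kubeconfig.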
+++ b/website/versioned_docs/version-0.9.1/policy/assets/rbac/wego-admin.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: wego-test-user-read-resources-cr
+subjects:
+ - kind: User
+ name: wego-admin
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: wego-admin-cluster-role
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: wego-admin-cluster-role
+rules:
+ - apiGroups: [""]
+ resources: ["secrets", "pods"]
+ verbs: ["get", "list"]
+ - apiGroups: ["apps"]
+ resources: ["deployments", "replicasets"]
+ verbs: ["get", "list"]
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: ["kustomizations"]
+ verbs: ["get", "list", "patch"]
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: ["helmreleases"]
+ verbs: ["get", "list", "patch"]
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: ["buckets", "helmcharts", "gitrepositories", "helmrepositories"]
+ verbs: ["get", "list", "patch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["pac.weave.works"]
+ resources: ["policies"]
+ verbs: ["get", "list"]
diff --git a/website/versioned_docs/version-0.9.1/policy/assets/templates/.keep b/website/versioned_docs/version-0.9.1/policy/assets/templates/.keep
new file mode 100644
index 0000000000..dc92bc0885
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/policy/assets/templates/.keep
@@ -0,0 +1 @@
+"# keep"
\ No newline at end of file
diff --git a/website/versioned_docs/version-0.9.1/policy/assets/templates/capd-template.yaml b/website/versioned_docs/version-0.9.1/policy/assets/templates/capd-template.yaml
new file mode 100644
index 0000000000..253293fb97
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/policy/assets/templates/capd-template.yaml
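Review bot: The first rule of `wego-admin-cluster-role` grants `get` and `list` on `secrets` across every namespace to the `wego-admin` user, and `list` returns full secret bodies, so this binding effectively exposes every credential and service-account token in the cluster to that user. If the UI only needs specific secrets, scope this to a namespaced Role or add `resourceNames`, and at minimum document in a comment why cluster-wide secret read is required for this sample. The binding name `wego-test-user-read-resources-cr` also matches neither its subject `wego-admin` nor its kind (the `-cr` suffix suggests a ClusterRole); `name: wego-admin-cluster-role-binding` would read consistently with the role it references.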
@@ -0,0 +1,156 @@
+apiVersion: capi.weave.works/v1alpha1
+kind: CAPITemplate
+metadata:
+ name: cluster-template-development
+ namespace: default
+spec:
+ description: A simple CAPD template
+ params:
+ - name: CLUSTER_NAME
+ required: true
+ description: This is used for the cluster naming.
+ - name: NAMESPACE
+ description: Namespace to create the cluster in
+ - name: KUBERNETES_VERSION
+ description: Kubernetes version to use for the cluster
+ options: ["1.19.11", "1.21.1", "1.22.0", "1.23.3"]
+ - name: CONTROL_PLANE_MACHINE_COUNT
+ description: Number of control planes
+ options: ["1", "2", "3"]
+ - name: WORKER_MACHINE_COUNT
+ description: Number of control planes
+ resourcetemplates:
+ - apiVersion: gitops.weave.works/v1alpha1
+ kind: GitopsCluster
+ metadata:
+ name: "${CLUSTER_NAME}"
+ namespace: "${NAMESPACE}"
+ labels:
+ weave.works/capi: bootstrap
+ spec:
+ capiClusterRef:
+ name: "${CLUSTER_NAME}"
+ - apiVersion: cluster.x-k8s.io/v1beta1
+ kind: Cluster
+ metadata:
+ name: "${CLUSTER_NAME}"
+ namespace: "${NAMESPACE}"
+ labels:
+ cni: calico
+ spec:
+ clusterNetwork:
+ pods:
+ cidrBlocks:
+ - 192.168.0.0/16
+ serviceDomain: cluster.local
+ services:
+ cidrBlocks:
+ - 10.128.0.0/12
+ controlPlaneRef:
+ apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+ kind: KubeadmControlPlane
+ name: "${CLUSTER_NAME}-control-plane"
+ namespace: "${NAMESPACE}"
+ infrastructureRef:
+ apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+ kind: DockerCluster
+ name: "${CLUSTER_NAME}"
+ namespace: "${NAMESPACE}"
+ - apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+ kind: DockerCluster
+ metadata:
+ name: "${CLUSTER_NAME}"
+ namespace: "${NAMESPACE}"
+ - apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+ kind: DockerMachineTemplate
+ metadata:
+ name: "${CLUSTER_NAME}-control-plane"
+ namespace: "${NAMESPACE}"
+ spec:
+ template:
+ spec:
+ extraMounts:
+ - containerPath: /var/run/docker.sock
+ hostPath: /var/run/docker.sock
+ - apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+ kind: KubeadmControlPlane
+ metadata:
+ name: "${CLUSTER_NAME}-control-plane"
+ namespace: "${NAMESPACE}"
+ spec:
+ kubeadmConfigSpec:
+ clusterConfiguration:
+ apiServer:
+ certSANs:
+ - localhost
+ - 127.0.0.1
+ - 0.0.0.0
+ controllerManager:
+ extraArgs:
+ enable-hostpath-provisioner: "true"
+ initConfiguration:
+ nodeRegistration:
+ criSocket: /var/run/containerd/containerd.sock
+ kubeletExtraArgs:
+ cgroup-driver: cgroupfs
+ eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%
+ joinConfiguration:
+ nodeRegistration:
+ criSocket: /var/run/containerd/containerd.sock
+ kubeletExtraArgs:
+ cgroup-driver: cgroupfs
+ eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%
+ machineTemplate:
+ infrastructureRef:
+ apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+ kind: DockerMachineTemplate
+ name: "${CLUSTER_NAME}-control-plane"
+ namespace: "${NAMESPACE}"
+ replicas: "${CONTROL_PLANE_MACHINE_COUNT}"
+ version: "${KUBERNETES_VERSION}"
+ - apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+ kind: DockerMachineTemplate
+ metadata:
+ name: "${CLUSTER_NAME}-md-0"
+ namespace: "${NAMESPACE}"
+ spec:
+ template:
+ spec: {}
+ - apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
+ kind: KubeadmConfigTemplate
+ metadata:
+ name: "${CLUSTER_NAME}-md-0"
+ namespace: "${NAMESPACE}"
+ spec:
+ template:
+ spec:
+ joinConfiguration:
+ nodeRegistration:
+ kubeletExtraArgs:
+ cgroup-driver: cgroupfs
+ eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%
+ - apiVersion: cluster.x-k8s.io/v1beta1
+ kind: MachineDeployment
+ metadata:
+ name: "${CLUSTER_NAME}-md-0"
+ namespace: "${NAMESPACE}"
+ spec:
+ clusterName: "${CLUSTER_NAME}"
+ replicas: "${WORKER_MACHINE_COUNT}"
+ selector:
+ matchLabels: null
+ template:
+ spec:
+ bootstrap:
+ configRef:
+ apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
+ kind: KubeadmConfigTemplate
+ name: "${CLUSTER_NAME}-md-0"
+ namespace: "${NAMESPACE}"
+ clusterName: "${CLUSTER_NAME}"
+ infrastructureRef:
+ apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+ kind: DockerMachineTemplate
+ name: "${CLUSTER_NAME}-md-0"
+ namespace: "${NAMESPACE}"
+ version: "${KUBERNETES_VERSION}"
diff --git a/website/versioned_docs/version-0.9.1/policy/commit-time-checks.mdx b/website/versioned_docs/version-0.9.1/policy/commit-time-checks.mdx
new file mode 100644
index 0000000000..f5a4ee515d
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/policy/commit-time-checks.mdx
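Review bot: The `WORKER_MACHINE_COUNT` param is described as `Number of control planes`, a copy of the line above it; it should read `description: Number of worker machines`. The control-plane `DockerMachineTemplate` mounts the host's `/var/run/docker.sock` via `extraMounts`, which hands the provisioned machine full control of the host Docker daemon; that is inherent to CAPD, but a comment on the `extraMounts` entry marking this template as development/test-only would keep readers from copying it into a non-CAPD template. `replicas: "${CONTROL_PLANE_MACHINE_COUNT}"` and `replicas: "${WORKER_MACHINE_COUNT}"` are quoted strings for what are integer fields on `KubeadmControlPlane` and `MachineDeployment`, so this presumably relies on the CAPITemplate renderer unquoting them — worth confirming.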
@@ -0,0 +1,180 @@ +--- +title: Commit/Build time checks +hide_title: true +sidebar_position: 3 +--- + +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; + +import TierLabel from "../_components/TierLabel"; + +# Commit/Build time checks + +## Overview +Weave GitOps Enterprise enable developers and operators to check policy violations early in their software developement life cycle, specifically at commit and build time. Developers and operators can have Weave Policy Validator integrated in their CI tools to validate whether their code changes are violating any policies or not. + +Weave GitOps Enterprise offer a policy engine image that can be used to perform commit/build time checks.The image can be found on Docker Hub under the name: `magalixcorp/weave-validator:v1.0.0`. + +--- +## Usage +```bash +USAGE: + main [global options] command [command options] [arguments...] + +VERSION: + 0.0.1 + +COMMANDS: + help, h Shows a list of commands or help for one command + +GLOBAL OPTIONS: + --path value path to resources kustomization directory + --helm-values-file value path to resources helm values file + --policies-path value path to policies kustomization directory + --policies-helm-values-file value path to policies helm values file + --git-repo-provider value git repository provider [$WEAVE_REPO_PROVIDER] + --git-repo-url value git repository url [$WEAVE_REPO_URL] + --git-repo-branch value git repository branch [$WEAVE_REPO_BRANCH] + --git-repo-sha value git repository commit sha [$WEAVE_REPO_SHA] + --git-repo-token value git repository token [$WEAVE_REPO_TOKEN] + --sast value save result as gitlab sast format + --sarif value save result as sarif format + --json value save result as json format + --generate-git-report generate git report if supported (default: false) [$WEAVE_GENERATE_GIT_PROVIDER_REPORT] + --remediate auto remediate resources if possible (default: false) + --no-exit-error exit with no error (default: false) + --help, -h show help 
(default: false) + --version, -v print the version (default: false) +``` +--- +## Setup policies +Policies can be helm chart, kustomize directory or just plain kubernetes yaml files. + +Example of policies kustomize directory +```bash +└── policies + ├── kustomization.yaml + ├── minimum-replica-count.yaml + ├── privileged-mode.yaml + └── privilege-escalation.yaml +``` + +```yaml +# kustomization.yaml +kind: Kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +resources: +- minimum-replica-count.yaml +- privilege-escalation.yaml +- privileged-mode.yaml +``` + +--- +## Auto-Remediation +Weave validator supports auto-remediation functionality which creates a pull request with suggested fixes to remediate the reported violations. + +Supported in: +- [ ] Helm +- [x] Kustomize +- [x] Plain kubernetes files + +To enable it you need to provide ```--remediate``` flag and ```--git-repo-token```. + +> The token must have the permission to create pull request + +--- +## UseCase: Github +See how to setup the [Github Action](https://github.com/weaveworks/weave-action) + +--- +## UseCase: Gitlab + +```yaml +weave: + image: + name: magalixcorp/weave-validator:v1 + script: + - weave-validator --path --policies-path +``` + +#### Enable Auto Remediation + +```yaml + script: + - weave-validator --path --policies-path --git-repo-token $GITLAB_TOKEN --remediate +``` +--- +#### Enable Static Application Security Testing + +```yaml +stages: + - weave + - sast + +weave: + stage: weave + image: + name: magalixcorp/weave-validator:v1 + script: + - weave-validator --policies-path --sast sast.json + artifacts: + when: on_failure + paths: + - sast.json + +upload_sast: + stage: sast + when: always + script: + - echo "creating sast report" + artifacts: + reports: + sast: sast.json +``` +--- +## UseCase: Bitbucket + +```yaml +pipelines: + default: + - step: + name: 'Weaveworks' + image: magalixcorp/weave-validator:v1 + script: + - weave-validator --path --policies-path +``` +#### Enable 
Auto Remediation + +```yaml + script: + - weave-validator --path --policies-path --git-repo-token $TOKEN --remediate +``` + +#### Create Pipeline Report + +```yaml + script: + - weave-validator --path --policies-path --git-repo-token $TOKEN -generate-git-report +``` + +--- +## UseCase: CircleCI + +```yaml +jobs: + weave: + docker: + - image: magalixcorp/weave-validator:v1 + steps: + - checkout + - run: + command: weave-validator --path --policies-path +``` + +#### Enable Auto Remediation + +```yaml + - run: + command: weave-validator --path --policies-path --git-repo-token ${GITHUB_TOKEN} --remediate +``` \ No newline at end of file diff --git a/website/versioned_docs/version-0.9.1/policy/getting-started.mdx b/website/versioned_docs/version-0.9.1/policy/getting-started.mdx new file mode 100644 index 0000000000..42a4c28793 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/policy/getting-started.mdx 
@@ -0,0 +1,76 @@ +--- +title: Getting started +sidebar_position: 1 +hide_title: true +--- + +import TierLabel from "../_components/TierLabel"; +import CodeBlock from "@theme/CodeBlock"; +import BrowserOnly from "@docusaurus/BrowserOnly"; + +# Getting started + +This section introduces you to the Policy Profile and details the steps required to install it in Weave GitOps. + +## Pre-requisites + +### Weave GitOps +You need to have a running instance of Weave GitOps with at least one CAPI provider installed to provision Kubernetes clusters. See [Weave GitOps Installation](https://docs.gitops.weave.works/docs/installation/) page for more details about installing Weave GitOps. + +### Policy Library +For the policy agent to work, it will need a source for the policies that it will enforce in the cluster. You should have a policy library repo set up which includes your policies resources as CRDs. You can also add a `kustomization.yaml` file selecting the policies you want to install on that specific cluster that will be provisioned by Weave Gitops: + +``` +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- policies/ +- policies/ +- policies/ +``` + +:::info +Enterprise customers should have access to fork policy library repo into their local repositories. +::: + +## Install Policy Profile +To install the policy profile on a cluster, you should select the `weave-policy-agent` from the profiles dropdown in the `Create Cluster` page. + +![Policy Profile](./img/weave-policy-profile.png) + +You should then configure the `values.yaml`. You can find more about the policy profile configurations [here](../weave-policy-profile/). 
+ +Add or link to profile config + +``` +policySource: + url: URL of the repo where your policies exist + branch: Branch name on the policies repo + path: Path to the policies dir - or a kustomization.yaml that selects some policies - in the repo + secretRef (if the repo is private): Name of the K8s secret with private repo credentials (leave empty if the repo is public) +``` + +## Policies in UI +After the leaf cluster is provisioned and the profile is installed, you should now see the policies listed in the Policies tab in Weave GitOps UI. + +![Policies](./img/weave-policies.png) + +Now you have a provisioned cluster with these policies enforced by the policy agent. + +> By default, the policy profile is set up to enforce policies at deployment time using admission controller, which results in blocking any deployment that violates the enforced policies. + +## Prevent Violating Changes +Now let's try to deploy a Kubernetes deployment that violates one of the enforced policies. Let's deploy a deployment that has `spec.securityContext.allowPrivilegeEscalation` as `true`. This violates the `Allow Privilege Escalation` policy. + +Once you apply it, the policy agent will deny this request and show a violation message. + +## Violations Logs in UI +You can view all the violation log in Weave GitOps UI to view all connected clusters policy violations, and where you can dive into the details of each violation. + +Violations Log + +![Violations Logs](./img/violations-logs.png) + +Violations Log Details + +![Violation Log Details](./img/violations-log-detail.png) diff --git a/website/versioned_docs/version-0.9.1/policy/img/violations-log-detail.png b/website/versioned_docs/version-0.9.1/policy/img/violations-log-detail.png new file mode 100644 index 0000000000..a180387bf7 Binary files /dev/null and b/website/versioned_docs/version-0.9.1/policy/img/violations-log-detail.png differ 
diff --git a/website/versioned_docs/version-0.9.1/policy/img/violations-logs.png b/website/versioned_docs/version-0.9.1/policy/img/violations-logs.png new file mode 100644 index 0000000000..58773740d9 Binary files /dev/null and b/website/versioned_docs/version-0.9.1/policy/img/violations-logs.png differ diff --git a/website/versioned_docs/version-0.9.1/policy/img/weave-policies.png b/website/versioned_docs/version-0.9.1/policy/img/weave-policies.png new file mode 100644 index 0000000000..bff055674d Binary files /dev/null and b/website/versioned_docs/version-0.9.1/policy/img/weave-policies.png differ diff --git a/website/versioned_docs/version-0.9.1/policy/img/weave-policy-profile.png b/website/versioned_docs/version-0.9.1/policy/img/weave-policy-profile.png new file mode 100644 index 0000000000..287904a316 Binary files /dev/null and b/website/versioned_docs/version-0.9.1/policy/img/weave-policy-profile.png differ diff --git a/website/versioned_docs/version-0.9.1/policy/intro.mdx b/website/versioned_docs/version-0.9.1/policy/intro.mdx new file mode 100644 index 0000000000..79465dac79 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/policy/intro.mdx @@ -0,0 +1,23 @@ +--- +title: Introduction +sidebar_position: 0 +hide_title: true +--- + +import TierLabel from "../_components/TierLabel"; + +

+ {frontMatter.title} +

+ +## Policy + +Weave Policy Engine help users to have continuous security and compliance checks across their software delivery pipeline. The engine utilize policy-as-code to guarantee security, resilience and coding standards across applications and infrastructure. The engine comes alongside with 100+ policies covering SOC2, GDPR, PCI-DSS, HIPAA, Mitre Attack and more. + +The policy engine provide the following functionality: +

Admission Controller

+An out-of-the-box admission controller that monitors any changes happening to the clusters deployments and resources, and prevent violating changes at deployment time from being deployed to clusters. +

Audit

+Daily scans for your clusters deployments and resources, then report back any policy violations. The audit results can be published to different data analytics tools to provide compliance posture analysis for your clusters runtime. +

Commit/Build Time Checks

+Early feedback on policy violations at the commit or build time, by reporting policy violations right inside git or other CI tools. That helps developers and operators detect policy violations and fix them before they deploy their changes to the clusters. diff --git a/website/versioned_docs/version-0.9.1/policy/weave-policy-profile.mdx b/website/versioned_docs/version-0.9.1/policy/weave-policy-profile.mdx new file mode 100644 index 0000000000..6acee46dbf --- /dev/null +++ b/website/versioned_docs/version-0.9.1/policy/weave-policy-profile.mdx 
@@ -0,0 +1,469 @@
+---
+title: Weave policy profile
+hide_title: true
+sidebar_position: 2
+---
+
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
+import TierLabel from "../_components/TierLabel";
+
+# Weave policy profile
+
+# Weave Policy Profile
+
+## Overview
+
+Weave policy profile provides policies to automate the enforcement of best practice and conventions. It ensures the compliance of workloads through the use of a policy agent that provides an admission controller webhook that stops violating resources from deploying to a cluster and runs a daily audit that reports violating resources already deployed.
+
+---
+## Policy Sources
+
+Policies are provided in the profile as Custom Resources. The agent reads from the policies deployed on the cluster and runs them during each admission request or when auditing a resource.
+
+Policies are hosted in a policy library which is ususally a git repository. They are fetched in the profile through the use of `kustomize.toolkit.fluxcd.io.Kustomization`, that deploys the policies to the cluster.
+
+By default all policies in the specified path would be deployed in order to specify which policies should be deployed in a library, a `kustomize.config.k8s.io.Kustomization` file should be defined in the repository.
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: # specifies the path to each required policy
+ - policies/ControllerContainerAllowingPrivilegeEscalation/policy.yaml
+ - policies/ControllerContainerRunningAsRoot/policy.yaml
+ - policies/ControllerReadOnlyFileSystem/policy.yaml
+```
+
+The profile then needs to be configured with the necessary config to be able to reach the repository that is acting as a policy library.
+
+```yaml
+policyLibraryConfig:
+ url: ssh://git@github.com/myorg/policy-library # repo url
+ branch: agent-profile # which branch to use
+ kustomizationPath: ./ # directory containing the kustomization file
+ private: true # set to true if a private repo
+ secretRef: policy-library-auth # secret containing cred to authenticate with a private repo
+```
+---
+## Policy Sets
+
+Policy set is a custom resource that gives more control over which policies to be used in each scenario. There are cases in which certain policies are required to be observed but denying the requests of violating objects would be disruptive. Policy set allows definining additional filters for each scenario: `Audit` and `Admission` so it is possible to report violations on certain policies without the need of blocking the deployments if certain policies are not as critical as others.
+
+Policy set should also be hosted on the policy library. The following definition defines which specific policies should be used using policy names:
+
+```yaml
+apiVersion: pac.weave.works/v2beta1
+kind: PolicySet
+metadata:
+ name: admission-policy-set
+spec:
+ id: admission-policy-set
+ name: admission-policy-set
+ filters:
+ ids:
+ - weave.policies.containers-running-with-privilege-escalation
+ - weave.policies.containers-read-only-root-filesystem
+```
+
+To make use of this policy set in the profile:
+
+```yaml
+config:
+ AGENT_ADMISSION_POLICY_SET: admission-policy-set # name of policy set to be used for admission
+ AGENT_AUDIT_POLICY_SET: audit-policy-set # name of policy set to be used for audit
+```
+
+---
+## Policy Validation Sinks
+
+When validating a resource a validation object is generated that contains information about the status of that validation and metadata about the resource and policy involved. These objects should be exported to be visible for users as a critical part of the audit flow, but can also be useful as logs for the admission scenario.
+ +By default the agent only writes policy validation that are violating a certain policy when performing an audit, to write compliance results as well, the following needs to be specified in the profile: + +```yaml +config: + AGENT_WRITE_COMPLIANCE: "true" +``` + +The agent profile supports multiple methods to expose this data and multiple can be used at the same time: + + + + + +The results would be dumped into a text file in the agent container as a json string. It is important to note that this file would not be persistent and would be deleted upon pod restart, so generally this approach is not recommended for production environment. + +To enable writing to a text file: + +```yaml +config: + AGENT_FILESYSTEM_SINK_FILE_PATH: "/path/to/file" +``` + +It is possible to make the file persistent, this assumes that there is a [PersistentVolume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) already configured on the cluster. + +```yaml +persistence: + enabled: false # specifies whether to use persistence or not + claimStorage: 1Gi # claim size + sinkDir: /path/to # directory to be mounted + storageClassName: standard # k8s StorageClass name +``` + + +The results would be written as Kubernetes events. This means that they are accessible through the kubernetes API and can be consumed by custom exporters. + +To enable writing Kubernetes events: + +```yaml +config: + AGENT_ENABLE_K8S_EVENTS_SINK: "true" +``` + + +This requires the cluster to be managed using flux. It makes use of flux notification controller to send events to multiple sources, depending on the controller configuration. The agent writes the events to the controller and it proceeds to publish it to the configured listeners. 
+ +To enable writing to flux notification controller: + +```yaml +config: + AGENT_FLUX_NOTIFICATION_SINK_ADDR: "true" +``` + + + + +--- +## Admission Controller Setup + +To enable admission control: + +```yaml +config: + AGENT_ENABLE_ADMISSION: "1" +``` + +Enabling admission controller requires certificates for secure communication with the webhook client and the admission server. The best way to achieve this is by installing [cert manager](https://cert-manager.io/docs/installation/) and then configuring the profile as follows: + +```yaml +useCertManager: true +``` + +There is the option of providing previously generated certificates although it is not recommended and it is up to the user to manage it: + +```yaml +certificate: "---" # admission server certificate +key: "---" # admission server private key +caCertificate: "---" # CA bundle to validate the webhook server, used by the client +``` + +If the agent webhook could not be reached or the request failed to complete, the corresponding request would be refused. To change that behavior and accepts the reuqest in cases of failure, this needs to be set: + +```yaml +failurePolicy: Ignore +``` + +--- +## Audit +Audit functionality provide a full scan on the cluster(s) and report back policy violations. This usually is used for policy violations reporting, and Compliance posture analysis against known benchmarks like PCI DSS, CIS, .etc. + +To enable audit functionality: + +```yaml +config: + AGENT_ENABLE_AUDIT: "1" +``` + +Audit will be performed when the agent starts and then at an interval of 23 hours. The results from that sink would be published by the registered sinks. + +--- +## Policy Validation + +Policy validation object contains all the necessary information to give the user a clear idea on what caused it. It is the result of validating an entity against a policy. 
+ +```yaml +id: string # identifier for the violation +account_id: string # organization identifier +cluster_id: string # cluster identifier +policy: object # contains related policy data +entity: object # contains related resource data +status: string # Violation or Compliance +message: string # message that summarizes the policy validation +type: string # Admission or Audit +trigger: string # what triggered the validation, create request or initial audit,.. +created_at: string # time that the validation occured in +``` + + + + + + + + + + + +### Managing non-capi clusters {#how-to-connect-a-cluster} + +Any kubernetes cluster whether capi or not can be added to Weave Gitops Enterprise. The only thing we need is a secret containing a valid `kubeconfig`. + +import TOCInline from "@theme/TOCInline"; +; + + + + +If you already have a `kubeconfig` stored in a secret in your management cluster, continue below to create a `GitopsCluster`. + +If you have a kubeconfig, you can load in into the cluster like so: + +``` +kubectl create secret generic demo-01-kubeconfig \ +--from-file=value.yaml=./demo-01-kubeconfig +``` + + + + +### How to create a kubeconfig secret using a service account + +1. Create a new service account on the remote cluster: + +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: demo-01 + namespace: default +``` + +2. 
Add RBAC permissions for the service account + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: impersonate-user-groups +subjects: + - kind: ServiceAccount + name: demo-02 + namespace: default +roleRef: + kind: ClusterRole + name: user-groups-impersonator + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: user-groups-impersonator +rules: + - apiGroups: [""] + resources: ["users", "groups"] + verbs: ["impersonate"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] +``` + +This will allow WGE to introspect the cluster for available namespaces. + +Once we know what namespaces are available we can test whether the logged in user can access them via impersonation. + +3. Get the token of the service account + +First get the list of secrets of the service accounts by running the following command: + +```sh +kubectl get secrets --field-selector type=kubernetes.io/service-account-token +NAME TYPE DATA AGE +default-token-lsjz4 kubernetes.io/service-account-token 3 13d +demo-01-token-gqz7p kubernetes.io/service-account-token 3 99m +``` + +`demo-01-token-gqz7p` is the secret that holds the token for `demo-01` service account + +To get the token of the service account run the following command: + +```sh +TOKEN=$(kubectl get secret demo-01-token-gqz7p -o jsonpath={.data.token} | base64 -d) +``` + +4. 
Create a kubeconfig secret + +We'll use a helper script to generate the kubeconfig, save this into `static-kubeconfig.sh`: + +```bash title="static-kubeconfig.sh" +#!/bin/bash + +if [[ -z "$CLUSTER_NAME" ]]; then + echo "Ensure CLUSTER_NAME has been set" + exit 1 +fi + +if [[ -z "$CA_CERTIFICATE" ]]; then + echo "Ensure CA_CERTIFICATE has been set to the path of the CA certificate" + exit 1 +fi + +if [[ -z "$ENDPOINT" ]]; then + echo "Ensure ENDPOINT has been set" + exit 1 +fi + +if [[ -z "$TOKEN" ]]; then + echo "Ensure TOKEN has been set" + exit 1 +fi + +export CLUSTER_CA_CERTIFICATE=$(cat "$CA_CERTIFICATE" | base64) + +envsubst <Details->Endpoint->”Show cluster certificate”. You will need to copy the contents of the certificate into the `ca.crt` file used below. + +```sh +CLUSTER_NAME=demo-01 \ +CA_CERTIFICATE=ca.crt \ +ENDPOINT= \ +TOKEN= ./static-kubeconfig.sh > demo-01-kubeconfig +``` + +Replace the following: + +- CLUSTER_NAME: the name of your cluster i.e. `demo-01` +- ENDPOINT: the API server endpoint i.e. `34.218.72.31` +- CA_CERTIFICATE: path to the CA certificate file of the cluster +- TOKEN: the token of the service account retrieved in the previous step + +Finally create a secret for the generated kubeconfig: + +```sh +kubectl create secret generic demo-01-kubeconfig \ +--from-file=value.yaml=./demo-01-kubeconfig +``` + + + + +### Connect a cluster + +:::note Get started first! + +Make sure you've + +1. Added some common RBAC rules into the `clusters/bases` folder, as described in [Getting started](./getting-started.mdx). +2. Configured the cluster bootstrap controller as described in [Getting started](./getting-started.mdx). + +::: + +Create a `GitopsCluster` + +```yaml title="./clusters/management/clusters/demo-01.yaml" +apiVersion: gitops.weave.works/v1alpha1 +kind: GitopsCluster +metadata: + name: demo-01 + namespace: default + # Signals that this cluster should be bootstrapped. 
+ labels: + weave.works/capi: bootstrap +spec: + secretRef: + name: demo-01-kubeconfig +``` + +When the `GitopsCluster` appears in the cluster, the Cluster Bootstrap Controller will install flux on it and by default start reconciling the `./clusters/demo-01` path in your management cluster's git repository. To inspect the Applications and Sources running on the new cluster we need to give permissions to the user accessing the UI. Common RBAC rules like this should be stored in `./clusters/bases`. Here we create a kustomziation to add these common resources onto our new cluster: + +```yaml title="./clusters/demo-01/clusters-bases-kustomization.yaml" +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + creationTimestamp: null + name: clusters-bases-kustomization + namespace: flux-system +spec: + interval: 10m0s + path: clusters/bases + prune: true + sourceRef: + kind: GitRepository + name: flux-system +``` + +Save these 2 files into your git repository. Commit and push. + +Once flux has reconciled the cluster you can inspect your flux resources via the UI! + +## Debugging + +### How to test a kubeconfig secret in a cluster + +To test a kubeconfig secret has been correctly setup apply the following manifest and check the logs after the job completes: + +```yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: kubectl +spec: + ttlSecondsAfterFinished: 30 + template: + spec: + containers: + - name: kubectl + image: bitnami/kubectl + args: + [ + "get", + "pods", + "-n", + "kube-system", + "--kubeconfig", + "/etc/kubeconfig/value.yaml", + ] + volumeMounts: + - name: kubeconfig + mountPath: "/etc/kubeconfig" + readOnly: true + restartPolicy: Never + volumes: + - name: kubeconfig + secret: + secretName: demo-01-kubeconfig + optional: false +``` + +In the manifest above `demo-01-kubeconfig`is the name of the secret that contains the kubeconfig for the remote cluster. 
+
+---
+
+# Background
+
+- [Authentication strategies](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies)
+ - [X509 client certificates](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs): can be used across different namespaces
+ - [Service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens): limited to a single namespace
+- [Kubernetes authentication 101 (CNCF blog post)](https://www.cncf.io/blog/2020/07/31/kubernetes-rbac-101-authentication/)
+- [Kubernetes authentication (Magalix blog post)](https://www.magalix.com/blog/kubernetes-authentication)
diff --git a/website/versioned_docs/version-0.9.1/references/_category_.json b/website/versioned_docs/version-0.9.1/references/_category_.json
new file mode 100644
index 0000000000..553b71a42e
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/references/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "References",
+ "position": 8
+}
diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/_category_.json b/website/versioned_docs/version-0.9.1/references/cli-reference/_category_.json
new file mode 100644
index 0000000000..8164f0a2ca
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/references/cli-reference/_category_.json
@@ -0,0 +1,3 @@
+{
+ "label": "CLI Reference",
+}
diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops.md
new file mode 100644
index 0000000000..b1cd5c991e
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops.md
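Review bot: The trailing comma after `"label": "CLI Reference",` in the new `references/cli-reference/_category_.json` is not valid strict JSON, so a strict parser will reject the file and the category label would be lost. The sibling `references/_category_.json` in the same hunk line is well-formed, so this looks like a copy-and-trim slip rather than intent. Unless the site loader is known to accept trailing commas, the line should read `"label": "CLI Reference"` with no comma.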
@@ -0,0 +1,48 @@ +## gitops + +Weave GitOps + +### Synopsis + +Command line utility for managing Kubernetes applications via GitOps. + +### Examples + +``` + + # Get help for gitops add cluster command + gitops add cluster -h + gitops help add cluster + + # Get the version of gitops along with commit, branch, and flux version + gitops version + + To learn more, you can find our documentation at https://docs.gitops.weave.works/ + +``` + +### Options + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + -h, --help help for gitops + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops add](gitops_add.md) - Add a new Weave GitOps resource +* [gitops beta](gitops_beta.md) - This component contains unstable or still-in-development functionality +* [gitops check](gitops_check.md) - Validates flux compatibility +* [gitops completion](gitops_completion.md) - Generate the autocompletion script for the specified shell +* [gitops delete](gitops_delete.md) - Delete one or many Weave GitOps resources +* [gitops get](gitops_get.md) - Display one or many Weave GitOps resources +* [gitops update](gitops_update.md) - Update a Weave GitOps resource +* [gitops upgrade](gitops_upgrade.md) - Upgrade to Weave GitOps Enterprise +* [gitops version](gitops_version.md) - Display gitops version 
+ +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add.md new file mode 100644 index 0000000000..5d76689faf --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add.md @@ -0,0 +1,37 @@ +## gitops add + +Add a new Weave GitOps resource + +### Examples + +``` + +# Add a new cluster using a CAPI template +gitops add cluster +``` + +### Options + +``` + -h, --help help for add +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops](gitops.md) - Weave GitOps +* [gitops add cluster](gitops_add_cluster.md) - Add a new cluster using a CAPI template +* [gitops add profile](gitops_add_profile.md) - Add a profile to a cluster +* [gitops add terraform](gitops_add_terraform.md) - Add a new Terraform resource using a TF template + +###### Auto generated by spf13/cobra on 27-Jul-2022 
diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add_cluster.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add_cluster.md
new file mode 100644
index 0000000000..3abc7a3fba
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add_cluster.md
@@ -0,0 +1,58 @@ +## gitops add cluster + +Add a new cluster using a CAPI template + +``` +gitops add cluster [flags] +``` + +### Examples + +``` + +# Add a new cluster using a CAPI template +gitops add cluster --from-template --set key=val + +# View a CAPI template populated with parameter values +# without creating a pull request for it +gitops add cluster --from-template --set key=val --dry-run + +# Add a new cluster supplied with profiles versions and values files +gitops add cluster --from-template \ +--profile 'name=foo-profile,version=0.0.1' --profile 'name=bar-profile,values=bar-values.yaml + +``` + +### Options + +``` + --base string The base branch of the remote repository + --branch string The branch to create the pull request from + --commit-message string The commit message to use + --description string The description of the pull request + --dry-run View the populated template without creating a pull request + --from-template string Specify the template to create the resource from + -h, --help help for cluster + --profile stringArray Set profiles values files on the command line (--profile 'name=foo-profile,version=0.0.1' --profile 'name=bar-profile,values=bar-values.yaml') + --set strings Set parameter values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --set-credentials string The CAPI credentials to use + --title string The title of the pull request + --url string URL of remote repository to create the pull request +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. 
+ --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops add](gitops_add.md) - Add a new Weave GitOps resource + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add_profile.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add_profile.md new file mode 100644 index 0000000000..2c5a25c772 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add_profile.md 
@@ -0,0 +1,49 @@ +## gitops add profile + +Add a profile to a cluster + +``` +gitops add profile [flags] +``` + +### Examples + +``` + + # Add a profile to a cluster + gitops add profile --name=podinfo --cluster=prod --version=1.0.0 --config-repo=ssh://git@github.com/owner/config-repo.git + +``` + +### Options + +``` + --auto-merge If set, 'gitops add profile' will merge automatically into the repository's branch + --base string The base branch of the remote repository + --branch string The branch to create the pull request from + --cluster string Name of the cluster to add the profile to + --commit-message string The commit message to use + --config-repo string URL of the external repository that contains the automation manifests + --description string The description of the pull request + -h, --help help for profile + --name string Name of the profile + --title string The title of the pull request + --version string Version of the profile specified as semver (e.g.: 0.1.0) or as 'latest' (default "latest") +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. 
+ --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops add](gitops_add.md) - Add a new Weave GitOps resource + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add_terraform.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add_terraform.md new file mode 100644 index 0000000000..96c035f913 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_add_terraform.md 
@@ -0,0 +1,47 @@ +## gitops add terraform + +Add a new Terraform resource using a TF template + +``` +gitops add terraform [flags] +``` + +### Examples + +``` + +# Add a new Terraform resource using a TF template +gitops add terraform --from-template --set key=val + +``` + +### Options + +``` + --base string The base branch of the remote repository + --branch string The branch to create the pull request from + --commit-message string The commit message to use + --description string The description of the pull request + --from-template string Specify the template to create the resource from + -h, --help help for terraform + --set strings Set parameter values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --title string The title of the pull request + --url string URL of remote repository to create the pull request +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops add](gitops_add.md) - Add a new Weave GitOps resource + +###### Auto generated by spf13/cobra on 27-Jul-2022 
diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_beta.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_beta.md new file mode 100644 index 0000000000..86bd720497 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_beta.md @@ -0,0 +1,27 @@ +## gitops beta + +This component contains unstable or still-in-development functionality + +### Options + +``` + -h, --help help for beta +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops](gitops.md) - Weave GitOps +* [gitops beta run](gitops_beta_run.md) - Set up an interactive sync between your cluster and your local file system + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_beta_run.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_beta_run.md new file mode 100644 index 0000000000..636be16a28 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_beta_run.md 
@@ -0,0 +1,65 @@ +## gitops beta run + +Set up an interactive sync between your cluster and your local file system + +### Synopsis + +This will set up a sync between the cluster in your kubeconfig and the path that you specify on your local filesystem. If you do not have Flux installed on the cluster then this will add it to the cluster automatically. This is a requirement so we can sync the files successfully from your local system onto the cluster. Flux will take care of producing the objects for you. + +``` +gitops beta run [flags] +``` + +### Examples + +``` + +# Run the sync on the current working directory +gitops beta run . [flags] + +# Run the sync against the dev overlay path +gitops beta run ./deploy/overlays/dev + +# Run the sync on the dev directory and forward the port. +# Listen on port 8080 on localhost, forwarding to 5000 in a pod of the service app. +gitops beta run ./dev --port-forward port=8080:5000,resource=svc/app + +# Run the sync on the dev directory with a specified root dir. +gitops beta run ./clusters/default/dev --root-dir ./clusters/default + +# Run the sync on the podinfo demo. +git clone https://github.com/stefanprodan/podinfo +cd podinfo +gitops beta run ./deploy/overlays/dev --timeout 3m --port-forward namespace=dev,resource=svc/backend,port=9898:9898 +``` + +### Options + +``` + --allow-k8s-context string The name of the KubeConfig context to explicitly allow. + --components strings The Flux components to install. (default [source-controller,kustomize-controller,helm-controller,notification-controller]) + --components-extra strings Additional Flux components to install. + --context string The name of the kubeconfig context to use + --dashboard-port string GitOps Dashboard port (default "9001") + --flux-version string The version of Flux to install. (default "0.31.0") + -h, --help help for run + --port-forward string Forward the port from a cluster's resource to your local machine i.e. 'port=8080:8080,resource=svc/app'. 
+ --root-dir string Specify the root directory to watch for changes. If not specified, the root of Git repository will be used. + --timeout duration The timeout for operations during GitOps Run. (default 30s) +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops beta](gitops_beta.md) - This component contains unstable or still-in-development functionality + diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_check.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_check.md new file mode 100644 index 0000000000..7ee5cbee9a --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_check.md 
@@ -0,0 +1,39 @@ +## gitops check + +Validates flux compatibility + +``` +gitops check [flags] +``` + +### Examples + +``` + +# Validate flux and kubernetes compatibility +gitops check + +``` + +### Options + +``` + -h, --help help for check +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops](gitops.md) - Weave GitOps + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion.md new file mode 100644 index 0000000000..67800ae343 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion.md 
@@ -0,0 +1,36 @@ +## gitops completion + +Generate the autocompletion script for the specified shell + +### Synopsis + +Generate the autocompletion script for gitops for the specified shell. +See each sub-command's help for details on how to use the generated script. + + +### Options + +``` + -h, --help help for completion +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops](gitops.md) - Weave GitOps +* [gitops completion bash](gitops_completion_bash.md) - Generate the autocompletion script for bash +* [gitops completion fish](gitops_completion_fish.md) - Generate the autocompletion script for fish +* [gitops completion powershell](gitops_completion_powershell.md) - Generate the autocompletion script for powershell +* [gitops completion zsh](gitops_completion_zsh.md) - Generate the autocompletion script for zsh + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_bash.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_bash.md new file mode 100644 index 0000000000..43ccb611e4 --- /dev/null 
+++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_bash.md @@ -0,0 +1,55 @@ +## gitops completion bash + +Generate the autocompletion script for bash + +### Synopsis + +Generate the autocompletion script for the bash shell. + +This script depends on the 'bash-completion' package. +If it is not installed already, you can install it via your OS's package manager. + +To load completions in your current shell session: + + source <(gitops completion bash) + +To load completions for every new session, execute once: + +#### Linux: + + gitops completion bash > /etc/bash_completion.d/gitops + +#### macOS: + + gitops completion bash > /usr/local/etc/bash_completion.d/gitops + +You will need to start a new shell for this setup to take effect. + + +``` +gitops completion bash +``` + +### Options + +``` + -h, --help help for bash + --no-descriptions disable completion descriptions +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops completion](gitops_completion.md) - Generate the autocompletion script for the specified shell + +###### Auto generated by spf13/cobra on 27-Jul-2022 
diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_fish.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_fish.md new file mode 100644 index 0000000000..a5b04cc534 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_fish.md @@ -0,0 +1,46 @@ +## gitops completion fish + +Generate the autocompletion script for fish + +### Synopsis + +Generate the autocompletion script for the fish shell. + +To load completions in your current shell session: + + gitops completion fish | source + +To load completions for every new session, execute once: + + gitops completion fish > ~/.config/fish/completions/gitops.fish + +You will need to start a new shell for this setup to take effect. + + +``` +gitops completion fish [flags] +``` + +### Options + +``` + -h, --help help for fish + --no-descriptions disable completion descriptions +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops completion](gitops_completion.md) - Generate the autocompletion script for the specified shell + +###### Auto generated by spf13/cobra on 27-Jul-2022 
diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_powershell.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_powershell.md new file mode 100644 index 0000000000..73209f97b6 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_powershell.md @@ -0,0 +1,43 @@ +## gitops completion powershell + +Generate the autocompletion script for powershell + +### Synopsis + +Generate the autocompletion script for powershell. + +To load completions in your current shell session: + + gitops completion powershell | Out-String | Invoke-Expression + +To load completions for every new session, add the output of the above command +to your powershell profile. + + +``` +gitops completion powershell [flags] +``` + +### Options + +``` + -h, --help help for powershell + --no-descriptions disable completion descriptions +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops completion](gitops_completion.md) - Generate the autocompletion script for the specified shell + +###### Auto generated by spf13/cobra on 27-Jul-2022 
diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_zsh.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_zsh.md new file mode 100644 index 0000000000..3182e0e014 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_completion_zsh.md 
@@ -0,0 +1,53 @@ +## gitops completion zsh + +Generate the autocompletion script for zsh + +### Synopsis + +Generate the autocompletion script for the zsh shell. + +If shell completion is not already enabled in your environment you will need +to enable it. You can execute the following once: + + echo "autoload -U compinit; compinit" >> ~/.zshrc + +To load completions for every new session, execute once: + +#### Linux: + + gitops completion zsh > "${fpath[1]}/_gitops" + +#### macOS: + + gitops completion zsh > /usr/local/share/zsh/site-functions/_gitops + +You will need to start a new shell for this setup to take effect. + + +``` +gitops completion zsh [flags] +``` + +### Options + +``` + -h, --help help for zsh + --no-descriptions disable completion descriptions +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops completion](gitops_completion.md) - Generate the autocompletion script for the specified shell + +###### Auto generated by spf13/cobra on 27-Jul-2022 
diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_delete.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_delete.md new file mode 100644 index 0000000000..4c769eaa38 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_delete.md @@ -0,0 +1,35 @@ +## gitops delete + +Delete one or many Weave GitOps resources + +### Examples + +``` + +# Delete a CAPI cluster given its name +gitops delete cluster +``` + +### Options + +``` + -h, --help help for delete +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops](gitops.md) - Weave GitOps +* [gitops delete cluster](gitops_delete_cluster.md) - Delete a cluster given its name + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_delete_cluster.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_delete_cluster.md new file mode 100644 index 0000000000..c78e27f328 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_delete_cluster.md 
@@ -0,0 +1,45 @@ +## gitops delete cluster + +Delete a cluster given its name + +``` +gitops delete cluster [flags] +``` + +### Examples + +``` + +# Delete a CAPI cluster by its name +gitops delete cluster + +``` + +### Options + +``` + --base string The base branch to open the pull request against + --branch string The branch to create the pull request from + --commit-message string The commit message to use when deleting the clusters + --description string The description of the pull request + -h, --help help for cluster + --title string The title of the pull request + --url string The repository to open a pull request against +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops delete](gitops_delete.md) - Delete one or many Weave GitOps resources + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get.md new file mode 100644 index 0000000000..589b50d36a --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get.md 
@@ -0,0 +1,45 @@ +## gitops get + +Display one or many Weave GitOps resources + +### Examples + +``` + +# Get all CAPI templates +gitops get templates + +# Get all CAPI credentials +gitops get credentials + +# Get all CAPI clusters +gitops get clusters +``` + +### Options + +``` + -h, --help help for get +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops](gitops.md) - Weave GitOps +* [gitops get bcrypt-hash](gitops_get_bcrypt-hash.md) - Generates a hashed secret +* [gitops get cluster](gitops_get_cluster.md) - Display one or many CAPI clusters +* [gitops get credential](gitops_get_credential.md) - Get CAPI credentials +* [gitops get profile](gitops_get_profile.md) - Show information about available profiles +* [gitops get template](gitops_get_template.md) - Display one or many CAPI templates + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_bcrypt-hash.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_bcrypt-hash.md new file mode 100644 index 0000000000..4a56eb62b4 --- /dev/null 
+++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_bcrypt-hash.md @@ -0,0 +1,39 @@ +## gitops get bcrypt-hash + +Generates a hashed secret + +``` +gitops get bcrypt-hash [flags] +``` + +### Examples + +``` + +# PASSWORD="" +# echo $PASSWORD | gitops get bcrypt-hash + +``` + +### Options + +``` + -h, --help help for bcrypt-hash +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops get](gitops_get.md) - Display one or many Weave GitOps resources + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_cluster.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_cluster.md new file mode 100644 index 0000000000..4e360d8a67 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_cluster.md 
@@ -0,0 +1,45 @@ +## gitops get cluster + +Display one or many CAPI clusters + +``` +gitops get cluster [flags] +``` + +### Examples + +``` + +# Get all CAPI clusters +gitops get clusters + +# Get a single CAPI cluster +gitops get cluster + +# Get the Kubeconfig of a cluster +gitops get cluster --kubeconfig +``` + +### Options + +``` + -h, --help help for cluster + --print-kubeconfig Returns the Kubeconfig of the workload cluster +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops get](gitops_get.md) - Display one or many Weave GitOps resources + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_credential.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_credential.md new file mode 100644 index 0000000000..9afbce6c9f --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_credential.md 
@@ -0,0 +1,39 @@ +## gitops get credential + +Get CAPI credentials + +``` +gitops get credential [flags] +``` + +### Examples + +``` + +# Get all CAPI credentials +gitops get credentials + +``` + +### Options + +``` + -h, --help help for credential +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops get](gitops_get.md) - Display one or many Weave GitOps resources + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_profile.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_profile.md new file mode 100644 index 0000000000..ce8e096609 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_profile.md 
@@ -0,0 +1,39 @@ +## gitops get profile + +Show information about available profiles + +``` +gitops get profile [flags] +``` + +### Examples + +``` + + # Get all profiles + gitops get profiles + +``` + +### Options + +``` + -h, --help help for profile +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops get](gitops_get.md) - Display one or many Weave GitOps resources + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_template.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_template.md new file mode 100644 index 0000000000..5fe315f61e --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_template.md 
@@ -0,0 +1,49 @@ +## gitops get template + +Display one or many CAPI templates + +``` +gitops get template [flags] +``` + +### Examples + +``` + +# Get all CAPI templates +gitops get templates + +# Get all AWS CAPI templates +gitops get templates --provider aws + +# Show the parameters of a CAPI template +gitops get template --list-parameters + +``` + +### Options + +``` + -h, --help help for template + --list-parameters Show parameters of CAPI template + --list-profiles Show profiles of CAPI template + --provider string Filter templates by provider. Supported providers: aws azure digitalocean docker openstack packet vsphere +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops get](gitops_get.md) - Display one or many Weave GitOps resources +* [gitops get template terraform](gitops_get_template_terraform.md) - Display one or many Terraform templates + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_template_terraform.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_template_terraform.md new file mode 100644 index 0000000000..3b8894319c 
--- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_get_template_terraform.md @@ -0,0 +1,43 @@ +## gitops get template terraform + +Display one or many Terraform templates + +``` +gitops get template terraform [flags] +``` + +### Examples + +``` + +# Get all terraform templates +gitops get template terraform + +# Show the parameters of a Terraform template +gitops get template terraform --list-parameters + +``` + +### Options + +``` + -h, --help help for terraform + --list-parameters Show parameters of Terraform template +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops get template](gitops_get_template.md) - Display one or many CAPI templates + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_update.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_update.md new file mode 100644 index 0000000000..5ce97448ed --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_update.md 
@@ -0,0 +1,36 @@ +## gitops update + +Update a Weave GitOps resource + +### Examples + +``` + + # Update a profile that is installed on a cluster + gitops update profile --name=podinfo --cluster=prod --config-repo=ssh://git@github.com/owner/config-repo.git --version=1.0.0 + +``` + +### Options + +``` + -h, --help help for update +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops](gitops.md) - Weave GitOps +* [gitops update profile](gitops_update_profile.md) - Update a profile installation + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_update_profile.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_update_profile.md new file mode 100644 index 0000000000..816080c680 --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_update_profile.md 
@@ -0,0 +1,49 @@ +## gitops update profile + +Update a profile installation + +``` +gitops update profile [flags] +``` + +### Examples + +``` + + # Update a profile that is installed on a cluster + gitops update profile --name=podinfo --cluster=prod --config-repo=ssh://git@github.com/owner/config-repo.git --version=1.0.0 + +``` + +### Options + +``` + --auto-merge If set, 'gitops update profile' will merge automatically into the repository's branch + --base string The base branch of the remote repository + --branch string The branch to create the pull request from + --cluster string Name of the cluster where the profile is installed + --commit-message string The commit message to use + --config-repo string URL of the external repository that contains the automation manifests + --description string The description of the pull request + -h, --help help for profile + --name string Name of the profile + --title string The title of the pull request + --version string Version of the profile specified as semver (e.g.: 0.1.0) or as 'latest' (default "latest") +``` + +### Options inherited from parent commands + +``` + -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. 
+ --namespace string The namespace scope for this operation (default "flux-system") + -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable + -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable +``` + +### SEE ALSO + +* [gitops update](gitops_update.md) - Update a Weave GitOps resource + +###### Auto generated by spf13/cobra on 27-Jul-2022 diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_upgrade.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_upgrade.md new file mode 100644 index 0000000000..555c7faa7e --- /dev/null +++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_upgrade.md 
@@ -0,0 +1,49 @@
+## gitops upgrade
+
+Upgrade to Weave GitOps Enterprise
+
+```
+gitops upgrade [flags]
+```
+
+### Examples
+
+```
+ # Upgrade Weave GitOps in the flux-system namespace
+ gitops upgrade --version 0.0.17 --config-repo https://github.com/my-org/my-management-cluster.git
+
+ # Upgrade Weave GitOps and set the natsURL
+ gitops upgrade --version 0.0.17 --set "agentTemplate.natsURL=my-cluster.acme.org:4222" \
+ --config-repo https://github.com/my-org/my-management-cluster.git
+```
+
+### Options
+
+```
+ --base string The base branch to open the pull request against
+ --branch string The branch to create the pull request from (default "tier-upgrade-enterprise")
+ --commit-message string The commit message (default "Upgrade to WGE")
+ --config-repo string URL of external repository that will hold automation manifests
+ --dry-run Output the generated profile without creating a pull request
+ -h, --help help for upgrade
+ --path string The path within the Git repository containing files for the current cluster
+ --set stringArray set profile values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+ --version string Version of Weave GitOps Enterprise to be installed
+```
+
+### Options inherited from parent commands
+
+```
+ -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable
+ --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+ --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster.
+ --namespace string The namespace scope for this operation (default "flux-system")
+ -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable
+ -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable
+```
+
+### SEE ALSO
+
+* [gitops](gitops.md) - Weave GitOps
+
+###### Auto generated by spf13/cobra on 27-Jul-2022
diff --git a/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_version.md b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_version.md
new file mode 100644
index 0000000000..28b8d7c504
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/references/cli-reference/gitops_version.md
@@ -0,0 +1,30 @@
+## gitops version
+
+Display gitops version
+
+```
+gitops version [flags]
+```
+
+### Options
+
+```
+ -h, --help help for version
+```
+
+### Options inherited from parent commands
+
+```
+ -e, --endpoint WEAVE_GITOPS_ENTERPRISE_API_URL The Weave GitOps Enterprise HTTP API endpoint can be set with WEAVE_GITOPS_ENTERPRISE_API_URL environment variable
+ --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+ --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster.
+ --namespace string The namespace scope for this operation (default "flux-system")
+ -p, --password WEAVE_GITOPS_PASSWORD The Weave GitOps Enterprise password for authentication can be set with WEAVE_GITOPS_PASSWORD environment variable
+ -u, --username WEAVE_GITOPS_USERNAME The Weave GitOps Enterprise username for authentication can be set with WEAVE_GITOPS_USERNAME environment variable
+```
+
+### SEE ALSO
+
+* [gitops](gitops.md) - Weave GitOps
+
+###### Auto generated by spf13/cobra on 27-Jul-2022
diff --git a/website/versioned_docs/version-0.9.1/references/helm-reference.md b/website/versioned_docs/version-0.9.1/references/helm-reference.md
new file mode 100644
index 0000000000..e568f8d82c
--- /dev/null
+++ b/website/versioned_docs/version-0.9.1/references/helm-reference.md
@@ -0,0 +1,56 @@
+# Helm chart reference
+
+
+This is a reference of all the configurable values in weave gitops's
+helm chart. This is intended for customizing your installation after
+you've gone through the [getting started](../getting-started.mdx) guide.
+
+This reference was generated for the chart version 2.2.4 which installs weave gitops v0.9.1.
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| adminUser.create | bool | `false` | Whether the local admin user should be created. If you use this make sure you add it to `rbac.impersonationResourceNames`. |
+| adminUser.createClusterRole | bool | `true` | Specifies whether the clusterRole & binding to the admin user should be created. Will be created only if `adminUser.create` is enabled. Without this, the adminUser will only be able to see resources in the `flux-system` namespace. |
+| adminUser.createSecret | bool | `true` | Whether we should create the secret for the local adminUser. Will be created only if `adminUser.create` is enabled. Without this, we'll still set up the roles and permissions, but the secret with username and password has to be provided separately. |
+| adminUser.passwordHash | string | `nil` | Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret` This needs to have been hashed using bcrypt. You can do this via our CLI with `gitops get bcrypt-hash`. |
+| adminUser.username | string | `"gitops-test-user"` | Set username for local admin user, these will be stored in a secret in k8s. Requires `adminUser.create` and `adminUser.createSecret`. |
+| affinity | object | `{}` | |
+| fullnameOverride | string | `""` | |
+| image.pullPolicy | string | `"IfNotPresent"` | |
+| image.repository | string | `"ghcr.io/weaveworks/wego-app"` | |
+| image.tag | string | `"v0.9.1"` | |
+| imagePullSecrets | list | `[]` | |
+| ingress.annotations | object | `{}` | |
+| ingress.className | string | `""` | |
+| ingress.enabled | bool | `false` | |
+| ingress.hosts | string | `nil` | |
+| ingress.tls | list | `[]` | |
+| logLevel | string | `"info"` | What log level to output. Valid levels are 'debug', 'info', 'warn' and 'error' |
+| metrics.enabled | bool | `false` | Start the metrics exporter |
+| metrics.service.annotations | object | `{"prometheus.io/path":"/metrics","prometheus.io/port":"{{ .Values.metrics.service.port }}","prometheus.io/scrape":"true"}` | Annotations to set on the service |
+| metrics.service.port | int | `2112` | Port to start the metrics exporter on |
+| nameOverride | string | `""` | |
+| nodeSelector | object | `{}` | |
+| oidcSecret.create | bool | `false` | |
+| podAnnotations | object | `{}` | |
+| podSecurityContext | object | `{}` | |
+| rbac.additionalRules | list | `[]` | If non-empty, these additional rules will be appended to the RBAC role and the cluster role. for example, additionalRules: - apiGroups: ["infra.contrib.fluxcd.io"] resources: ["terraforms"] verbs: [ "get", "list", "patch" ] |
+| rbac.create | bool | `true` | Specifies whether the clusterRole & binding to the service account should be created |
+| rbac.impersonationResourceNames | list | `[]` | If non-empty, this limits the resources that the service account can impersonate. This applies to both users and groups, e.g. `['user1@corporation.com', 'user2@corporation.com', 'operations']` |
+| rbac.impersonationResources | list | `["users","groups"]` | Limit the type of principal that can be impersonated |
+| rbac.viewSecretsResourceNames | list | `["cluster-user-auth","oidc-auth"]` | If non-empty, this limits the secrets that can be accessed by the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']` |
+| replicaCount | int | `1` | |
+| resources | object | `{}` | |
+| securityContext | object | `{}` | |
+| serverTLS.enable | bool | `false` | Enable TLS termination in gitops itself. If you enable this, you need to create a secret, and specify the secretName. Another option is to create an ingress. |
+| serverTLS.secretName | string | `"my-secret-tls"` | Specify the tls secret name. This type of secrets have a key called `tls.crt` and `tls.key` containing their corresponding values in base64 format. See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more details and examples |
+| service.annotations | object | `{}` | |
+| service.create | bool | `true` | |
+| service.port | int | `9001` | |
+| service.type | string | `"ClusterIP"` | |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| tolerations | list | `[]` | |
diff --git a/website/versioned_sidebars/version-0.9.1-sidebars.json b/website/versioned_sidebars/version-0.9.1-sidebars.json
new file mode 100644
index 0000000000..caea0c03ba
--- /dev/null
+++ b/website/versioned_sidebars/version-0.9.1-sidebars.json
@@ -0,0 +1,8 @@
+{
+ "tutorialSidebar": [
+ {
+ "type": "autogenerated",
+ "dirName": "."
+ }
+ ]
+}
diff --git a/website/versions.json b/website/versions.json
index 516f2f2571..4985ec47e6 100644
--- a/website/versions.json
+++ b/website/versions.json
@@ -1,4 +1,5 @@
 [
+ "0.9.1",
 "0.9.0",
 "0.8.1",
 "0.8.0",