# Copyright (c) 2023, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
#
# clusterctl cluster template (e2e test): one OCNE control plane + one worker
# MachineDeployment on OCI, with a new VCN whose subnets each carry an explicit
# security list. `${VAR}` / `${VAR=default}` are substituted by clusterctl at
# generate time (envsubst syntax; `=default` supplies a default value).
# Review note: the security lists below are deliberately broad for a test
# cluster (API endpoint and SSH open to 0.0.0.0/0, all-protocol east-west);
# do not reuse this template as-is for anything beyond throwaway e2e runs.
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: ${CLUSTER_NAMESPACE}
  name: ${CLUSTER_NAMESPACE}
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  labels:
    cluster.x-k8s.io/cluster-name: ${CLUSTER_NAME}
  name: ${CLUSTER_NAME}
  namespace: ${CLUSTER_NAMESPACE}
spec:
  clusterNetwork:
    pods:
      cidrBlocks:
        - ${POD_CIDR=192.168.0.0/16}
    serviceDomain: cluster.local
    services:
      cidrBlocks:
        - ${CLUSTER_CIDR=10.128.0.0/12}
  # Control plane is provided by the OCNE control-plane provider (v1alpha1 API).
  controlPlaneRef:
    apiVersion: controlplane.cluster.x-k8s.io/v1alpha1
    kind: OCNEControlPlane
    name: ${CLUSTER_NAME}-control-plane
    namespace: ${CLUSTER_NAMESPACE}
  infrastructureRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
    kind: OCICluster
    name: ${CLUSTER_NAME}
    namespace: ${CLUSTER_NAMESPACE}
---
# OCI API credentials consumed by the OCIClusterIdentity below.
# `data` values of a Secret must already be base64-encoded; the `_B64` suffix
# on each variable reflects that the caller supplies them pre-encoded.
# This Secret is a long-lived cloud credential in the management cluster:
# restrict RBAC on it and prefer a dedicated, least-privilege OCI user.
apiVersion: v1
kind: Secret
metadata:
  name: ${CLUSTER_NAME}-user-credentials
  namespace: ${CLUSTER_NAMESPACE}
type: Opaque
data:
  tenancy: ${OCI_TENANCY_ID_B64}
  user: ${OCI_USER_ID_B64}
  key: ${OCI_CREDENTIALS_KEY_B64}
  fingerprint: ${OCI_CREDENTIALS_FINGERPRINT_B64}
  # Empty value: presumably the API signing key has no passphrase — confirm.
  passphrase: ""
  region: ${OCI_REGION_B64}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: OCIClusterIdentity
metadata:
  name: ${CLUSTER_NAME}-cluster-identity
  namespace: ${CLUSTER_NAMESPACE}
spec:
  type: UserPrincipal
  principalSecret:
    name: ${CLUSTER_NAME}-user-credentials
    namespace: ${CLUSTER_NAMESPACE}
  # NOTE(review): an empty allowedNamespaces object is documented by CAPOCI as
  # "any namespace may use this identity" (nil would mean none). Acceptable for
  # an e2e namespace; scope it with a namespaceList/selector if this identity
  # ever lives in a shared management cluster — confirm intent.
  allowedNamespaces: {}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: OCICluster
metadata:
  labels:
    cluster.x-k8s.io/cluster-name: ${CLUSTER_NAME}
  name: ${CLUSTER_NAME}
  namespace: ${CLUSTER_NAMESPACE}
spec:
  compartmentId: ${OCI_COMPARTMENT_ID}
  identityRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
    kind: OCIClusterIdentity
    name: ${CLUSTER_NAME}-cluster-identity
    namespace: ${CLUSTER_NAMESPACE}
  # Custom VCN layout. Subnet CIDRs referenced by the rules below:
  #   10.0.0.8/29   control-plane-endpoint (public)
  #   10.0.0.0/29   control-plane (private)
  #   10.0.0.32/27  service-lb (public)
  #   10.0.64.0/20  worker (private)
  # Rules without `isStateless` rely on the OCI default (stateful) — presumably
  # intentional; the two explicit `isStateless: false` entries are redundant.
  networkSpec:
    vcn:
      name: ${CLUSTER_NAME}
      cidr: "10.0.0.0/16"
      subnets:
        - cidr: 10.0.0.8/29
          name: ocne-control-plane-endpoint
          role: control-plane-endpoint
          type: public
          securityList:
            name: ocne-control-plane-endpoint-security-list
            egressRules:
              # Endpoint LB may only forward to the control-plane subnet on 6443.
              - description: Kubernetes API traffic to Control Plane
                destination: 10.0.0.0/29
                destinationType: CIDR_BLOCK
                isStateless: false
                protocol: "6"
                tcpOptions:
                  destinationPortRange:
                    max: 6443
                    min: 6443
            ingressRules:
              # Public API endpoint: 6443 is reachable from any source. Fine for
              # a test cluster; narrow `source` to the CI egress range where the
              # runner's address space is known.
              - description: External access to Kubernetes API endpoint
                protocol: "6"
                source: 0.0.0.0/0
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 6443
                    min: 6443
              # ICMP type 3 / code 4 ("fragmentation needed") enables path-MTU
              # discovery inside the VCN. Description text reads "Peath"; it is
              # display-only, so left untouched here.
              - description: ICMP Peath discovery
                icmpOptions:
                  code: 4
                  type: 3
                protocol: "1"
                source: 10.0.0.0/16
                sourceType: CIDR_BLOCK
        - cidr: 10.0.0.0/29
          name: ocne-control-plane
          role: control-plane
          type: private
          securityList:
            name: ocne-control-plane-security-list
            egressRules:
              # Unrestricted egress (image pulls, OCI API). The subnet is
              # private, so this presumably traverses a NAT gateway — confirm.
              - description: Control Plane access to Internet
                destination: 0.0.0.0/0
                destinationType: CIDR_BLOCK
                protocol: all
            ingressRules:
              # All protocols from the whole VCN. This single rule already
              # covers every more specific intra-VCN rule that follows; the
              # specific rules document intent but do not add restriction.
              - description: Inbound East-West traffic
                source: 10.0.0.0/16
                sourceType: CIDR_BLOCK
                protocol: all
              - description: Kubernetes API endpoint to Control Plane(apiserver port) communication
                protocol: "6"
                source: 10.0.0.8/29
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 6443
                    min: 6443
              - description: Control plane node to Control Plane(apiserver port) communication
                protocol: "6"
                source: 10.0.0.0/29
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 6443
                    min: 6443
              - description: Worker Node to Control Plane(apiserver port) communication
                protocol: "6"
                source: 10.0.64.0/20
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 6443
                    min: 6443
              # etcd (2379 client, 2380 peer) is limited to the control-plane
              # subnet itself.
              - description: etcd client communication
                protocol: "6"
                source: 10.0.0.0/29
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 2379
                    min: 2379
              - description: etcd peer
                protocol: "6"
                source: 10.0.0.0/29
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 2380
                    min: 2380
              - description: Calico networking (BGP)
                protocol: "6"
                source: 10.0.0.0/29
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 179
                    min: 179
              - description: Calico networking (BGP)
                protocol: "6"
                source: 10.0.64.0/20
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 179
                    min: 179
              # protocol "4" = IP-in-IP encapsulation used by Calico.
              - description: Calico networking with IP-in-IP enabled
                protocol: "4"
                source: 10.0.0.0/29
                sourceType: CIDR_BLOCK
              - description: Calico networking with IP-in-IP enabled
                protocol: "4"
                source: 10.0.64.0/20
                sourceType: CIDR_BLOCK
              - description: Path discovery
                icmpOptions:
                  code: 4
                  type: 3
                protocol: "1"
                source: 10.0.0.0/16
                sourceType: CIDR_BLOCK
              # SSH from any source into a private subnet. Not internet-routable
              # by itself (no IGW route on a private subnet), but any network
              # that can route to the VCN (peering, bastion, VPN) is admitted.
              # Narrow `source` to the bastion/CI CIDR outside e2e use.
              - description: Inbound SSH traffic to Control Plane
                protocol: "6"
                source: 0.0.0.0/0
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 22
                    min: 22
              - description: Control Plane to Control Plane Kubelet Communication
                protocol: "6"
                source: 10.0.0.0/29
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 10250
                    min: 10250
        - cidr: 10.0.0.32/27
          name: ocne-service-lb
          role: service-lb
          type: public
          securityList:
            name: ocne-service-lb-security-list
            egressRules:
              # LB may only reach worker NodePorts (30000-32767).
              - description: Service LoadBalancer to default NodePort egress communication
                destination: 10.0.64.0/20
                destinationType: CIDR_BLOCK
                protocol: "6"
                tcpOptions:
                  destinationPortRange:
                    max: 32767
                    min: 30000
            ingressRules:
              - description: Path discovery
                icmpOptions:
                  code: 4
                  type: 3
                protocol: "1"
                source: 10.0.0.0/16
                sourceType: CIDR_BLOCK
              # Public HTTP/HTTPS to LoadBalancer Services — the only public
              # ingress this subnet accepts.
              - description: Accept http traffic on port 80
                protocol: "6"
                source: 0.0.0.0/0
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 80
                    min: 80
              - description: Accept https traffic on port 443
                protocol: "6"
                source: 0.0.0.0/0
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 443
                    min: 443
        - cidr: 10.0.64.0/20
          name: ocne-worker
          role: worker
          type: private
          securityList:
            name: ocne-worker-security-list
            egressRules:
              - description: Worker node access to Internet
                destination: 0.0.0.0/0
                destinationType: CIDR_BLOCK
                protocol: all
            ingressRules:
              # Same all-protocol intra-VCN allow as the control-plane list;
              # the specific rules below are subsumed by it.
              - description: Inbound East-West traffic
                source: 10.0.0.0/16
                sourceType: CIDR_BLOCK
                isStateless: false
                protocol: all
              # See the control-plane SSH rule: same caveat applies here.
              - description: Inbound SSH traffic to worker node
                protocol: "6"
                source: 0.0.0.0/0
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 22
                    min: 22
              - description: Path discovery
                icmpOptions:
                  code: 4
                  type: 3
                protocol: "1"
                source: 10.0.0.0/16
                sourceType: CIDR_BLOCK
              - description: Control Plane to worker node Kubelet Communication
                protocol: "6"
                source: 10.0.0.0/29
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 10250
                    min: 10250
              - description: Worker node to worker node Kubelet Communication
                protocol: "6"
                source: 10.0.64.0/20
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 10250
                    min: 10250
              - description: Calico networking (BGP)
                protocol: "6"
                source: 10.0.0.0/29
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 179
                    min: 179
              - description: Calico networking (BGP)
                protocol: "6"
                source: 10.0.64.0/20
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 179
                    min: 179
              - description: Calico networking with IP-in-IP enabled
                protocol: "4"
                source: 10.0.0.0/29
                sourceType: CIDR_BLOCK
              - description: Calico networking with IP-in-IP enabled
                protocol: "4"
                source: 10.0.64.0/20
                sourceType: CIDR_BLOCK
              # NodePort range is only opened worker-to-worker here; the LB
              # reaches it via the east-west rule above.
              - description: Worker node to default NodePort ingress communication
                protocol: "6"
                source: 10.0.64.0/20
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 32767
                    min: 30000
---
apiVersion: controlplane.cluster.x-k8s.io/v1alpha1
kind: OCNEControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: ${CLUSTER_NAMESPACE}
spec:
  # OCNE add-ons installed by the control-plane provider; this is what makes
  # the template an "addons" variant.
  moduleOperator:
    enabled: true
  verrazzanoPlatformOperator:
    enabled: true
    imagePullSecrets:
      - name: ${IMAGE_PULL_SECRET=verrazzano-container-registry}
    image:
      repository: ${VPO_IMAGE}
      tag: ${VPO_TAG}
  controlPlaneConfig:
    clusterConfiguration:
      apiServer:
        # Extra SANs so the API server cert is valid for local access; the
        # endpoint LB address is presumably added by the provider — confirm.
        certSANs:
          - localhost
          - 127.0.0.1
      # Control-plane images are pulled from the OCNE registry path; pin
      # OCNE_IMAGE_REPOSITORY to an internal mirror to avoid an external
      # supply-chain dependency at cluster-creation time.
      dns:
        imageRepository: ${OCNE_IMAGE_REPOSITORY=container-registry.oracle.com}/${OCNE_IMAGE_PATH=olcne}
        imageTag: ${DNS_TAG=v1.9.3}
      etcd:
        local:
          imageRepository: ${OCNE_IMAGE_REPOSITORY=container-registry.oracle.com}/${OCNE_IMAGE_PATH=olcne}
          imageTag: ${ETCD_TAG=3.5.6}
      networking: {}
      scheduler: {}
      imageRepository: ${OCNE_IMAGE_REPOSITORY=container-registry.oracle.com}/${OCNE_IMAGE_PATH=olcne}
    initConfiguration:
      nodeRegistration:
        criSocket: /var/run/crio/crio.sock
        kubeletExtraArgs:
          # External cloud provider: the OCI CCM sets node addresses/IDs.
          cloud-provider: external
          # `{{ ds["id"] }}` is a cloud-init template expanded on the instance,
          # not by clusterctl; it resolves to the OCI instance OCID.
          provider-id: oci://{{ ds["id"] }}
    joinConfiguration:
      discovery: {}
      nodeRegistration:
        criSocket: /var/run/crio/crio.sock
        kubeletExtraArgs:
          cloud-provider: external
          provider-id: oci://{{ ds["id"] }}
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
      kind: OCIMachineTemplate
      name: ${CLUSTER_NAME}-control-plane
      namespace: ${CLUSTER_NAMESPACE}
  replicas: ${CONTROL_PLANE_MACHINE_COUNT=1}
  version: ${KUBERNETES_VERSION=v1.25.7}
---
# Control-plane machine shape. Identical to the worker template below apart
# from the name; keep the two in sync when changing defaults.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: OCIMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: ${CLUSTER_NAMESPACE}
spec:
  template:
    spec:
      # Quoted so the numeric default stays a string as the CRD expects.
      bootVolumeSizeInGBs: "${OCI_NODE_BOOT_VOLUME=100}"
      compartmentId: ${OCI_COMPARTMENT_ID}
      imageId: ${OCI_IMAGE_ID}
      # In-transit encryption for block volumes is off by default here; it is
      # a hardening knob worth enabling where the shape supports it.
      isPvEncryptionInTransitEnabled: ${OCI_NODE_PV_TRANSIT_ENCRYPTION=false}
      # Injected through OCI instance metadata and consumed by cloud-init; the
      # SSH rules in the security lists are what make this key usable.
      metadata:
        ssh_authorized_keys: ${OCI_SSH_KEY}
      shape: ${OCI_NODE_MACHINE_TYPE=VM.Standard.E4.Flex}
      shapeConfig:
        ocpus: "${OCI_NODE_MACHINE_TYPE_OCPUS=4}"
        memoryInGBs: "${OCI_NODE_MACHINE_MEMORY_GBS=80}"
---
# Worker machine shape (see control-plane template above).
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: OCIMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: ${CLUSTER_NAMESPACE}
spec:
  template:
    spec:
      bootVolumeSizeInGBs: "${OCI_NODE_BOOT_VOLUME=100}"
      compartmentId: ${OCI_COMPARTMENT_ID}
      imageId: ${OCI_IMAGE_ID}
      isPvEncryptionInTransitEnabled: ${OCI_NODE_PV_TRANSIT_ENCRYPTION=false}
      metadata:
        ssh_authorized_keys: ${OCI_SSH_KEY}
      shape: ${OCI_NODE_MACHINE_TYPE=VM.Standard.E4.Flex}
      shapeConfig:
        ocpus: "${OCI_NODE_MACHINE_TYPE_OCPUS=4}"
        memoryInGBs: "${OCI_NODE_MACHINE_MEMORY_GBS=80}"
---
# Bootstrap config for worker nodes: join-only, same kubelet args as the
# control plane.
apiVersion: bootstrap.cluster.x-k8s.io/v1alpha1
kind: OCNEConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: ${CLUSTER_NAMESPACE}
spec:
  template:
    spec:
      clusterConfiguration:
        imageRepository: ${OCNE_IMAGE_REPOSITORY=container-registry.oracle.com}/${OCNE_IMAGE_PATH=olcne}
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            cloud-provider: external
            provider-id: oci://{{ ds["id"] }}
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachineDeployment
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: ${CLUSTER_NAMESPACE}
spec:
  clusterName: ${CLUSTER_NAME}
  replicas: ${NODE_MACHINE_COUNT=1}
  # Explicit null: the selector is presumably defaulted by the CAPI webhook
  # from the cluster-name / deployment-name labels — confirm.
  selector:
    matchLabels: null
  template:
    spec:
      bootstrap:
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1alpha1
          kind: OCNEConfigTemplate
          name: ${CLUSTER_NAME}-md-0
      clusterName: ${CLUSTER_NAME}
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
        kind: OCIMachineTemplate
        name: ${CLUSTER_NAME}-md-0
      version: ${KUBERNETES_VERSION=v1.25.7}