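# Copyright (c) 2023, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
#
# Cluster API template for an OCNE workload cluster on OCI that creates its own
# VCN. It is consumed by the Verrazzano e2e tests: `${VAR}` and `${VAR=default}`
# tokens are substituted by clusterctl before the manifests are applied.
#
# Security notes for anyone reusing this template outside the e2e suite:
#   - The OCIClusterIdentity is pinned to ${CLUSTER_NAMESPACE}. Do not widen
#     `allowedNamespaces` unless every namespace of the management cluster is
#     trusted with the OCI user credentials held in the Secret below.
#   - SSH (22) and the public API endpoint (6443) default to 0.0.0.0/0 so the
#     tests can reach the cluster from anywhere; set OCI_SSH_SOURCE_CIDR and
#     OCI_API_SOURCE_CIDR to a bastion / CI egress range to narrow them.
#   - Block-volume in-transit encryption is off by default
#     (OCI_NODE_PV_TRANSIT_ENCRYPTION=false); not every shape supports it.
#   - The "Inbound East-West traffic" rules admit every protocol from the whole
#     VCN (10.0.0.0/16), so the port-specific intra-VCN rules that follow them
#     are documentation of intent rather than additional restriction.
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: ${CLUSTER_NAMESPACE}
  name: ${CLUSTER_NAMESPACE}
---
# Top-level CAPI Cluster: ties the OCNE control plane and the OCI
# infrastructure together and fixes the pod / service CIDRs.
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  labels:
    cluster.x-k8s.io/cluster-name: ${CLUSTER_NAME}
  name: ${CLUSTER_NAME}
  namespace: ${CLUSTER_NAMESPACE}
spec:
  clusterNetwork:
    pods:
      cidrBlocks:
        - ${POD_CIDR=192.168.0.0/16}
    serviceDomain: cluster.local
    services:
      cidrBlocks:
        - ${CLUSTER_CIDR=10.128.0.0/12}
  controlPlaneRef:
    apiVersion: controlplane.cluster.x-k8s.io/v1alpha1
    kind: OCNEControlPlane
    name: ${CLUSTER_NAME}-control-plane
    namespace: ${CLUSTER_NAMESPACE}
  infrastructureRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
    kind: OCICluster
    name: ${CLUSTER_NAME}
    namespace: ${CLUSTER_NAMESPACE}
---
# OCI user-principal credentials (tenancy, user, API signing key, fingerprint,
# region). All values arrive base64-encoded from the environment at render
# time; nothing secret is committed in this file. The private key is
# passphrase-less (`passphrase: ""`).
apiVersion: v1
kind: Secret
metadata:
  name: ${CLUSTER_NAME}-user-credentials
  namespace: ${CLUSTER_NAMESPACE}
type: Opaque
data:
  tenancy: ${OCI_TENANCY_ID_B64}
  user: ${OCI_USER_ID_B64}
  key: ${OCI_CREDENTIALS_KEY_B64}
  fingerprint: ${OCI_CREDENTIALS_FINGERPRINT_B64}
  passphrase: ""
  region: ${OCI_REGION_B64}
---
# Identity the OCI infrastructure provider uses to call OCI for this cluster.
# `allowedNamespaces` is restricted to the cluster's own namespace: in the
# provider's identity semantics an empty object (`{}`) lets an OCICluster in
# *any* namespace of the management cluster borrow these credentials.
# NOTE(review): field names follow the CAPOCI OCIClusterIdentity API
# (`allowedNamespaces.list`); confirm against the provider version in use.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: OCIClusterIdentity
metadata:
  name: ${CLUSTER_NAME}-cluster-identity
  namespace: ${CLUSTER_NAMESPACE}
spec:
  type: UserPrincipal
  principalSecret:
    name: ${CLUSTER_NAME}-user-credentials
    namespace: ${CLUSTER_NAMESPACE}
  allowedNamespaces:
    list:
      - ${CLUSTER_NAMESPACE}
---
# OCI infrastructure: a fresh 10.0.0.0/16 VCN with four subnets and one
# network security group (NSG) per subnet role.
#
#   role                    subnet          type
#   control-plane-endpoint  10.0.0.8/29     public   (API load balancer)
#   control-plane           10.0.0.0/29     private
#   service-lb              10.0.0.32/27    public   (Service LoadBalancers)
#   worker                  10.0.64.0/20    private
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: OCICluster
metadata:
  labels:
    cluster.x-k8s.io/cluster-name: ${CLUSTER_NAME}
  name: ${CLUSTER_NAME}
  namespace: ${CLUSTER_NAMESPACE}
spec:
  compartmentId: ${OCI_COMPARTMENT_ID}
  identityRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
    kind: OCIClusterIdentity
    name: ${CLUSTER_NAME}-cluster-identity
    namespace: ${CLUSTER_NAMESPACE}
  networkSpec:
    vcn:
      name: ${CLUSTER_NAME}
      cidr: "10.0.0.0/16"
      networkSecurityGroup:
        list:
          # --- API endpoint load balancer -------------------------------
          - name: ocne-control-plane-endpoint
            role: control-plane-endpoint
            egressRules:
              - egressRule:
                  description: Kubernetes API traffic to Control Plane
                  destination: 10.0.0.0/29
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: "6"
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
            ingressRules:
              # Public entry point for kubectl / the e2e runner. Defaults to
              # the whole internet; override OCI_API_SOURCE_CIDR to restrict
              # it to the ranges that actually need the API server.
              - ingressRule:
                  description: External access to Kubernetes API endpoint
                  isStateless: false
                  protocol: "6"
                  source: ${OCI_API_SOURCE_CIDR=0.0.0.0/0}
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
              # ICMP type 3 / code 4 ("fragmentation needed") so path-MTU
              # discovery works inside the VCN.
              - ingressRule:
                  description: ICMP Path discovery
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
          # --- control-plane nodes --------------------------------------
          - name: ocne-control-plane
            role: control-plane
            egressRules:
              - egressRule:
                  description: Control Plane access to Internet
                  destination: 0.0.0.0/0
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: all
            ingressRules:
              # Admits every protocol from anywhere in the VCN; the
              # per-port rules below are subsumed by this one.
              - ingressRule:
                  description: Inbound East-West traffic
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
                  isStateless: false
                  protocol: all
              - ingressRule:
                  description: Kubernetes API endpoint to Control Plane(apiserver port) communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.8/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
              - ingressRule:
                  description: Control plane node to Control Plane(apiserver port) communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
              - ingressRule:
                  description: Worker Node to Control Plane(apiserver port) communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
              # etcd is reachable only from the control-plane subnet.
              - ingressRule:
                  description: etcd client communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 2379
                      min: 2379
              - ingressRule:
                  description: etcd peer
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 2380
                      min: 2380
              - ingressRule:
                  description: Calico networking (BGP)
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 179
                      min: 179
              - ingressRule:
                  description: Calico networking (BGP)
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 179
                      min: 179
              # Protocol 4 = IP-in-IP (Calico overlay).
              - ingressRule:
                  description: Calico networking with IP-in-IP enabled
                  isStateless: false
                  protocol: "4"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
              - ingressRule:
                  description: Calico networking with IP-in-IP enabled
                  isStateless: false
                  protocol: "4"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
              - ingressRule:
                  description: Path discovery
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
              # The subnet is private, so this is only reachable through a
              # bastion / NAT path; still, narrow OCI_SSH_SOURCE_CIDR to that
              # path rather than leaving the NSG at 0.0.0.0/0.
              - ingressRule:
                  description: Inbound SSH traffic to Control Plane
                  isStateless: false
                  protocol: "6"
                  source: ${OCI_SSH_SOURCE_CIDR=0.0.0.0/0}
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 22
                      min: 22
              - ingressRule:
                  description: Control Plane to Control Plane Kubelet Communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 10250
                      min: 10250
          # --- worker nodes ----------------------------------------------
          - name: ocne-worker
            role: worker
            egressRules:
              - egressRule:
                  description: Worker node access to Internet
                  destination: 0.0.0.0/0
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: all
            ingressRules:
              # Admits every protocol from anywhere in the VCN; the
              # per-port rules below are subsumed by this one.
              - ingressRule:
                  description: Inbound East-West traffic
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
                  isStateless: false
                  protocol: all
              # Same caveat as the control-plane SSH rule above.
              - ingressRule:
                  description: Inbound SSH traffic to worker node
                  isStateless: false
                  protocol: "6"
                  source: ${OCI_SSH_SOURCE_CIDR=0.0.0.0/0}
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 22
                      min: 22
              - ingressRule:
                  description: Path discovery
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
              - ingressRule:
                  description: Control Plane to worker node Kubelet Communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 10250
                      min: 10250
              - ingressRule:
                  description: Worker node to worker node Kubelet Communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 10250
                      min: 10250
              - ingressRule:
                  description: Calico networking (BGP)
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 179
                      min: 179
              - ingressRule:
                  description: Calico networking (BGP)
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 179
                      min: 179
              - ingressRule:
                  description: Calico networking with IP-in-IP enabled
                  isStateless: false
                  protocol: "4"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
              - ingressRule:
                  description: Calico networking with IP-in-IP enabled
                  isStateless: false
                  protocol: "4"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
              - ingressRule:
                  description: Worker node to default NodePort ingress communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 32767
                      min: 30000
          # --- Service type=LoadBalancer subnet -------------------------
          - name: ocne-service-lb
            role: service-lb
            egressRules:
              - egressRule:
                  description: Service LoadBalancer to default NodePort egress communication
                  destination: 10.0.64.0/20
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: "6"
                  tcpOptions:
                    destinationPortRange:
                      max: 32767
                      min: 30000
            ingressRules:
              - ingressRule:
                  description: Path discovery
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
              # Public 80/443 for workload ingress; intentionally internet-facing.
              - ingressRule:
                  description: Accept http traffic on port 80
                  isStateless: false
                  protocol: "6"
                  source: 0.0.0.0/0
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 80
                      min: 80
              - ingressRule:
                  description: Accept https traffic on port 443
                  isStateless: false
                  protocol: "6"
                  source: 0.0.0.0/0
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 443
                      min: 443
      subnets:
        - cidr: 10.0.0.8/29
          name: ocne-control-plane-endpoint
          role: control-plane-endpoint
          type: public
        - cidr: 10.0.0.0/29
          name: ocne-control-plane
          role: control-plane
          type: private
        - cidr: 10.0.0.32/27
          name: ocne-service-lb
          role: service-lb
          type: public
        - cidr: 10.0.64.0/20
          name: ocne-worker
          role: worker
          type: private
---
# OCNE control plane. Also installs the Verrazzano platform operator (VPO)
# into the workload cluster, pulling from ${VPO_IMAGE}:${VPO_TAG} with the
# named image pull secret. Node images come from the OCNE registry path.
apiVersion: controlplane.cluster.x-k8s.io/v1alpha1
kind: OCNEControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: ${CLUSTER_NAMESPACE}
spec:
  moduleOperator:
    enabled: true
  verrazzanoPlatformOperator:
    enabled: true
    imagePullSecrets:
      - name: ${IMAGE_PULL_SECRET=verrazzano-container-registry}
    image:
      repository: ${VPO_IMAGE}
      tag: ${VPO_TAG}
  controlPlaneConfig:
    clusterConfiguration:
      apiServer:
        # Extra SANs for the API server cert so local (on-node) clients can
        # verify it; the public endpoint SAN is handled by the provider.
        certSANs:
          - localhost
          - 127.0.0.1
      dns:
        imageRepository: ${OCNE_IMAGE_REPOSITORY=container-registry.oracle.com}/${OCNE_IMAGE_PATH=olcne}
        imageTag: ${DNS_TAG=v1.9.3}
      etcd:
        local:
          imageRepository: ${OCNE_IMAGE_REPOSITORY=container-registry.oracle.com}/${OCNE_IMAGE_PATH=olcne}
          imageTag: ${ETCD_TAG=3.5.6}
      networking: {}
      scheduler: {}
      imageRepository: ${OCNE_IMAGE_REPOSITORY=container-registry.oracle.com}/${OCNE_IMAGE_PATH=olcne}
    # CRI-O socket and the external OCI cloud provider; provider-id is
    # rendered from the cloud-init datasource instance id.
    initConfiguration:
      nodeRegistration:
        criSocket: /var/run/crio/crio.sock
        kubeletExtraArgs:
          cloud-provider: external
          provider-id: oci://{{ ds["id"] }}
    joinConfiguration:
      discovery: {}
      nodeRegistration:
        criSocket: /var/run/crio/crio.sock
        kubeletExtraArgs:
          cloud-provider: external
          provider-id: oci://{{ ds["id"] }}
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
      kind: OCIMachineTemplate
      name: ${CLUSTER_NAME}-control-plane
      namespace: ${CLUSTER_NAMESPACE}
  replicas: ${CONTROL_PLANE_MACHINE_COUNT=1}
  version: ${KUBERNETES_VERSION=v1.25.7}
---
# Control-plane machine shape. `ssh_authorized_keys` lands in instance
# metadata, which is readable by any process on the instance; the key is
# public material only, but keep that in mind when choosing which key to use.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: OCIMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: ${CLUSTER_NAMESPACE}
spec:
  template:
    spec:
      bootVolumeSizeInGBs: "${OCI_NODE_BOOT_VOLUME=100}"
      compartmentId: ${OCI_COMPARTMENT_ID}
      imageId: ${OCI_IMAGE_ID}
      # Off by default; enable where the shape supports it.
      isPvEncryptionInTransitEnabled: ${OCI_NODE_PV_TRANSIT_ENCRYPTION=false}
      metadata:
        ssh_authorized_keys: ${OCI_SSH_KEY}
      shape: ${OCI_NODE_MACHINE_TYPE=VM.Standard.E4.Flex}
      shapeConfig:
        ocpus: "${OCI_NODE_MACHINE_TYPE_OCPUS=4}"
        memoryInGBs: "${OCI_NODE_MACHINE_MEMORY_GBS=80}"
---
# Worker machine shape; identical to the control-plane template so the two
# can be tuned independently later without touching the control plane.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: OCIMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: ${CLUSTER_NAMESPACE}
spec:
  template:
    spec:
      bootVolumeSizeInGBs: "${OCI_NODE_BOOT_VOLUME=100}"
      compartmentId: ${OCI_COMPARTMENT_ID}
      imageId: ${OCI_IMAGE_ID}
      # Off by default; enable where the shape supports it.
      isPvEncryptionInTransitEnabled: ${OCI_NODE_PV_TRANSIT_ENCRYPTION=false}
      metadata:
        ssh_authorized_keys: ${OCI_SSH_KEY}
      shape: ${OCI_NODE_MACHINE_TYPE=VM.Standard.E4.Flex}
      shapeConfig:
        ocpus: "${OCI_NODE_MACHINE_TYPE_OCPUS=4}"
        memoryInGBs: "${OCI_NODE_MACHINE_MEMORY_GBS=80}"
---
# Bootstrap config for worker nodes joining the cluster.
apiVersion: bootstrap.cluster.x-k8s.io/v1alpha1
kind: OCNEConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: ${CLUSTER_NAMESPACE}
spec:
  template:
    spec:
      clusterConfiguration:
        imageRepository: ${OCNE_IMAGE_REPOSITORY=container-registry.oracle.com}/${OCNE_IMAGE_PATH=olcne}
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            cloud-provider: external
            provider-id: oci://{{ ds["id"] }}
---
# Worker MachineDeployment. `selector.matchLabels: null` leaves label
# selection to the CAPI controller's defaults.
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachineDeployment
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: ${CLUSTER_NAMESPACE}
spec:
  clusterName: ${CLUSTER_NAME}
  replicas: ${NODE_MACHINE_COUNT=1}
  selector:
    matchLabels: null
  template:
    spec:
      bootstrap:
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1alpha1
          kind: OCNEConfigTemplate
          name: ${CLUSTER_NAME}-md-0
      clusterName: ${CLUSTER_NAME}
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
        kind: OCIMachineTemplate
        name: ${CLUSTER_NAME}-md-0
      version: ${KUBERNETES_VERSION=v1.25.7}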