/*
Copyright 2021 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Package upstreamv1beta3 holds the kubeadm v1beta3 configuration API types
// (InitConfiguration, ClusterConfiguration, JoinConfiguration and the types
// they are composed of). Several fields carry secrets (bootstrap tokens,
// the certificate encryption key); those are called out on the field itself.
package upstreamv1beta3

import (
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// InitConfiguration contains a list of elements that is specific "kubeadm init"-only runtime
// information.
type InitConfiguration struct {
	metav1.TypeMeta `json:",inline"`

	// `kubeadm init`-only information. These fields are solely used the first time `kubeadm init` runs.
	// After that, the information in the fields IS NOT uploaded to the `kubeadm-config` ConfigMap
	// that is used by `kubeadm upgrade` for instance. These fields must be omitempty.

	// BootstrapTokens is respected at `kubeadm init` time and describes a set of Bootstrap Tokens to create.
	// This information IS NOT uploaded to the kubeadm cluster configmap, partly because of its sensitive nature
	// +optional
	BootstrapTokens []BootstrapToken `json:"bootstrapTokens,omitempty"`

	// NodeRegistration holds fields that relate to registering the new control-plane node to the cluster
	// +optional
	NodeRegistration NodeRegistrationOptions `json:"nodeRegistration,omitempty"`

	// LocalAPIEndpoint represents the endpoint of the API server instance that's deployed on this control plane node
	// In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint in the sense that ControlPlaneEndpoint
	// is the global endpoint for the cluster, which then loadbalances the requests to each individual API server. This
	// configuration object lets you customize what IP/DNS name and port the local API server advertises it's accessible
	// on. By default, kubeadm tries to auto-detect the IP of the default interface and use that, but in case that process
	// fails you may set the desired value here.
	// +optional
	LocalAPIEndpoint APIEndpoint `json:"localAPIEndpoint,omitempty"`

	// CertificateKey sets the key with which certificates and keys are encrypted prior to being uploaded in
	// a secret in the cluster during the uploadcerts init phase.
	// Treat this value as a secret: anyone holding it can decrypt the uploaded certificates and keys.
	// Note that, unlike the token fields in this package, it carries no datapolicy tag, so log-sanitization
	// tooling will not redact it on its own.
	// +optional
	CertificateKey string `json:"certificateKey,omitempty"`

	// SkipPhases is a list of phases to skip during command execution.
	// The list of phases can be obtained with the "kubeadm init --help" command.
	// The flag "--skip-phases" takes precedence over this field.
	// +optional
	SkipPhases []string `json:"skipPhases,omitempty"`

	// Patches contains options related to applying patches to components deployed by kubeadm during
	// "kubeadm init". The minimum kubernetes version needed to support Patches is v1.22
	// +optional
	Patches *Patches `json:"patches,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterConfiguration contains cluster-wide configuration for a kubeadm cluster.
type ClusterConfiguration struct {
	metav1.TypeMeta `json:",inline"`

	// Etcd holds configuration for etcd.
	// +optional
	Etcd Etcd `json:"etcd,omitempty"`

	// Networking holds configuration for the networking topology of the cluster.
	// +optional
	Networking Networking `json:"networking,omitempty"`

	// KubernetesVersion is the target version of the control plane.
	// +optional
	KubernetesVersion string `json:"kubernetesVersion,omitempty"`

	// ControlPlaneEndpoint sets a stable IP address or DNS name for the control plane; it
	// can be a valid IP address or a RFC-1123 DNS subdomain, both with optional TCP port.
	// In case the ControlPlaneEndpoint is not specified, the AdvertiseAddress + BindPort
	// are used; in case the ControlPlaneEndpoint is specified but without a TCP port,
	// the BindPort is used.
	// Possible usages are:
	// e.g. In a cluster with more than one control plane instances, this field should be
	// assigned the address of the external load balancer in front of the
	// control plane instances.
	// e.g. in environments with enforced node recycling, the ControlPlaneEndpoint
	// could be used for assigning a stable DNS to the control plane.
	// +optional
	ControlPlaneEndpoint string `json:"controlPlaneEndpoint,omitempty"`

	// APIServer contains extra settings for the API server control plane component
	// +optional
	APIServer APIServer `json:"apiServer,omitempty"`

	// ControllerManager contains extra settings for the controller manager control plane component
	// +optional
	ControllerManager ControlPlaneComponent `json:"controllerManager,omitempty"`

	// Scheduler contains extra settings for the scheduler control plane component
	// +optional
	Scheduler ControlPlaneComponent `json:"scheduler,omitempty"`

	// DNS defines the options for the DNS add-on installed in the cluster.
	// +optional
	DNS DNS `json:"dns,omitempty"`

	// CertificatesDir specifies where to store or look for all required certificates.
	// +optional
	CertificatesDir string `json:"certificatesDir,omitempty"`

	// ImageRepository sets the container registry to pull images from.
	// If empty, `registry.k8s.io` will be used by default; in case of kubernetes version is a CI build (kubernetes version starts with `ci/` or `ci-cross/`)
	// `gcr.io/k8s-staging-ci-images` will be used as a default for control plane components and for kube-proxy, while `registry.k8s.io`
	// will be used for all the other images.
	// Whatever registry is named here becomes the trust anchor for the control plane images,
	// so it is part of the cluster's supply-chain boundary.
	// +optional
	ImageRepository string `json:"imageRepository,omitempty"`

	// FeatureGates enabled by the user.
	// +optional
	FeatureGates map[string]bool `json:"featureGates,omitempty"`

	// The cluster name
	// +optional
	ClusterName string `json:"clusterName,omitempty"`
}

// ControlPlaneComponent holds settings common to control plane component of the cluster.
type ControlPlaneComponent struct {
	// ExtraArgs is an extra set of flags to pass to the control plane component.
	// TODO: This is temporary and ideally we would like to switch all components to
	// use ComponentConfig + ConfigMaps.
	// +optional
	ExtraArgs map[string]string `json:"extraArgs,omitempty"`

	// ExtraVolumes is an extra set of host volumes, mounted to the control plane component.
	// +optional
	ExtraVolumes []HostPathMount `json:"extraVolumes,omitempty"`
}

// APIServer holds settings necessary for API server deployments in the cluster.
type APIServer struct {
	ControlPlaneComponent `json:",inline"`

	// CertSANs sets extra Subject Alternative Names for the API Server signing cert.
	// +optional
	CertSANs []string `json:"certSANs,omitempty"`

	// TimeoutForControlPlane controls the timeout that we use for API server to appear
	// +optional
	TimeoutForControlPlane *metav1.Duration `json:"timeoutForControlPlane,omitempty"`
}

// DNSAddOnType defines string identifying DNS add-on types.
type DNSAddOnType string

// DNS defines the DNS addon that should be used in the cluster.
type DNS struct {
	// ImageMeta allows to customize the image used for the DNS component
	ImageMeta `json:",inline"`
}

// ImageMeta allows to customize the image used for components that are not
// originated from the Kubernetes/Kubernetes release process.
type ImageMeta struct {
	// ImageRepository sets the container registry to pull images from.
	// if not set, the ImageRepository defined in ClusterConfiguration will be used instead.
	// +optional
	ImageRepository string `json:"imageRepository,omitempty"`

	// ImageTag allows to specify a tag for the image.
	// In case this value is set, kubeadm does not change automatically the version of the above components during upgrades.
	// +optional
	ImageTag string `json:"imageTag,omitempty"`

	// TODO: evaluate if we need also a ImageName based on user feedback
}

// APIEndpoint struct contains elements of API server instance deployed on a node.
type APIEndpoint struct {
	// AdvertiseAddress sets the IP address for the API server to advertise.
	// +optional
	AdvertiseAddress string `json:"advertiseAddress,omitempty"`

	// BindPort sets the secure port for the API Server to bind to.
	// Defaults to 6443.
	// +optional
	BindPort int32 `json:"bindPort,omitempty"`
}

// NodeRegistrationOptions holds fields that relate to registering a new control-plane or node to the cluster, either via "kubeadm init" or "kubeadm join".
type NodeRegistrationOptions struct {

	// Name is the `.Metadata.Name` field of the Node API object that will be created in this `kubeadm init` or `kubeadm join` operation.
	// This field is also used in the CommonName field of the kubelet's client certificate to the API server.
	// Defaults to the hostname of the node if not provided.
	// +optional
	Name string `json:"name,omitempty"`

	// CRISocket is used to retrieve container runtime info. This information will be annotated to the Node API object, for later re-use
	// +optional
	CRISocket string `json:"criSocket,omitempty"`

	// Taints specifies the taints the Node API object should be registered with. If this field is unset, i.e. nil, in the `kubeadm init` process
	// it will be defaulted to []v1.Taint{'node-role.kubernetes.io/master=""'}. If you don't want to taint your control-plane node, set this field to an
	// empty slice, i.e. `taints: []` in the YAML file. This field is solely used for Node registration.
	// Note the JSON tag has no omitempty, so nil and an empty slice serialize differently (`null` vs `[]`) and
	// are treated differently by kubeadm, as described above.
	Taints []corev1.Taint `json:"taints"`

	// KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file
	// kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config-1.X ConfigMap
	// Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.
	// +optional
	KubeletExtraArgs map[string]string `json:"kubeletExtraArgs,omitempty"`

	// IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered.
	// +optional
	IgnorePreflightErrors []string `json:"ignorePreflightErrors,omitempty"`

	// ImagePullPolicy specifies the policy for image pulling
	// during kubeadm "init" and "join" operations. The value of
	// this field must be one of "Always", "IfNotPresent" or
	// "Never". Defaults to "IfNotPresent".
	// +optional
	ImagePullPolicy string `json:"imagePullPolicy,omitempty"`
}

// Networking contains elements describing cluster's networking configuration.
type Networking struct {
	// ServiceSubnet is the subnet used by k8s services. Defaults to "10.96.0.0/12".
	// +optional
	ServiceSubnet string `json:"serviceSubnet,omitempty"`
	// PodSubnet is the subnet used by pods.
	// +optional
	PodSubnet string `json:"podSubnet,omitempty"`
	// DNSDomain is the dns domain used by k8s services. Defaults to "cluster.local".
	// +optional
	DNSDomain string `json:"dnsDomain,omitempty"`
}

// BootstrapToken describes one bootstrap token, stored as a Secret in the cluster.
type BootstrapToken struct {
	// Token is used for establishing bidirectional trust between nodes and control-planes.
	// Used for joining nodes in the cluster.
	// The `datapolicy:"token"` tag marks the value as sensitive for Kubernetes log-sanitization tooling.
	Token *BootstrapTokenString `json:"token" datapolicy:"token"`
	// Description sets a human-friendly message why this token exists and what it's used
	// for, so other administrators can know its purpose.
	// +optional
	Description string `json:"description,omitempty"`
	// TTL defines the time to live for this token. Defaults to 24h.
	// Expires and TTL are mutually exclusive.
	// +optional
	TTL *metav1.Duration `json:"ttl,omitempty"`
	// Expires specifies the timestamp when this token expires. Defaults to being set
	// dynamically at runtime based on the TTL. Expires and TTL are mutually exclusive.
	// +optional
	Expires *metav1.Time `json:"expires,omitempty"`
	// Usages describes the ways in which this token can be used. Can by default be used
	// for establishing bidirectional trust, but that can be changed here.
	// +optional
	Usages []string `json:"usages,omitempty"`
	// Groups specifies the extra groups that this token will authenticate as when/if
	// used for authentication. Every group listed here widens what a holder of the
	// token is authorized to do, so keep the list to what joining actually requires.
	// +optional
	Groups []string `json:"groups,omitempty"`
}

// Etcd contains elements describing Etcd configuration.
type Etcd struct {

	// Local provides configuration knobs for configuring the local etcd instance
	// Local and External are mutually exclusive
	// +optional
	Local *LocalEtcd `json:"local,omitempty"`

	// External describes how to connect to an external etcd cluster
	// Local and External are mutually exclusive
	// +optional
	External *ExternalEtcd `json:"external,omitempty"`
}

// LocalEtcd describes that kubeadm should run an etcd cluster locally.
type LocalEtcd struct {
	// ImageMeta allows to customize the container used for etcd
	ImageMeta `json:",inline"`

	// DataDir is the directory etcd will place its data.
	// Defaults to "/var/lib/etcd".
	DataDir string `json:"dataDir"`

	// ExtraArgs are extra arguments provided to the etcd binary
	// when run inside a static pod.
	// +optional
	ExtraArgs map[string]string `json:"extraArgs,omitempty"`

	// ServerCertSANs sets extra Subject Alternative Names for the etcd server signing cert.
	// +optional
	ServerCertSANs []string `json:"serverCertSANs,omitempty"`
	// PeerCertSANs sets extra Subject Alternative Names for the etcd peer signing cert.
	// +optional
	PeerCertSANs []string `json:"peerCertSANs,omitempty"`
}

// ExternalEtcd describes an external etcd cluster.
// Kubeadm has no knowledge of where certificate files live and they must be supplied.
type ExternalEtcd struct {
	// Endpoints of etcd members. Required for ExternalEtcd.
	Endpoints []string `json:"endpoints"`

	// CAFile is an SSL Certificate Authority file used to secure etcd communication.
	// Required if using a TLS connection.
	CAFile string `json:"caFile"`

	// CertFile is an SSL certification file used to secure etcd communication.
	// Required if using a TLS connection.
	CertFile string `json:"certFile"`

	// KeyFile is an SSL key file used to secure etcd communication.
	// Required if using a TLS connection.
	KeyFile string `json:"keyFile"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// JoinConfiguration contains elements describing a particular node.
type JoinConfiguration struct {
	metav1.TypeMeta `json:",inline"`

	// NodeRegistration holds fields that relate to registering the new control-plane node to the cluster
	// +optional
	NodeRegistration NodeRegistrationOptions `json:"nodeRegistration,omitempty"`

	// CACertPath is the path to the SSL certificate authority used to
	// secure communications between node and control-plane.
	// Defaults to "/etc/kubernetes/pki/ca.crt".
	// +optional
	CACertPath string `json:"caCertPath,omitempty"`

	// Discovery specifies the options for the kubelet to use during the TLS Bootstrap process
	Discovery Discovery `json:"discovery"`

	// ControlPlane defines the additional control plane instance to be deployed on the joining node.
	// If nil, no additional control plane instance will be deployed.
	// +optional
	ControlPlane *JoinControlPlane `json:"controlPlane,omitempty"`

	// SkipPhases is a list of phases to skip during command execution.
	// The list of phases can be obtained with the "kubeadm join --help" command.
	// The flag "--skip-phases" takes precedence over this field.
	// +optional
	SkipPhases []string `json:"skipPhases,omitempty"`

	// Patches contains options related to applying patches to components deployed by kubeadm during
	// "kubeadm join". The minimum kubernetes version needed to support Patches is v1.22
	// +optional
	Patches *Patches `json:"patches,omitempty"`
}

// JoinControlPlane contains elements describing an additional control plane instance to be deployed on the joining node.
type JoinControlPlane struct {
	// LocalAPIEndpoint represents the endpoint of the API server instance to be deployed on this node.
	// +optional
	LocalAPIEndpoint APIEndpoint `json:"localAPIEndpoint,omitempty"`

	// CertificateKey is the key that is used for decryption of certificates after they are downloaded from the secret
	// upon joining a new control plane node. The corresponding encryption key is in the InitConfiguration.
	// Treat this value as a secret; it is a plain string with no datapolicy tag, so it is not redacted by
	// log-sanitization tooling on its own.
	// +optional
	CertificateKey string `json:"certificateKey,omitempty"`
}

// Discovery specifies the options for the kubelet to use during the TLS Bootstrap process.
type Discovery struct {
	// BootstrapToken is used to set the options for bootstrap token based discovery
	// BootstrapToken and File are mutually exclusive
	// +optional
	BootstrapToken *BootstrapTokenDiscovery `json:"bootstrapToken,omitempty"`

	// File is used to specify a file or URL to a kubeconfig file from which to load cluster information
	// BootstrapToken and File are mutually exclusive
	// +optional
	File *FileDiscovery `json:"file,omitempty"`

	// TLSBootstrapToken is a token used for TLS bootstrapping.
	// If .BootstrapToken is set, this field is defaulted to .BootstrapToken.Token, but can be overridden.
	// If .File is set, this field **must be set** in case the KubeConfigFile does not contain any other authentication information
	// The `datapolicy:"token"` tag marks the value as sensitive for Kubernetes log-sanitization tooling.
	// +optional
	TLSBootstrapToken string `json:"tlsBootstrapToken,omitempty" datapolicy:"token"`

	// Timeout modifies the discovery timeout
	// +optional
	Timeout *metav1.Duration `json:"timeout,omitempty"`
}

// BootstrapTokenDiscovery is used to set the options for bootstrap token based discovery.
type BootstrapTokenDiscovery struct {
	// Token is a token used to validate cluster information
	// fetched from the control-plane.
	// The `datapolicy:"token"` tag marks the value as sensitive for Kubernetes log-sanitization tooling.
	Token string `json:"token" datapolicy:"token"`

	// APIServerEndpoint is an IP or domain name to the API server from which info will be fetched.
	// +optional
	APIServerEndpoint string `json:"apiServerEndpoint,omitempty"`

	// CACertHashes specifies a set of public key pins to verify
	// when token-based discovery is used. The root CA found during discovery
	// must match one of these values. Specifying an empty set disables root CA
	// pinning, which can be unsafe. Each hash is specified as "<type>:<value>",
	// where the only currently supported type is "sha256". This is a hex-encoded
	// SHA-256 hash of the Subject Public Key Info (SPKI) object in DER-encoded
	// ASN.1. These hashes can be calculated using, for example, OpenSSL.
	// These pins are what lets the joining node authenticate the control plane it is
	// about to trust; see UnsafeSkipCAVerification for the explicit opt-out.
	// +optional
	CACertHashes []string `json:"caCertHashes,omitempty" datapolicy:"security-key"`

	// UnsafeSkipCAVerification allows token-based discovery
	// without CA verification via CACertHashes. This can weaken
	// the security of kubeadm since other nodes can impersonate the control-plane.
	// The zero value (false) is the safe default.
	// +optional
	UnsafeSkipCAVerification bool `json:"unsafeSkipCAVerification,omitempty"`
}

// FileDiscovery is used to specify a file or URL to a kubeconfig file from which to load cluster information.
type FileDiscovery struct {
	// KubeConfigPath is used to specify the actual file path or URL to the kubeconfig file from which to load cluster information
	// When a URL is given, the cluster information is fetched remotely; the kubeconfig's own credentials, or
	// Discovery.TLSBootstrapToken, then supply the authentication for the TLS bootstrap.
	KubeConfigPath string `json:"kubeConfigPath"`
}

// HostPathMount contains elements describing volumes that are mounted from the
// host.
type HostPathMount struct {
	// Name of the volume inside the pod template.
	Name string `json:"name"`
	// HostPath is the path in the host that will be mounted inside
	// the pod. The component gains access to whatever lives under this path,
	// so keep it as narrow as the component needs.
	HostPath string `json:"hostPath"`
	// MountPath is the path inside the pod where hostPath will be mounted.
	MountPath string `json:"mountPath"`
	// ReadOnly controls write access to the volume
	// The zero value is false, so a mount is read-write unless this is set explicitly.
	// +optional
	ReadOnly bool `json:"readOnly,omitempty"`
	// PathType is the type of the HostPath.
	// +optional
	PathType corev1.HostPathType `json:"pathType,omitempty"`
}

// Patches contains options related to applying patches to components deployed by kubeadm.
type Patches struct {
	// Directory is a path to a directory that contains files named "target[suffix][+patchtype].extension".
	// For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "target" can be one of
	// "kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd". "patchtype" can be one
	// of "strategic" "merge" or "json" and they match the patch formats supported by kubectl.
	// The default "patchtype" is "strategic". "extension" must be either "json" or "yaml".
	// "suffix" is an optional string that can be used to determine which patches are applied
	// first alpha-numerically.
	// Files in this directory alter the control plane static pod manifests, so write access to it
	// is equivalent to control over those components.
	// +optional
	Directory string `json:"directory,omitempty"`
}