From 8ff1f3819725228f1901e791749b8686aa1d6e28 Mon Sep 17 00:00:00 2001 From: apoger Date: Thu, 24 Nov 2022 16:05:11 +0200 Subject: [PATCH 01/74] Refactor kind configuration file for testing with K8s-v1.25 (#2331) * Fix kind configuration file script Signed-off-by: Apostolos Gerakaris * tests: Refactor kind configuration file Have one file for the KinD configuration instead of version specific ones. Signed-off-by: Apostolos Gerakaris * workflows: Update GH Action workflows - Use the updated KinD configuration file - Trigger the workflows when Kind configuration file changes * Exclude Katib workflow. See: https://github.com/kubeflow/manifests/pull/2273#issuecomment-1233092205 * Exclude Kserve workflow, until we update Knative version to v1.8. See: https://github.com/kubeflow/manifests/issues/2325#issuecomment-1325718698 Signed-off-by: Apostolos Gerakaris 
Signed-off-by: Apostolos Gerakaris --- .github/workflows/centraldb_kind_test.yaml | 3 ++- .github/workflows/dex_kind_test.yaml | 3 ++- .github/workflows/jwa_kind_test.yaml | 3 ++- .github/workflows/katib_kind_test.yaml | 2 +- .github/workflows/kserve_kind_test.yaml | 2 +- .../workflows/nb_controller_kind_test.yaml | 3 ++- .github/workflows/pipeline_kind_test.yaml | 3 ++- .github/workflows/poddefaults_kind_test.yaml | 3 ++- .github/workflows/profiles_kind_test.yaml | 3 ++- .../workflows/tb_controller_kind_test.yaml | 3 ++- .../workflows/train_operator_kind_test.yaml | 3 ++- .github/workflows/twa_kind_test.yaml | 3 ++- .github/workflows/vwa_kind_test.yaml | 3 ++- tests/gh-actions/kind-cluster-1-20.yaml | 24 ------------------ tests/gh-actions/kind-cluster-1-21.yaml | 24 ------------------ tests/gh-actions/kind-cluster-1-22.yaml | 25 ------------------- ...nd-cluster-1.25.yaml => kind-cluster.yaml} | 0 17 files changed, 24 insertions(+), 86 deletions(-) delete mode 100644 tests/gh-actions/kind-cluster-1-20.yaml delete mode 100644 tests/gh-actions/kind-cluster-1-21.yaml delete mode 100644 tests/gh-actions/kind-cluster-1-22.yaml rename tests/gh-actions/{kind-cluster-1.25.yaml => kind-cluster.yaml} (100%) diff --git a/.github/workflows/centraldb_kind_test.yaml b/.github/workflows/centraldb_kind_test.yaml index f87edafd7e..14ce046bfa 100644 --- a/.github/workflows/centraldb_kind_test.yaml +++ b/.github/workflows/centraldb_kind_test.yaml @@ -3,6 +3,7 @@ on: pull_request: paths: - apps/centraldashboard/upstream/** + - tests/gh-actions/kind-cluster.yaml jobs: build: @@ -15,7 +16,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh 
diff --git a/.github/workflows/dex_kind_test.yaml b/.github/workflows/dex_kind_test.yaml index a978db0753..bcb72ca78c 100644 --- a/.github/workflows/dex_kind_test.yaml +++ b/.github/workflows/dex_kind_test.yaml @@ -3,6 +3,7 @@ on: pull_request: paths: - common/dex/base/** + - tests/gh-actions/kind-cluster.yaml jobs: build: @@ -15,7 +16,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh diff --git a/.github/workflows/jwa_kind_test.yaml b/.github/workflows/jwa_kind_test.yaml index d97def7880..ad3f133e8b 100644 --- a/.github/workflows/jwa_kind_test.yaml +++ b/.github/workflows/jwa_kind_test.yaml @@ -3,6 +3,7 @@ on: pull_request: paths: - apps/jupyter/jupyter-web-app/upstream/** + - tests/gh-actions/kind-cluster.yaml jobs: build: @@ -15,7 +16,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh diff --git a/.github/workflows/katib_kind_test.yaml b/.github/workflows/katib_kind_test.yaml index 9cc7585e34..add691c114 100644 --- a/.github/workflows/katib_kind_test.yaml +++ b/.github/workflows/katib_kind_test.yaml @@ -15,7 +15,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh diff --git a/.github/workflows/kserve_kind_test.yaml b/.github/workflows/kserve_kind_test.yaml index dc99df411a..7cded58547 100644 --- a/.github/workflows/kserve_kind_test.yaml 
+++ b/.github/workflows/kserve_kind_test.yaml @@ -15,7 +15,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh diff --git a/.github/workflows/nb_controller_kind_test.yaml b/.github/workflows/nb_controller_kind_test.yaml index c4f89c770c..dcc46674a0 100644 --- a/.github/workflows/nb_controller_kind_test.yaml +++ b/.github/workflows/nb_controller_kind_test.yaml @@ -3,6 +3,7 @@ on: pull_request: paths: - apps/jupyter/notebook-controller/upstream/** + - tests/gh-actions/kind-cluster.yaml jobs: build: @@ -15,7 +16,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh diff --git a/.github/workflows/pipeline_kind_test.yaml b/.github/workflows/pipeline_kind_test.yaml index f3abd84227..cbdae9330b 100644 --- a/.github/workflows/pipeline_kind_test.yaml +++ b/.github/workflows/pipeline_kind_test.yaml @@ -3,6 +3,7 @@ on: pull_request: paths: - apps/pipeline/upstream/** + - tests/gh-actions/kind-cluster.yaml jobs: build: @@ -15,7 +16,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh diff --git a/.github/workflows/poddefaults_kind_test.yaml b/.github/workflows/poddefaults_kind_test.yaml index 4afe44d2bb..073779fd4f 100644 --- a/.github/workflows/poddefaults_kind_test.yaml +++ b/.github/workflows/poddefaults_kind_test.yaml 
@@ -3,6 +3,7 @@ on: pull_request: paths: - apps/admission-webhook/upstream/** + - tests/gh-actions/kind-cluster.yaml jobs: build: @@ -15,7 +16,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh diff --git a/.github/workflows/profiles_kind_test.yaml b/.github/workflows/profiles_kind_test.yaml index 434e49fc59..66cf038cba 100644 --- a/.github/workflows/profiles_kind_test.yaml +++ b/.github/workflows/profiles_kind_test.yaml @@ -3,6 +3,7 @@ on: pull_request: paths: - apps/profiles/upstream/** + - tests/gh-actions/kind-cluster.yaml jobs: build: @@ -15,7 +16,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh diff --git a/.github/workflows/tb_controller_kind_test.yaml b/.github/workflows/tb_controller_kind_test.yaml index 897e5adb7b..39e1704e3c 100644 --- a/.github/workflows/tb_controller_kind_test.yaml +++ b/.github/workflows/tb_controller_kind_test.yaml @@ -3,6 +3,7 @@ on: pull_request: paths: - apps/tensorboard/tensorboard-controller/upstream/** + - tests/gh-actions/kind-cluster.yaml jobs: build: @@ -15,7 +16,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh diff --git a/.github/workflows/train_operator_kind_test.yaml b/.github/workflows/train_operator_kind_test.yaml index cce827f511..ec7f488301 100644 
--- a/.github/workflows/train_operator_kind_test.yaml +++ b/.github/workflows/train_operator_kind_test.yaml @@ -3,6 +3,7 @@ on: pull_request: paths: - apps/training-operator/upstream/** + - tests/gh-actions/kind-cluster.yaml jobs: build: @@ -15,7 +16,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh diff --git a/.github/workflows/twa_kind_test.yaml b/.github/workflows/twa_kind_test.yaml index 2236cf7448..6ac181bee7 100644 --- a/.github/workflows/twa_kind_test.yaml +++ b/.github/workflows/twa_kind_test.yaml @@ -3,6 +3,7 @@ on: pull_request: paths: - apps/tensorboard/tensorboards-web-app/upstream/** + - tests/gh-actions/kind-cluster.yaml jobs: build: @@ -15,7 +16,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh diff --git a/.github/workflows/vwa_kind_test.yaml b/.github/workflows/vwa_kind_test.yaml index 28e1180469..80dda1266e 100644 --- a/.github/workflows/vwa_kind_test.yaml +++ b/.github/workflows/vwa_kind_test.yaml @@ -3,6 +3,7 @@ on: pull_request: paths: - apps/volumes-web-app/upstream/** + - tests/gh-actions/kind-cluster.yaml jobs: build: @@ -15,7 +16,7 @@ jobs: run: ./tests/gh-actions/install_kind.sh - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster-1-25.yaml + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - name: Install kustomize run: ./tests/gh-actions/install_kustomize.sh 
diff --git a/tests/gh-actions/kind-cluster-1-20.yaml b/tests/gh-actions/kind-cluster-1-20.yaml deleted file mode 100644 index 06d3b7d35b..0000000000 --- a/tests/gh-actions/kind-cluster-1-20.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# https://github.com/kubernetes-sigs/kind/issues/1954#issuecomment-737775492 -# https://github.com/istio/istio/blob/e02690fbfb8bda564582b27d22d9e8e6e00422a5/prow/config/trustworthy-jwt.yaml#L1-L13 -# This configs KinD to spin up a k8s cluster with trustworthy jwt (Service Account Token Volume Projection) feature. -# This configuration file should work with KinD v0.14.0 -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -name: manifests-1-20 -nodes: -- role: control-plane - image: kindest/node:v1.20.15@sha256:6f2d011dffe182bad80b85f6c00e8ca9d86b5b8922cdf433d53575c4c5212248 -- role: worker - image: kindest/node:v1.20.15@sha256:6f2d011dffe182bad80b85f6c00e8ca9d86b5b8922cdf433d53575c4c5212248 -- role: worker - image: kindest/node:v1.20.15@sha256:6f2d011dffe182bad80b85f6c00e8ca9d86b5b8922cdf433d53575c4c5212248 -kubeadmConfigPatches: - - | - apiVersion: kubeadm.k8s.io/v1beta2 - kind: ClusterConfiguration - metadata: - name: config - apiServer: - extraArgs: - "service-account-issuer": "kubernetes.default.svc" - "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" diff --git a/tests/gh-actions/kind-cluster-1-21.yaml b/tests/gh-actions/kind-cluster-1-21.yaml deleted file mode 100644 index 90e83236b0..0000000000 --- a/tests/gh-actions/kind-cluster-1-21.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -# https://github.com/kubernetes-sigs/kind/issues/1954#issuecomment-737775492 -# https://github.com/istio/istio/blob/e02690fbfb8bda564582b27d22d9e8e6e00422a5/prow/config/trustworthy-jwt.yaml#L1-L13 -# This configs KinD to spin up a k8s cluster with trustworthy jwt (Service Account Token Volume Projection) feature. -# This configuration file should work with KinD v0.14.0 -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -name: manifests-1-21 -nodes: -- role: control-plane - image: kindest/node:v1.21.12@sha256:f316b33dd88f8196379f38feb80545ef3ed44d9197dca1bfd48bcb1583210207 -- role: worker - image: kindest/node:v1.21.12@sha256:f316b33dd88f8196379f38feb80545ef3ed44d9197dca1bfd48bcb1583210207 -- role: worker - image: kindest/node:v1.21.12@sha256:f316b33dd88f8196379f38feb80545ef3ed44d9197dca1bfd48bcb1583210207 -kubeadmConfigPatches: - - | - apiVersion: kubeadm.k8s.io/v1beta2 - kind: ClusterConfiguration - metadata: - name: config - apiServer: - extraArgs: - "service-account-issuer": "kubernetes.default.svc" - "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" diff --git a/tests/gh-actions/kind-cluster-1-22.yaml b/tests/gh-actions/kind-cluster-1-22.yaml deleted file mode 100644 index 8986db2d58..0000000000 --- a/tests/gh-actions/kind-cluster-1-22.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# This configuration file should work with KinD v0.14.0 -apiVersion: kind.x-k8s.io/v1alpha4 -kind: Cluster -# Configure registry for KinD. -containerdConfigPatches: -- |- - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."$REGISTRY_NAME:$REGISTRY_PORT"] - endpoint = ["http://$REGISTRY_NAME:$REGISTRY_PORT"] -# This is needed in order to support projected volumes with service account tokens. -# See: https://kubernetes.slack.com/archives/CEKK1KTN2/p1600268272383600 -kubeadmConfigPatches: - - | - apiVersion: kubeadm.k8s.io/v1beta2 - kind: ClusterConfiguration - metadata: - name: config - apiServer: - extraArgs: - "service-account-issuer": "kubernetes.default.svc" - "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" -nodes: -- role: control-plane - image: kindest/node:v1.22.9@sha256:8135260b959dfe320206eb36b3aeda9cffcb262f4b44cda6b33f7bb73f453105 -- role: worker - image: kindest/node:v1.22.9@sha256:8135260b959dfe320206eb36b3aeda9cffcb262f4b44cda6b33f7bb73f453105 diff --git a/tests/gh-actions/kind-cluster-1.25.yaml b/tests/gh-actions/kind-cluster.yaml similarity index 100% rename from tests/gh-actions/kind-cluster-1.25.yaml rename to tests/gh-actions/kind-cluster.yaml From 08228090334c0a0d32e8945d0aa4dc356d95bc74 Mon Sep 17 00:00:00 2001 From: apoger Date: Thu, 24 Nov 2022 16:22:10 +0200 Subject: [PATCH 02/74] common: Add Istio v1.16.0 manifests (#2327) * common: Add Istio v1.16.0 manifests Signed-off-by: Apostolos Gerakaris * Update kustomization file in example to deploy istio-1-16 Signed-off-by: Apostolos Gerakaris * tests: Update install Istio GH action script Use Istio 1.16 for testing 
Signed-off-by: Apostolos Gerakaris * common: Remove PodDisruptionBudget resources for Istio Istio 1.16.0 generated manifests include some policy/v1 PodDisruptionBudget resources that we need to remove. See: - https://github.com/istio/istio/issues/12602 - https://github.com/istio/istio/issues/24000 The current manifests utilize two "delete" patches: - common/istio-1-16/istio-install/base/patches/remove-pdb.yaml - common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml However these patches do not work with kustomize v3.2.0. The root cause is that v3.2.0 doesn't have the appropriate openapi schema for the policy/v1 API version resources. This is fixed in kustomize v4+. See: - https://github.com/kubernetes-sigs/kustomize/issues/3694#issuecomment-799700607 - https://github.com/kubernetes-sigs/kustomize/issues/4495 Changes: - We disable the delete patches until we upgrade to kustomize v4+. - tracked in: https://github.com/kubeflow/manifests/issues/1797 - As a temporary workaround we remove PodDisruptionBudget resources manually with yq before deploying Istio manifests. - Update README file with instructions. Refs: kubeflow/manifests#2325 Signed-off-by: Apostolos Gerakaris * Update README Use the --cluster-specific flag when generating Istio 1.16 manifests for K8s-1.25. See: * https://github.com/istio/istio/issues/41220 Signed-off-by: Apostolos Gerakaris * tests: Update GH Action workflows Trigger the workflows when the Istio version changes Signed-off-by: Apostolos Gerakaris 
Signed-off-by: Apostolos Gerakaris --- .github/workflows/centraldb_kind_test.yaml | 1 + .github/workflows/dex_kind_test.yaml | 1 + .github/workflows/jwa_kind_test.yaml | 4 + .../workflows/nb_controller_kind_test.yaml | 1 + .github/workflows/pipeline_kind_test.yaml | 1 + .github/workflows/poddefaults_kind_test.yaml | 1 + .github/workflows/profiles_kind_test.yaml | 1 + .../workflows/tb_controller_kind_test.yaml | 1 + .../workflows/train_operator_kind_test.yaml | 1 + .github/workflows/twa_kind_test.yaml | 4 + .github/workflows/vwa_kind_test.yaml | 1 + .../base/cluster-local-gateway.yaml | 339 -- common/{istio-1-14 => istio-1-16}/README.md | 33 +- .../base/cluster-local-gateway.yaml | 286 ++ .../base/gateway-authorizationpolicy.yaml | 0 .../cluster-local-gateway/base/gateway.yaml | 0 .../base/kustomization.yaml | 6 +- .../base/patches/remove-pdb.yaml | 4 +- .../istio-crds/base/crd.yaml | 1165 +++-- .../istio-crds/base/kustomization.yaml | 0 .../base/deny_all_authorizationpolicy.yaml | 0 .../istio-install/base/gateway.yaml | 0 .../base/gateway_authorizationpolicy.yaml | 0 .../istio-install/base/install.yaml | 3755 ++++++++--------- .../istio-install/base/kustomization.yaml | 12 +- .../istio-configmap-disable-tracing.yaml | 0 .../base/patches/remove-pdb.yaml | 5 +- .../istio-install/base/patches/service.yaml | 0 .../istio-install/base/x-forwarded-host.yaml | 0 .../istio-namespace/base/kustomization.yaml | 0 .../istio-namespace/base/namespace.yaml | 0 .../base/cluster-roles.yaml | 0 .../base/kf-istio-resources.yaml | 0 .../base/kustomization.yaml | 0 .../profile-overlay.yaml | 0 .../{istio-1-14 => istio-1-16}/profile.yaml | 15 +- .../split-istio-packages | 0 example/kustomization.yaml | 10 +- tests/gh-actions/install_istio.sh | 2 +- 39 files changed, 2903 insertions(+), 2746 deletions(-) delete mode 100644 common/istio-1-14/cluster-local-gateway/base/cluster-local-gateway.yaml rename common/{istio-1-14 => istio-1-16}/README.md (64%) create mode 100644 
common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml rename common/{istio-1-14 => istio-1-16}/cluster-local-gateway/base/gateway-authorizationpolicy.yaml (100%) rename common/{istio-1-14 => istio-1-16}/cluster-local-gateway/base/gateway.yaml (100%) rename common/{istio-1-14 => istio-1-16}/cluster-local-gateway/base/kustomization.yaml (55%) rename common/{istio-1-14 => istio-1-16}/cluster-local-gateway/base/patches/remove-pdb.yaml (60%) rename common/{istio-1-14 => istio-1-16}/istio-crds/base/crd.yaml (89%) rename common/{istio-1-14 => istio-1-16}/istio-crds/base/kustomization.yaml (100%) rename common/{istio-1-14 => istio-1-16}/istio-install/base/deny_all_authorizationpolicy.yaml (100%) rename common/{istio-1-14 => istio-1-16}/istio-install/base/gateway.yaml (100%) rename common/{istio-1-14 => istio-1-16}/istio-install/base/gateway_authorizationpolicy.yaml (100%) rename common/{istio-1-14 => istio-1-16}/istio-install/base/install.yaml (50%) rename common/{istio-1-14 => istio-1-16}/istio-install/base/kustomization.yaml (55%) rename common/{istio-1-14 => istio-1-16}/istio-install/base/patches/istio-configmap-disable-tracing.yaml (100%) rename common/{istio-1-14 => istio-1-16}/istio-install/base/patches/remove-pdb.yaml (78%) rename common/{istio-1-14 => istio-1-16}/istio-install/base/patches/service.yaml (100%) rename common/{istio-1-14 => istio-1-16}/istio-install/base/x-forwarded-host.yaml (100%) rename common/{istio-1-14 => istio-1-16}/istio-namespace/base/kustomization.yaml (100%) rename common/{istio-1-14 => istio-1-16}/istio-namespace/base/namespace.yaml (100%) rename common/{istio-1-14 => istio-1-16}/kubeflow-istio-resources/base/cluster-roles.yaml (100%) rename common/{istio-1-14 => istio-1-16}/kubeflow-istio-resources/base/kf-istio-resources.yaml (100%) rename common/{istio-1-14 => istio-1-16}/kubeflow-istio-resources/base/kustomization.yaml (100%) rename common/{istio-1-14 => istio-1-16}/profile-overlay.yaml (100%) rename 
common/{istio-1-14 => istio-1-16}/profile.yaml (95%) rename common/{istio-1-14 => istio-1-16}/split-istio-packages (100%) diff --git a/.github/workflows/centraldb_kind_test.yaml b/.github/workflows/centraldb_kind_test.yaml index 14ce046bfa..203fcbea99 100644 --- a/.github/workflows/centraldb_kind_test.yaml +++ b/.github/workflows/centraldb_kind_test.yaml @@ -4,6 +4,7 @@ on: paths: - apps/centraldashboard/upstream/** - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_istio.sh jobs: build: diff --git a/.github/workflows/dex_kind_test.yaml b/.github/workflows/dex_kind_test.yaml index bcb72ca78c..ba6646f500 100644 --- a/.github/workflows/dex_kind_test.yaml +++ b/.github/workflows/dex_kind_test.yaml @@ -4,6 +4,7 @@ on: paths: - common/dex/base/** - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_istio.sh jobs: build: diff --git a/.github/workflows/jwa_kind_test.yaml b/.github/workflows/jwa_kind_test.yaml index ad3f133e8b..aff7b59bf5 100644 --- a/.github/workflows/jwa_kind_test.yaml +++ b/.github/workflows/jwa_kind_test.yaml @@ -3,7 +3,11 @@ on: pull_request: paths: - apps/jupyter/jupyter-web-app/upstream/** +<<<<<<< HEAD - tests/gh-actions/kind-cluster.yaml +======= + - tests/gh-actions/install_istio.sh +>>>>>>> tests: Update GH Action workflows jobs: build: diff --git a/.github/workflows/nb_controller_kind_test.yaml b/.github/workflows/nb_controller_kind_test.yaml index dcc46674a0..2490b25a94 100644 --- a/.github/workflows/nb_controller_kind_test.yaml +++ b/.github/workflows/nb_controller_kind_test.yaml @@ -4,6 +4,7 @@ on: paths: - apps/jupyter/notebook-controller/upstream/** - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_istio.sh jobs: build: diff --git a/.github/workflows/pipeline_kind_test.yaml b/.github/workflows/pipeline_kind_test.yaml index cbdae9330b..94925b72dc 100644 --- a/.github/workflows/pipeline_kind_test.yaml +++ b/.github/workflows/pipeline_kind_test.yaml 
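Review bot: The jwa_kind_test.yaml hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> tests: Update GH Action workflows`) as added lines inside the `paths:` list, so the workflow file is no longer valid YAML and GitHub Actions will most likely report a parse error instead of running the job — the KinD test for the Jupyter web app manifests silently stops gating pull requests. Both path filters are clearly intended, since every other workflow in this patch keeps `kind-cluster.yaml` and adds `install_istio.sh`; replace the five added lines with `- tests/gh-actions/kind-cluster.yaml` and `- tests/gh-actions/install_istio.sh`. Consider a pre-commit hook or an actionlint/yamllint step over `.github/workflows/` so a broken workflow cannot land unnoticed and quietly remove a CI check.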
@@ -4,6 +4,7 @@ on: paths: - apps/pipeline/upstream/** - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_istio.sh jobs: build: diff --git a/.github/workflows/poddefaults_kind_test.yaml b/.github/workflows/poddefaults_kind_test.yaml index 073779fd4f..e955b1c98c 100644 --- a/.github/workflows/poddefaults_kind_test.yaml +++ b/.github/workflows/poddefaults_kind_test.yaml @@ -4,6 +4,7 @@ on: paths: - apps/admission-webhook/upstream/** - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_istio.sh jobs: build: diff --git a/.github/workflows/profiles_kind_test.yaml b/.github/workflows/profiles_kind_test.yaml index 66cf038cba..9e728fc82b 100644 --- a/.github/workflows/profiles_kind_test.yaml +++ b/.github/workflows/profiles_kind_test.yaml @@ -4,6 +4,7 @@ on: paths: - apps/profiles/upstream/** - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_istio.sh jobs: build: diff --git a/.github/workflows/tb_controller_kind_test.yaml b/.github/workflows/tb_controller_kind_test.yaml index 39e1704e3c..d3d42c5d5e 100644 --- a/.github/workflows/tb_controller_kind_test.yaml +++ b/.github/workflows/tb_controller_kind_test.yaml @@ -4,6 +4,7 @@ on: paths: - apps/tensorboard/tensorboard-controller/upstream/** - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_istio.sh jobs: build: diff --git a/.github/workflows/train_operator_kind_test.yaml b/.github/workflows/train_operator_kind_test.yaml index ec7f488301..58cbac65f3 100644 --- a/.github/workflows/train_operator_kind_test.yaml +++ b/.github/workflows/train_operator_kind_test.yaml @@ -4,6 +4,7 @@ on: paths: - apps/training-operator/upstream/** - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_istio.sh jobs: build: diff --git a/.github/workflows/twa_kind_test.yaml b/.github/workflows/twa_kind_test.yaml index 6ac181bee7..9248c7884e 100644 --- a/.github/workflows/twa_kind_test.yaml +++ b/.github/workflows/twa_kind_test.yaml 
@@ -3,7 +3,11 @@ on: pull_request: paths: - apps/tensorboard/tensorboards-web-app/upstream/** +<<<<<<< HEAD - tests/gh-actions/kind-cluster.yaml +======= + - tests/gh-actions/install_istio.sh +>>>>>>> tests: Update GH Action workflows jobs: build: diff --git a/.github/workflows/vwa_kind_test.yaml b/.github/workflows/vwa_kind_test.yaml index 80dda1266e..cfe98899a7 100644 --- a/.github/workflows/vwa_kind_test.yaml +++ b/.github/workflows/vwa_kind_test.yaml @@ -4,6 +4,7 @@ on: paths: - apps/volumes-web-app/upstream/** - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_istio.sh jobs: build: diff --git a/common/istio-1-14/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-14/cluster-local-gateway/base/cluster-local-gateway.yaml deleted file mode 100644 index c7f82d912f..0000000000 --- a/common/istio-1-14/cluster-local-gateway/base/cluster-local-gateway.yaml +++ /dev/null 
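Review bot: The twa_kind_test.yaml hunk has the same unresolved merge conflict as jwa_kind_test.yaml: `<<<<<<< HEAD`, `=======` and `>>>>>>> tests: Update GH Action workflows` are committed as new lines in the `paths:` list, which makes the workflow invalid YAML and in all likelihood stops the TensorBoard web app KinD test from running on pull requests at all. The intended content, matching the other workflows in this patch, is the two entries `- tests/gh-actions/kind-cluster.yaml` and `- tests/gh-actions/install_istio.sh` in place of the five added lines. A CI check that fails to parse is easy to miss because nothing runs to report a failure, so a lint step over the workflow directory would be worth adding alongside the fix.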
@@ -1,339 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cluster-local-gateway-service-account - namespace: istio-system - labels: - app: cluster-local-gateway - istio: cluster-local-gateway - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "IngressGateways" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: cluster-local-gateway - install.operator.istio.io/owning-resource: unknown - istio: cluster-local-gateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: cluster-local-gateway - namespace: istio-system -spec: - selector: - matchLabels: - app: cluster-local-gateway - istio: cluster-local-gateway - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - prometheus.io/path: /stats/prometheus - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - labels: - app: cluster-local-gateway - chart: gateways - heritage: Tiller - install.operator.istio.io/owning-resource: unknown - istio: cluster-local-gateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - service.istio.io/canonical-name: cluster-local-gateway - service.istio.io/canonical-revision: latest - sidecar.istio.io/inject: "false" - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - arm64 - weight: 2 - - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - 
nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - env: - - name: ISTIO_META_ROUTER_MODE - value: sni-dnat - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: cluster-local-gateway - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - image: docker.io/istio/proxyv2:1.14.1 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15020 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 
128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/workload-spiffe-credentials - name: workload-certs - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/istio/config - name: config-volume - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/pod - name: podinfo - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - readOnly: true - securityContext: - fsGroup: 1337 - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - serviceAccountName: cluster-local-gateway-service-account - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: workload-certs - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: podinfo - - emptyDir: {} - name: istio-envoy - - emptyDir: {} - name: istio-data - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio - optional: true - name: config-volume - - name: ingressgateway-certs - secret: - optional: true - secretName: istio-ingressgateway-certs - - name: ingressgateway-ca-certs - secret: - optional: true - secretName: istio-ingressgateway-ca-certs ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: cluster-local-gateway - namespace: istio-system - labels: - app: cluster-local-gateway - istio: 
cluster-local-gateway - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "IngressGateways" -spec: - minAvailable: 1 - selector: - matchLabels: - app: cluster-local-gateway - istio: cluster-local-gateway ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cluster-local-gateway-sds - namespace: istio-system - labels: - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "IngressGateways" -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cluster-local-gateway-sds - namespace: istio-system - labels: - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "IngressGateways" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cluster-local-gateway-sds -subjects: -- kind: ServiceAccount - name: cluster-local-gateway-service-account ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - labels: - app: cluster-local-gateway - install.operator.istio.io/owning-resource: unknown - istio: cluster-local-gateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: cluster-local-gateway - namespace: istio-system -spec: - ports: - - name: status-port - port: 15020 - protocol: TCP - targetPort: 15020 - - name: http2 - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: cluster-local-gateway - istio: cluster-local-gateway - type: ClusterIP diff --git a/common/istio-1-14/README.md b/common/istio-1-16/README.md similarity index 64% rename from common/istio-1-14/README.md rename to common/istio-1-16/README.md index 4619ebb116..6dcfad96a2 100644 --- a/common/istio-1-14/README.md +++ b/common/istio-1-16/README.md 
@@ -49,7 +49,7 @@ old version is `X1.Y1.Z1`: $ export PATH="$MANIFESTS_SRC/scripts:$PATH" $ cd $ISTIO_NEW - $ istioctl manifest generate -f profile.yaml -f profile-overlay.yaml > dump.yaml + $ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml $ split-istio-packages -f dump.yaml $ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base $ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base 
@@ -61,8 +61,39 @@ old version is `X1.Y1.Z1`: `split-istio-packages` is a python script in the same folder as this file. The `ruamel.yaml` version used is 0.16.12. + `--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically + detect default settings. Ensure you have a target cluster ready before running the above commands. + We set this flag because `istioctl manifest generate` generates manifest files with resources that are no + longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: + - https://github.com/istio/istio/issues/41220 + --- +5. Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. + See https://github.com/istio/istio/issues/12602 and https://github.com/istio/istio/issues/24000 + + Until now we have used two patches: + - `common/istio-1-16/istio-install/base/patches/remove-pdb.yaml` + - `common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml` + + The above patches do not work with kustomize v3.2.0 as it doesn't have the appropriate + openapi schemas for the policy/v1 API version resources. This is fixed in kustomize v4+. 
+ See https://github.com/kubernetes-sigs/kustomize/issues/3694#issuecomment-799700607 and + https://github.com/kubernetes-sigs/kustomize/issues/4495 + + A temporary workaround is to use the following instructions to manually delete the PodDisruptionBudget resources with `yq`: + + $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "cluster-local-gateway") | not)' common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml + $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "istio-ingressgateway") | not)' common/istio-1-16/istio-install/base/install.yaml + $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "istiod") | not)' common/istio-1-16/istio-install/base/install.yaml + + --- + **NOTE** + + NOTE: Make sure to remove a redundant {} at the end of the `common/istio-1-16/istio-install/base/install.yaml` and `common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml` files. + + --- + ## Changes to Istio's upstream manifests ### Changes to the upstream IstioOperator profile diff --git a/common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml new file mode 100644 index 0000000000..5e699dc5f9 --- /dev/null +++ b/common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml 
@@ -0,0 +1,286 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cluster-local-gateway-service-account + namespace: istio-system + labels: + app: cluster-local-gateway + istio: cluster-local-gateway + release: istio + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: IngressGateways +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: cluster-local-gateway + install.operator.istio.io/owning-resource: unknown + istio: cluster-local-gateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway + namespace: istio-system +spec: + selector: + matchLabels: + app: cluster-local-gateway + istio: cluster-local-gateway + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + prometheus.io/path: /stats/prometheus + prometheus.io/port: '15020' + prometheus.io/scrape: 'true' + sidecar.istio.io/inject: 'false' + labels: + app: cluster-local-gateway + chart: gateways + heritage: Tiller + install.operator.istio.io/owning-resource: unknown + istio: cluster-local-gateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + service.istio.io/canonical-name: cluster-local-gateway + service.istio.io/canonical-revision: latest + sidecar.istio.io/inject: 'false' + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + requiredDuringSchedulingIgnoredDuringExecution: + containers: + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + env: + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + - name: JWT_POLICY + value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: 
v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: cluster-local-gateway + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + - name: ISTIO_META_UNPRIVILEGED_POD + value: 'true' + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + image: docker.io/istio/proxyv2:1.16.0 + name: istio-proxy + ports: + - containerPort: 15020 + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + 
- mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true + securityContext: + fsGroup: 1337 + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + serviceAccountName: cluster-local-gateway-service-account + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + optional: true + name: config-volume + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cluster-local-gateway-sds + namespace: istio-system + labels: + release: istio + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: IngressGateways +rules: + - apiGroups: [''] + resources: [secrets] + verbs: [get, watch, list] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cluster-local-gateway-sds + namespace: istio-system + labels: + release: istio + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: IngressGateways +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: 
Role + name: cluster-local-gateway-sds +subjects: + - kind: ServiceAccount + name: cluster-local-gateway-service-account +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + labels: + app: cluster-local-gateway + install.operator.istio.io/owning-resource: unknown + istio: cluster-local-gateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway + namespace: istio-system +spec: + ports: + - name: status-port + port: 15020 + protocol: TCP + targetPort: 15020 + - name: http2 + port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: cluster-local-gateway + istio: cluster-local-gateway + type: ClusterIP diff --git a/common/istio-1-14/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-1-16/cluster-local-gateway/base/gateway-authorizationpolicy.yaml similarity index 100% rename from common/istio-1-14/cluster-local-gateway/base/gateway-authorizationpolicy.yaml rename to common/istio-1-16/cluster-local-gateway/base/gateway-authorizationpolicy.yaml diff --git a/common/istio-1-14/cluster-local-gateway/base/gateway.yaml b/common/istio-1-16/cluster-local-gateway/base/gateway.yaml similarity index 100% rename from common/istio-1-14/cluster-local-gateway/base/gateway.yaml rename to common/istio-1-16/cluster-local-gateway/base/gateway.yaml diff --git a/common/istio-1-14/cluster-local-gateway/base/kustomization.yaml b/common/istio-1-16/cluster-local-gateway/base/kustomization.yaml similarity index 55% rename from common/istio-1-14/cluster-local-gateway/base/kustomization.yaml rename to common/istio-1-16/cluster-local-gateway/base/kustomization.yaml index 00d9d84f0e..b01420e648 100644 --- a/common/istio-1-14/cluster-local-gateway/base/kustomization.yaml +++ b/common/istio-1-16/cluster-local-gateway/base/kustomization.yaml 
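Review bot: The Deployment's `affinity.nodeAffinity` carries two keys with no value, `preferredDuringSchedulingIgnoredDuringExecution:` and `requiredDuringSchedulingIgnoredDuringExecution:`, so no scheduling constraint is expressed at all, and the Service has an empty `metadata.annotations:` in the same way. These read as artifacts of `istioctl manifest generate` rather than intent, and since the file is regenerated per the README they are probably best left alone, but a line in the README's generation steps saying that empty keys in the generated output are expected would save the next reviewer the same question. The Role further down grants `get`, `watch` and `list` on every Secret in `istio-system` to the gateway service account; that is identical to the 1.14 manifest being deleted and is what the SDS agent needs, but it is the one grant in this file that deserves a sentence of justification next to the generation steps rather than being rediscovered on each upgrade.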
@@ -12,5 +12,7 @@ resources: - gateway-authorizationpolicy.yaml - gateway.yaml -patchesStrategicMerge: -- patches/remove-pdb.yaml +# Disable this patch until we upgrade to kustomize to v4+ +# see https://github.com/kubeflow/manifests/issues/2325#issuecomment-1323909056 +# patchesStrategicMerge: +# - patches/remove-pdb.yaml diff --git a/common/istio-1-14/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml similarity index 60% rename from common/istio-1-14/cluster-local-gateway/base/patches/remove-pdb.yaml rename to common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml index fc675a6493..7453e086c5 100644 --- a/common/istio-1-14/cluster-local-gateway/base/patches/remove-pdb.yaml +++ b/common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml @@ -1,6 +1,6 @@ $patch: delete -apiVersion: policy/v1beta1 +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: cluster-local-gateway - namespace: istio-system + namespace: istio-system \ No newline at end of file diff --git a/common/istio-1-14/istio-crds/base/crd.yaml b/common/istio-1-16/istio-crds/base/crd.yaml similarity index 89% rename from common/istio-1-14/istio-crds/base/crd.yaml rename to common/istio-1-16/istio-crds/base/crd.yaml index a7cfbbf49b..c77594403f 100644 --- a/common/istio-1-14/istio-crds/base/crd.yaml +++ b/common/istio-1-16/istio-crds/base/crd.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio @@ -209,7 +209,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio 
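Review bot: The new comment reads `until we upgrade to kustomize to v4+`; `until we upgrade kustomize to v4+` is what is meant. More importantly, with `patchesStrategicMerge` commented out the only thing keeping the PodDisruptionBudget out of this kustomization is the manual `yq` step described in the README, so a regenerated `cluster-local-gateway.yaml` that skips that step would reintroduce a `policy/v1` PDB that, per the README, kustomize v3.2.0 cannot patch away. I would state that dependency here rather than only in the README, e.g. `# The PDB is currently stripped by hand (README, step 5); re-run that step after regenerating cluster-local-gateway.yaml.`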
@@ -287,12 +287,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to + a destination. format: int32 type: integer idleTimeout: @@ -319,6 +318,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -348,50 +350,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: 
@@ -417,8 +447,24 @@ spec: description: Hash based on a specific HTTP query parameter. type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -535,13 +581,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to - a backend. + description: Maximum number of active requests + to a destination. format: int32 type: integer idleTimeout: @@ -569,6 +613,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -599,50 +646,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: 
@@ -669,8 +744,26 @@ spec: description: Hash based on a specific HTTP query parameter. type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -877,12 +970,10 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: @@ -909,6 +1000,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -938,50 +1032,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: 
@@ -1006,8 +1128,24 @@ spec: httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -1121,12 +1259,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to + a destination. format: int32 type: integer idleTimeout: @@ -1153,6 +1290,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -1182,50 +1322,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: 
@@ -1251,8 +1419,24 @@ spec: description: Hash based on a specific HTTP query parameter. type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -1512,12 +1696,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to + a destination. format: int32 type: integer idleTimeout: @@ -1544,6 +1727,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -1573,50 +1759,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: 
@@ -1642,8 +1856,24 @@ spec: description: Hash based on a specific HTTP query parameter. type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -1760,13 +1990,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to - a backend. + description: Maximum number of active requests + to a destination. format: int32 type: integer idleTimeout: @@ -1794,6 +2022,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -1824,50 +2055,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: 
@@ -1894,8 +2153,26 @@ spec: description: Hash based on a specific HTTP query parameter. type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -2102,12 +2379,10 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: @@ -2134,6 +2409,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -2163,50 +2441,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: 
@@ -2231,8 +2537,24 @@ spec: httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -2346,12 +2668,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to + a destination. format: int32 type: integer idleTimeout: @@ -2378,6 +2699,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -2407,50 +2731,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: 
@@ -2476,8 +2828,24 @@ spec: description: Hash based on a specific HTTP query parameter. type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -2685,7 +3053,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio @@ -2923,7 +3291,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio @@ -3228,7 +3596,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio @@ -3320,7 +3688,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio @@ -3385,7 +3753,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio @@ -3483,7 +3851,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio 
@@ -3757,7 +4125,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio @@ -3820,7 +4188,8 @@ spec: items: properties: bind: - description: The IP to which the listener should be bound. + description: The IP(IPv4 or IPv6) to which the listener should + be bound. type: string captureMode: enum: @@ -3992,7 +4361,8 @@ spec: items: properties: bind: - description: The IP to which the listener should be bound. + description: The IP(IPv4 or IPv6) to which the listener should + be bound. type: string captureMode: enum: @@ -4125,7 +4495,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio @@ -4392,7 +4762,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio @@ -4526,6 +4896,35 @@ spec: delegate VirtualService resides. type: string type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + type: integer + type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. 
@@ -4548,6 +4947,7 @@ spec: - http2Error properties: grpcStatus: + description: GRPC status code to use to abort the request. type: string http2Error: type: string @@ -4790,6 +5190,10 @@ spec: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string uri: oneOf: - not: @@ -4884,8 +5288,8 @@ spec: description: The name assigned to the route for debugging purposes. type: string redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. oneOf: - not: anyOf: @@ -4951,8 +5355,8 @@ spec: type: string type: object route: - description: A HTTP rule can either redirect or forward (default) - traffic. + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. items: properties: destination: @@ -5275,6 +5679,35 @@ spec: delegate VirtualService resides. type: string type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + type: integer + type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. @@ -5297,6 +5730,7 @@ spec: - http2Error properties: grpcStatus: + description: GRPC status code to use to abort the request. type: string http2Error: type: string 
@@ -5539,6 +5973,10 @@ spec: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string uri: oneOf: - not: @@ -5633,8 +6071,8 @@ spec: description: The name assigned to the route for debugging purposes. type: string redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. oneOf: - not: anyOf: @@ -5700,8 +6138,8 @@ spec: type: string type: object route: - description: A HTTP rule can either redirect or forward (default) - traffic. + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. items: properties: destination: @@ -5916,7 +6354,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio @@ -5953,8 +6391,6 @@ spec: WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' properties: imagePullPolicy: - description: The pull behaviour to be applied when fetching an OCI - image. enum: - UNSPECIFIED_POLICY - IfNotPresent @@ -5963,6 +6399,25 @@ spec: imagePullSecret: description: Credentials to use for OCI image pulling. type: string + match: + items: + properties: + mode: + enum: + - UNDEFINED + - CLIENT + - SERVER + - CLIENT_AND_SERVER + type: string + ports: + items: + properties: + number: + type: integer + type: object + type: array + type: object + type: array phase: description: Determines where in the filter chain this `WasmPlugin` is to be injected. 
@@ -6033,7 +6488,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - "helm.sh/resource-policy": keep + helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio diff --git a/common/istio-1-14/istio-crds/base/kustomization.yaml b/common/istio-1-16/istio-crds/base/kustomization.yaml similarity index 100% rename from common/istio-1-14/istio-crds/base/kustomization.yaml rename to common/istio-1-16/istio-crds/base/kustomization.yaml diff --git a/common/istio-1-14/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-1-16/istio-install/base/deny_all_authorizationpolicy.yaml similarity index 100% rename from common/istio-1-14/istio-install/base/deny_all_authorizationpolicy.yaml rename to common/istio-1-16/istio-install/base/deny_all_authorizationpolicy.yaml diff --git a/common/istio-1-14/istio-install/base/gateway.yaml b/common/istio-1-16/istio-install/base/gateway.yaml similarity index 100% rename from common/istio-1-14/istio-install/base/gateway.yaml rename to common/istio-1-16/istio-install/base/gateway.yaml diff --git a/common/istio-1-14/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-1-16/istio-install/base/gateway_authorizationpolicy.yaml similarity index 100% rename from common/istio-1-14/istio-install/base/gateway_authorizationpolicy.yaml rename to common/istio-1-16/istio-install/base/gateway_authorizationpolicy.yaml diff --git a/common/istio-1-14/istio-install/base/install.yaml b/common/istio-1-16/istio-install/base/install.yaml similarity index 50% rename from common/istio-1-14/istio-install/base/install.yaml rename to common/istio-1-16/istio-install/base/install.yaml index 6b1d9161df..72207c7dd3 100644 --- a/common/istio-1-14/istio-install/base/install.yaml +++ b/common/istio-1-16/istio-install/base/install.yaml 
@@ -9,7 +9,7 @@ metadata:
 release: istio
 istio.io/rev: default
 install.operator.istio.io/owning-resource: unknown
- operator.istio.io/component: "IngressGateways"
+ operator.istio.io/component: IngressGateways
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -46,42 +46,41 @@ metadata:
 app: istio-reader
 release: istio
 rules:
-- apiGroups:
- - "config.istio.io"
- - "security.istio.io"
- - "networking.istio.io"
- - "authentication.istio.io"
- - "rbac.istio.io"
- resources: ["*"]
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers",
- "namespaces", "secrets"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["networking.istio.io"]
- verbs: ["get", "watch", "list"]
- resources: ["workloadentries"]
-- apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["multicluster.x-k8s.io"]
- resources: ["serviceexports"]
- verbs: ["get", "list", "watch", "create", "delete"]
-- apiGroups: ["multicluster.x-k8s.io"]
- resources: ["serviceimports"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["apps"]
- resources: ["replicasets"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
-- apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
+ - apiGroups:
+ - config.istio.io
+ - security.istio.io
+ - networking.istio.io
+ - authentication.istio.io
+ - rbac.istio.io
+ resources: ['*']
+ verbs: [get, list, watch]
+ - apiGroups: ['']
+ resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, secrets]
+ verbs: [get, list, watch]
+ - apiGroups: [networking.istio.io]
+ verbs: [get, watch, list]
+ resources: [workloadentries]
+ - apiGroups: [apiextensions.k8s.io]
+ resources: [customresourcedefinitions]
+ verbs: [get, list, watch]
+ - apiGroups: [discovery.k8s.io]
+ resources: [endpointslices]
+ verbs: [get, list, watch]
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceexports]
+ verbs: [get, list, watch, create, delete]
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceimports]
+ verbs: [get, list, watch]
+ - apiGroups: [apps]
+ resources: [replicasets]
+ verbs: [get, list, watch]
+ - apiGroups: [authentication.k8s.io]
+ resources: [tokenreviews]
+ verbs: [create]
+ - apiGroups: [authorization.k8s.io]
+ resources: [subjectaccessreviews]
+ verbs: [create]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -91,42 +90,41 @@ metadata:
 app: istio-reader
 release: istio
 rules:
-- apiGroups:
- - "config.istio.io"
- - "security.istio.io"
- - "networking.istio.io"
- - "authentication.istio.io"
- - "rbac.istio.io"
- resources: ["*"]
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers",
- "namespaces", "secrets"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["networking.istio.io"]
- verbs: ["get", "watch", "list"]
- resources: ["workloadentries"]
-- apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["apps"]
- resources: ["replicasets"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
-- apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
-- apiGroups: ["multicluster.x-k8s.io"]
- resources: ["serviceexports"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["multicluster.x-k8s.io"]
- resources: ["serviceimports"]
- verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - config.istio.io
+ - security.istio.io
+ - networking.istio.io
+ - authentication.istio.io
+ - rbac.istio.io
+ resources: ['*']
+ verbs: [get, list, watch]
+ - apiGroups: ['']
+ resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, secrets]
+ verbs: [get, list, watch]
+ - apiGroups: [networking.istio.io]
+ verbs: [get, watch, list]
+ resources: [workloadentries]
+ - apiGroups: [apiextensions.k8s.io]
+ resources: [customresourcedefinitions]
+ verbs: [get, list, watch]
+ - apiGroups: [discovery.k8s.io]
+ resources: [endpointslices]
+ verbs: [get, list, watch]
+ - apiGroups: [apps]
+ resources: [replicasets]
+ verbs: [get, list, watch]
+ - apiGroups: [authentication.k8s.io]
+ resources: [tokenreviews]
+ verbs: [create]
+ - apiGroups: [authorization.k8s.io]
+ resources: [subjectaccessreviews]
+ verbs: [create]
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceexports]
+ verbs: [get, watch, list]
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceimports]
+ verbs: [get, watch, list]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -137,104 +135,90 @@ metadata: release: istio rules: # sidecar injection controller -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution -- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", - "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -- apiGroups: ["networking.istio.io"] - verbs: ["get", "watch", "list", "update", "patch", "create", "delete"] - resources: ["workloadentries"] -- apiGroups: ["networking.istio.io"] - verbs: ["get", "watch", "list", "update", "patch", "create", "delete"] - resources: ["workloadentries/status"] - - # auto-detect installed CRD definitions -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing -- apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] -- apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller -- apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] -- apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. 
-- apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] -- apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS -- apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs -- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] -- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update", "patch"] -- apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management -- apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management -- apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] + - apiGroups: [admissionregistration.k8s.io] + resources: [mutatingwebhookconfigurations] + verbs: [get, list, watch, update, patch] + # configuration validation webhook controller + - apiGroups: [admissionregistration.k8s.io] + resources: [validatingwebhookconfigurations] + verbs: [get, list, watch, update] + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside 
this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, rbac.istio.io, telemetry.istio.io, extensions.istio.io] + verbs: [get, watch, list] + resources: ['*'] + - apiGroups: [networking.istio.io] + verbs: [get, watch, list, update, patch, create, delete] + resources: [workloadentries] + - apiGroups: [networking.istio.io] + verbs: [get, watch, list, update, patch, create, delete] + resources: [workloadentries/status] + # auto-detect installed CRD definitions + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, list, watch] + # discovery and routing + - apiGroups: [''] + resources: [pods, nodes, services, namespaces, endpoints] + verbs: [get, list, watch] + - apiGroups: [discovery.k8s.io] + resources: [endpointslices] + verbs: [get, list, watch] + # ingress controller + - apiGroups: [networking.k8s.io] + resources: [ingresses, ingressclasses] + verbs: [get, list, watch] + - apiGroups: [networking.k8s.io] + resources: [ingresses/status] + verbs: ['*'] + # required for CA's namespace controller + - apiGroups: [''] + resources: [configmaps] + verbs: [create, get, list, watch, update] + # Istiod and bootstrap. 
+ - apiGroups: [certificates.k8s.io] + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + verbs: [update, create, get, delete, watch] + - apiGroups: [certificates.k8s.io] + resources: + - signers + resourceNames: + - kubernetes.io/legacy-unknown + verbs: [approve] + # Used by Istiod to verify the JWT tokens + - apiGroups: [authentication.k8s.io] + resources: [tokenreviews] + verbs: [create] + # Used by Istiod to verify gateway SDS + - apiGroups: [authorization.k8s.io] + resources: [subjectaccessreviews] + verbs: [create] + # Use for Kubernetes Service APIs + - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] + resources: ['*'] + verbs: [get, watch, list] + - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] + resources: ['*'] # TODO: should be on just */status but wildcard is not supported + verbs: [update, patch] + - apiGroups: [gateway.networking.k8s.io] + resources: [gatewayclasses] + verbs: [create, update, patch, delete] + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [''] + resources: [secrets] + verbs: [get, watch, list] + # Used for MCS serviceexport management + - apiGroups: [multicluster.x-k8s.io] + resources: [serviceexports] + verbs: [get, watch, list, create, delete] + # Used for MCS serviceimport management + - apiGroups: [multicluster.x-k8s.io] + resources: [serviceimports] + verbs: [get, watch, list] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -244,12 +228,12 @@ metadata:
 app: istiod
 release: istio
 rules:
-- apiGroups: ["apps"]
- verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
- resources: ["deployments"]
-- apiGroups: [""]
- verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
- resources: ["services"]
+ - apiGroups: [apps]
+ verbs: [get, watch, list, update, patch, create, delete]
+ resources: [deployments]
+ - apiGroups: ['']
+ verbs: [get, watch, list, update, patch, create, delete]
+ resources: [services]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -260,104 +244,90 @@ metadata: release: istio rules: # sidecar injection controller -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution -- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", - "rbac.istio.io", "telemetry.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -- apiGroups: ["networking.istio.io"] - verbs: ["get", "watch", "list", "update", "patch", "create", "delete"] - resources: ["workloadentries"] -- apiGroups: ["networking.istio.io"] - verbs: ["get", "watch", "list", "update", "patch", "create", "delete"] - resources: ["workloadentries/status"] - - # auto-detect installed CRD definitions -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing -- apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] -- apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller -- apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] -- apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. 
-- apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] -- apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS -- apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs -- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] -- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update"] -- apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management -- apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management -- apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] + - apiGroups: [admissionregistration.k8s.io] + resources: [mutatingwebhookconfigurations] + verbs: [get, list, watch, update, patch] + # configuration validation webhook controller + - apiGroups: [admissionregistration.k8s.io] + resources: [validatingwebhookconfigurations] + verbs: [get, list, watch, update] + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control 
plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, rbac.istio.io, telemetry.istio.io] + verbs: [get, watch, list] + resources: ['*'] + - apiGroups: [networking.istio.io] + verbs: [get, watch, list, update, patch, create, delete] + resources: [workloadentries] + - apiGroups: [networking.istio.io] + verbs: [get, watch, list, update, patch, create, delete] + resources: [workloadentries/status] + # auto-detect installed CRD definitions + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, list, watch] + # discovery and routing + - apiGroups: [''] + resources: [pods, nodes, services, namespaces, endpoints] + verbs: [get, list, watch] + - apiGroups: [discovery.k8s.io] + resources: [endpointslices] + verbs: [get, list, watch] + # ingress controller + - apiGroups: [networking.k8s.io] + resources: [ingresses, ingressclasses] + verbs: [get, list, watch] + - apiGroups: [networking.k8s.io] + resources: [ingresses/status] + verbs: ['*'] + # required for CA's namespace controller + - apiGroups: [''] + resources: [configmaps] + verbs: [create, get, list, watch, update] + # Istiod and bootstrap. 
+ - apiGroups: [certificates.k8s.io] + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + verbs: [update, create, get, delete, watch] + - apiGroups: [certificates.k8s.io] + resources: + - signers + resourceNames: + - kubernetes.io/legacy-unknown + verbs: [approve] + # Used by Istiod to verify the JWT tokens + - apiGroups: [authentication.k8s.io] + resources: [tokenreviews] + verbs: [create] + # Used by Istiod to verify gateway SDS + - apiGroups: [authorization.k8s.io] + resources: [subjectaccessreviews] + verbs: [create] + # Use for Kubernetes Service APIs + - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] + resources: ['*'] + verbs: [get, watch, list] + - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] + resources: ['*'] # TODO: should be on just */status but wildcard is not supported + verbs: [update] + - apiGroups: [gateway.networking.k8s.io] + resources: [gatewayclasses] + verbs: [create, update, patch, delete] + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [''] + resources: [secrets] + verbs: [get, watch, list] + # Used for MCS serviceexport management + - apiGroups: [multicluster.x-k8s.io] + resources: [serviceexports] + verbs: [get, watch, list, create, delete] + # Used for MCS serviceimport management + - apiGroups: [multicluster.x-k8s.io] + resources: [serviceimports] + verbs: [get, watch, list] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -371,9 +341,9 @@ roleRef: kind: ClusterRole name: istio-reader-clusterrole-istio-system subjects: -- kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system + - kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -387,9 +357,9 @@ roleRef:
 kind: ClusterRole
 name: istio-reader-istio-system
 subjects:
-- kind: ServiceAccount
- name: istio-reader-service-account
- namespace: istio-system
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: istio-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -403,9 +373,9 @@ roleRef:
 kind: ClusterRole
 name: istiod-clusterrole-istio-system
 subjects:
-- kind: ServiceAccount
- name: istiod
- namespace: istio-system
+ - kind: ServiceAccount
+ name: istiod
+ namespace: istio-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -419,9 +389,9 @@ roleRef:
 kind: ClusterRole
 name: istiod-gateway-controller-istio-system
 subjects:
-- kind: ServiceAccount
- name: istiod
- namespace: istio-system
+ - kind: ServiceAccount
+ name: istiod
+ namespace: istio-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -435,9 +405,9 @@ roleRef:
 kind: ClusterRole
 name: istiod-istio-system
 subjects:
-- kind: ServiceAccount
- name: istiod-service-account
- namespace: istio-system
+ - kind: ServiceAccount
+ name: istiod-service-account
+ namespace: istio-system
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -451,284 +421,38 @@ metadata: webhooks: # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks # are rejecting invalid configs on a per-revision basis. -- name: rev.validation.istio.io - clientConfig: + - name: rev.validation.istio.io + clientConfig: # Should change from base but cannot for API compat - service: - name: istiod - namespace: istio-system - path: "/validate" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "default" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.11 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: 
SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true, - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.12 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: 
'^1\.12.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.12.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true, - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.12.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - 
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + service: + name: istiod + namespace: istio-system + path: /validate + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - '*' + resources: + - '*' + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: [v1beta1, v1] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter 
@@ -740,118 +464,110 @@ metadata: spec: priority: -1 configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true, - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: 
"envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + 
"disable_host_header_fallback": true + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter 
@@ -863,118 +579,110 @@ metadata: spec: priority: -1 configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true, - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: 
"envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + 
"disable_host_header_fallback": true + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter 
@@ -986,693 +694,653 @@ metadata: spec: priority: -1 configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true, - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: 
"envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + 
"disable_host_header_fallback": true + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.11 + name: stats-filter-1.16 namespace: istio-system labels: istio.io/rev: default spec: priority: -1 configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - 
inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': 
type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.12 + name: tcp-stats-filter-1.13 namespace: istio-system labels: istio.io/rev: default 
spec: priority: -1 configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.12.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.12.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.12.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - 
value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': 
type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.13 + name: tcp-stats-filter-1.14 namespace: istio-system labels: istio.io/rev: default spec: priority: -1 configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": 
"type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: 
type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.14 + name: tcp-stats-filter-1.15 namespace: istio-system labels: istio.io/rev: default spec: priority: -1 configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": 
"downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + 
root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.15 + name: tcp-stats-filter-1.16 namespace: istio-system labels: istio.io/rev: default spec: priority: -1 configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: 
'^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - 
value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + 
root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: v1 kind: ConfigMap @@ -1682,14 +1350,12 @@ metadata: labels: istio.io/rev: default install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" + operator.istio.io/component: Pilot release: istio data: - # Configuration file for the mesh networks to be used by the Split Horizon EDS. meshNetworks: |- networks: {} - mesh: |- accessLogFile: /dev/stdout defaultConfig: @@ -1702,7 +1368,7 @@ data: extensionProviders: - envoyOtelAls: port: 4317 - service: otel-collector.istio-system.svc.cluster.local + service: opentelemetry-collector.istio-system.svc.cluster.local name: otel rootNamespace: istio-system tcpKeepalive: @@ -1719,10 +1385,9 @@ metadata: labels: istio.io/rev: default install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" + operator.istio.io/component: Pilot release: istio data: - values: |- { "global": { @@ -1743,7 +1408,7 @@ data: "enabled": true, "externalIstiod": false, "hub": "docker.io/istio", - "imagePullPolicy": "IfNotPresent", + "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "istio-system", "istiod": { @@ -1821,7 +1486,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.14.1", + "tag": "1.16.0", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -1840,7 +1505,8 @@ data: "address": "" } }, - "useMCP": false + "useMCP": false, + "variant": "" }, "istio_cni": { "enabled": false @@ -1856,7 +1522,6 @@ data: "templates": {} } } - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching # and istiod webhook functionality. # 
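Review bot: In the `@@ -1702,7 +1368,7 @@` hunk the `envoyOtelAls` extension provider in the `mesh` ConfigMap now targets `opentelemetry-collector.istio-system.svc.cluster.local` instead of `otel-collector.istio-system.svc.cluster.local`, but nothing in this chunk adds or renames a Service to match. If the new name does not resolve, any Telemetry resource that selects provider `otel` has its access logs dropped without an error at apply time, which is easy to miss. The `install.operator.istio.io/owning-resource` labels suggest this manifest is generated from an IstioOperator profile, so the collector name should be confirmed against the collector these manifests actually deploy rather than accepted as an upstream default.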
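Review bot: In the `@@ -1743,7 +1408,7 @@` hunk `"imagePullPolicy": "IfNotPresent"` becomes `"imagePullPolicy": ""` in the `values` ConfigMap, so injected sidecars no longer carry an explicit pull policy and fall back to the kubelet default (`Always` for an untagged or `:latest` image, `IfNotPresent` otherwise). With the pinned `"tag": "1.16.0"` from the `@@ -1821,7 +1486,7 @@` hunk the effective behaviour is presumably unchanged, but an unset policy is easy to overlook in a later supply-chain audit and changes silently if the tag is ever edited. If the previous behaviour is intended, restore `"imagePullPolicy": "IfNotPresent"` in the generation inputs rather than hand-editing the generated output.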
@@ -1905,6 +1570,9 @@ data: metadata: labels: security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { @@ -1932,6 +1600,7 @@ data: traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", {{- end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} {{- end }} } spec: 
@@ -1981,6 +1650,14 @@ data: {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" {{ end -}} {{ if .Values.istio_cni.enabled -}} - "--run-validation" @@ -2238,6 +1915,8 @@ data: volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials @@ -2285,6 +1964,8 @@ data: volumes: - emptyDir: name: workload-socket + - emptyDir: + name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: @@ -2356,7 +2037,7 @@ data: - name: {{ . }} {{- end }} {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} securityContext: fsGroup: 1337 {{- end }} @@ -2496,6 +2177,8 @@ data: volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate mountPath: /var/run/secrets/workload-spiffe-credentials 
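Review bot: In the `@@ -2356,7 +2037,7 @@` hunk the template default flips from `{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}` to `"false"`, so injected pods stop receiving `securityContext: fsGroup: 1337` unless that variable is set explicitly on istiod; the same flip appears in the `@@ -2582,7 +2267,7 @@` hunk and in the grpc-agent volumes hunk `@@ -2884,18 +2619,39 @@`. That fsGroup was presumably what gave the non-root proxy read access to the projected `istio-token` volume on older clusters, so this is a silent behaviour change for any workload that still depends on it, even if it is expected to be safe on the K8s v1.25 KinD clusters this PR targets. Whether application pods previously had their own fsGroup overridden by this block cannot be told from the hunk; a sentence in the PR description naming the new default would help operators who upgrade in place.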
@@ -2528,6 +2211,8 @@ data: volumes: - emptyDir: {} name: workload-socket + - emptyDir: {} + name: credential-socket {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - name: gke-workload-certificate csi: @@ -2582,7 +2267,7 @@ data: - name: {{ . }} {{- end }} {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} securityContext: fsGroup: 1337 {{- end }} 
@@ -2652,48 +2337,69 @@ data: - name: grpc-io-proxyless-bootstrap emptyDir: {} grpc-agent: | + {{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + {{- end }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. 
*/}} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { - {{- if eq (len $containers) 1 }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} + {{- end }} + {{- end }} sidecar.istio.io/rewriteAppHTTPProbers: "false", } spec: containers: - {{- range $index, $container := .Spec.Containers }} - {{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- end }} - {{- end }} - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation 
.ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} @@ -2701,6 +2407,13 @@ data: {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready env: - name: ISTIO_META_GENERATOR value: grpc @@ -2760,8 +2473,6 @@ data: value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" 
@@ -2799,42 +2510,24 @@ data: readinessProbe: httpGet: path: /healthz/ready - port: {{ .Values.global.proxy.statusPort }} + port: 15020 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 
6 }} - {{- end }} - {{- end }} + {{ template "resources" . }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} - name: workload-certs mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert 
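Review bot: In the grpc-agent template the readiness probe port changes from `port: {{ .Values.global.proxy.statusPort }}` to the literal `port: 15020`, and the new `mesh-metrics` containerPort in the `@@ -2652,48 +2337,69 @@` hunk is also fixed at 15020, so a non-default `global.proxy.statusPort` in the `values` ConfigMap would no longer be honoured by this template. That is harmless if the value is never customised in these manifests, but it cannot be told from here whether the sidecar template was changed the same way, and a mismatch would leave one template probing a port the agent does not serve. The removed `{{ end -}}` that used to close the probe block has its opening tag outside this hunk, so the template should be checked against the full file to confirm it still balances.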
@@ -2848,20 +2541,62 @@ data: - mountPath: /var/run/secrets/tokens name: istio-token {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + {{- range $index, $container := .Spec.Containers }} + {{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- end }} + {{- end }} volumes: - - emptyDir: {} + - emptyDir: name: workload-socket - - emptyDir: {} + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: name: workload-certs - # UDS channel between istioagent and gRPC 
client for XDS/SDS + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-xds @@ -2876,7 +2611,7 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: 
@@ -2884,18 +2619,39 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} + {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: name: istio-ca-root-cert {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration 
@@ -2904,126 +2660,126 @@ metadata: labels: istio.io/rev: default install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" + operator.istio.io/component: Pilot app: sidecar-injector release: istio webhooks: -- name: rev.namespace.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/inject" - port: 443 - sideEffects: None - rules: - - operations: ["CREATE"] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "default" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -- name: rev.object.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/inject" - port: 443 - sideEffects: None - rules: - - operations: ["CREATE"] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "default" -- name: namespace.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/inject" - port: 443 - sideEffects: None - rules: - - operations: ["CREATE"] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - 
values: - - "false" -- name: object.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/inject" - port: 443 - sideEffects: None - rules: - - operations: ["CREATE"] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist + - name: rev.namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + sideEffects: None + rules: + - operations: [CREATE] + apiGroups: [''] + apiVersions: [v1] + resources: [pods] + failurePolicy: Fail + admissionReviewVersions: [v1beta1, v1] + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - 'false' + - name: rev.object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + sideEffects: None + rules: + - operations: [CREATE] + apiGroups: [''] + apiVersions: [v1] + resources: [pods] + failurePolicy: Fail + admissionReviewVersions: [v1beta1, v1] + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - 'false' + - key: istio.io/rev + operator: In + values: + - default + - name: namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + 
sideEffects: None + rules: + - operations: [CREATE] + apiGroups: [''] + apiVersions: [v1] + resources: [pods] + failurePolicy: Fail + admissionReviewVersions: [v1beta1, v1] + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - 'false' + - name: object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + sideEffects: None + rules: + - operations: [CREATE] + apiGroups: [''] + apiVersions: [v1] + resources: [pods] + failurePolicy: Fail + admissionReviewVersions: [v1beta1, v1] + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - 'true' + - key: istio.io/rev + operator: DoesNotExist --- apiVersion: apps/v1 kind: Deployment @@ -3050,9 +2806,9 @@ spec: metadata: annotations: prometheus.io/path: /stats/prometheus - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" + prometheus.io/port: '15020' + prometheus.io/scrape: 'true' + sidecar.istio.io/inject: 'false' labels: app: istio-ingressgateway chart: gateways 
@@ -3064,171 +2820,135 @@ spec: release: istio service.istio.io/canonical-name: istio-ingressgateway service.istio.io/canonical-revision: latest - sidecar.istio.io/inject: "false" + sidecar.istio.io/inject: 'false' spec: affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - arm64 - weight: 2 - - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - env: - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: istio-ingressgateway - - name: ISTIO_META_OWNER - value: 
kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - image: docker.io/istio/proxyv2:1.14.1 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15021 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8443 - protocol: TCP - - containerPort: 31400 - protocol: TCP - - containerPort: 15443 - protocol: TCP - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/workload-spiffe-credentials - name: workload-certs - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/istio/config - name: config-volume - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/pod - name: podinfo - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - readOnly: true + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + env: + - name: JWT_POLICY 
+ value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: istio-ingressgateway + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + - name: ISTIO_META_UNPRIVILEGED_POD + value: 'true' + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + image: docker.io/istio/proxyv2:1.16.0 + name: istio-proxy + ports: + - containerPort: 15021 + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 8443 + protocol: TCP + - containerPort: 31400 + protocol: TCP + - containerPort: 15443 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: 
/var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true securityContext: fsGroup: 1337 runAsGroup: 1337 
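Review bot: The new side keeps `affinity.nodeAffinity` with both `preferredDuringSchedulingIgnoredDuringExecution:` and `requiredDuringSchedulingIgnoredDuringExecution:` left as bare keys with no value, after the arch terms under them were removed. The API server accepts null here, so this is a legibility point rather than a defect, but a reader now has to work out that the gateway is intentionally schedulable on any architecture. If `install.yaml` is produced by `split-istio-packages` from `profile.yaml` (the matching `global.arch` removal in the profile hunk suggests it is), the cleanup belongs to the generator input; otherwise drop the whole `affinity:` stanza. The Deployment's `template.spec` continues past this hunk.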
@@ -3236,45 +2956,47 @@ spec: runAsUser: 1337 serviceAccountName: istio-ingressgateway-service-account volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: workload-certs - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: podinfo - - emptyDir: {} - name: istio-envoy - - emptyDir: {} - name: istio-data - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio - optional: true - name: config-volume - - name: ingressgateway-certs - secret: - optional: true - secretName: istio-ingressgateway-certs - - name: ingressgateway-ca-certs - secret: - optional: true - secretName: istio-ingressgateway-ca-certs + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + optional: true + name: config-volume + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs --- apiVersion: apps/v1 kind: Deployment 
@@ -3300,164 +3022,140 @@ spec: template: metadata: annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" + prometheus.io/port: '15014' + prometheus.io/scrape: 'true' + sidecar.istio.io/inject: 'false' labels: app: istiod install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default operator.istio.io/component: Pilot - sidecar.istio.io/inject: "false" + sidecar.istio.io/inject: 'false' spec: containers: - - args: - - discovery - - --monitoringAddr=:15014 - - --log_output_level=default:info - - --domain - - cluster.local - - --keepaliveMaxServerConnectionAge - - 30m - env: - - name: REVISION - value: default - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - - name: PILOT_TRACE_SAMPLING - value: "100" - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: "true" - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: "true" - - name: ISTIOD_ADDR - value: istiod.istio-system.svc:15012 - - name: PILOT_ENABLE_ANALYSIS - value: "false" - - name: CLUSTER_ID - value: Kubernetes - image: gcr.io/arrikto/istio/pilot:1.14.1-1-g19df463bb - imagePullPolicy: IfNotPresent - name: discovery - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - resources: - requests: - cpu: 10m - memory: 100Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true 
- runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - volumeMounts: - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/run/secrets/istio-dns - name: local-certs - - mountPath: /etc/cacerts - name: cacerts - readOnly: true - - mountPath: /var/run/secrets/remote - name: istio-kubeconfig - readOnly: true + - args: + - discovery + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --keepaliveMaxServerConnectionAge + - 30m + env: + - name: REVISION + value: default + - name: JWT_POLICY + value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + - name: PILOT_TRACE_SAMPLING + value: '100' + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: 'true' + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: 'true' + - name: ISTIOD_ADDR + value: istiod.istio-system.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: 'false' + - name: CLUSTER_ID + value: Kubernetes + image: docker.io/istio/pilot:1.16.0 + name: discovery + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + resources: + requests: + cpu: 10m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: 
/var/run/secrets/istio-dns + name: local-certs + - mountPath: /etc/cacerts + name: cacerts + readOnly: true + - mountPath: /var/run/secrets/remote + name: istio-kubeconfig + readOnly: true + - mountPath: /var/run/secrets/istiod/tls + name: istio-csr-dns-cert + readOnly: true + - mountPath: /var/run/secrets/istiod/ca + name: istio-csr-ca-configmap + readOnly: true securityContext: fsGroup: 1337 serviceAccountName: istiod volumes: - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: cacerts - secret: - optional: true - secretName: cacerts - - name: istio-kubeconfig - secret: - optional: true - secretName: istio-kubeconfig ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-ingressgateway - namespace: istio-system - labels: - app: istio-ingressgateway - istio: ingressgateway - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "IngressGateways" -spec: - minAvailable: 1 - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" - release: istio - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - istio: pilot + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: cacerts + secret: + optional: true + secretName: cacerts + - name: istio-kubeconfig + secret: + optional: true + secretName: istio-kubeconfig + - name: istio-csr-dns-cert + secret: + optional: true + secretName: istiod-tls + 
- configMap: + defaultMode: 420 + name: istio-ca-root-cert + optional: true + name: istio-csr-ca-configmap --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -3468,11 +3166,11 @@ metadata: release: istio istio.io/rev: default install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "IngressGateways" + operator.istio.io/component: IngressGateways rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] + - apiGroups: [''] + resources: [secrets] + verbs: [get, watch, list] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -3483,14 +3181,16 @@ metadata: app: istiod release: istio rules: -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] + - apiGroups: [networking.istio.io] + verbs: [create] + resources: [gateways] + - apiGroups: [''] + resources: [secrets] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: [create, get, watch, list, update, delete] + - apiGroups: [''] + resources: [configmaps] + verbs: [delete] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -3501,14 +3201,13 @@ metadata: app: istiod release: istio rules: -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] + - apiGroups: [networking.istio.io] + verbs: [create] + resources: [gateways] + - apiGroups: [''] + resources: [secrets] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: [create, get, watch, list, update, delete] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
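Review bot: The istiod image moves from the fork build `gcr.io/arrikto/istio/pilot:1.14.1-1-g19df463bb` to stock `docker.io/istio/pilot:1.16.0`, and neither the hunk nor the commit message says whether whatever that fork carried (the `-1-g19df463bb` suffix looks like one commit on top of 1.14.1) is now upstream or is being dropped. A sentence in the commit message, or a comment beside the `image:` line, would spare the next upgrader from re-investigating. Both this image and `docker.io/istio/proxyv2:1.16.0` in the istio-ingressgateway hunk above are referenced by mutable tag with no digest, so the running image can drift from what was reviewed; if reproducible installs matter here, pin as `image: docker.io/istio/pilot:1.16.0@sha256:<digest-placeholder>`. Dropping `imagePullPolicy: IfNotPresent` is a no-op for a non-`latest` tag, since that is the default.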
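Review bot: The istiod Role in istio-system gains a new rule `apiGroups: [''] resources: [configmaps] verbs: [delete]` with no comment on why, while the adjacent `secrets` rule still carries the TODO about narrowing it. Presumably this pairs with the `istio-csr-ca-configmap` volume the istiod Deployment hunk now mounts from the `istio-ca-root-cert` ConfigMap, but that is an inference from the diff, not something the hunk states. Since this is the only RBAC expansion in the upgrade, a comment naming the ConfigMap istiod deletes, plus a `resourceNames:` restriction if the name is fixed, keeps the grant reviewable: `# istiod deletes <which ConfigMap — TODO confirm>; scope with resourceNames once known`. The sibling istiod Role in the next hunk does not receive this rule, which is worth a note too if the asymmetry is intentional.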
@@ -3519,14 +3218,14 @@ metadata: release: istio istio.io/rev: default install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "IngressGateways" + operator.istio.io/component: IngressGateways roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: istio-ingressgateway-sds subjects: -- kind: ServiceAccount - name: istio-ingressgateway-service-account + - kind: ServiceAccount + name: istio-ingressgateway-service-account --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -3541,9 +3240,9 @@ roleRef: kind: Role name: istiod subjects: -- kind: ServiceAccount - name: istiod - namespace: istio-system + - kind: ServiceAccount + name: istiod + namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -3558,9 +3257,9 @@ roleRef: kind: Role name: istiod-istio-system subjects: -- kind: ServiceAccount - name: istiod-service-account - namespace: istio-system + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system --- apiVersion: v1 kind: Service @@ -3577,26 +3276,26 @@ metadata: namespace: istio-system spec: ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 8080 - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - - name: tcp - port: 31400 - protocol: TCP - targetPort: 31400 - - name: tls - port: 15443 - protocol: TCP - targetPort: 15443 + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: tcp + port: 31400 + protocol: TCP + targetPort: 31400 + - name: tls + port: 15443 + protocol: TCP + targetPort: 15443 selector: app: istio-ingressgateway istio: ingressgateway 
@@ -3610,25 +3309,25 @@ metadata: labels: istio.io/rev: default install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" + operator.istio.io/component: Pilot app: istiod istio: pilot release: istio spec: ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP selector: app: istiod # Label used by the 'default' service. For versioned deployments we match with app and version. diff --git a/common/istio-1-14/istio-install/base/kustomization.yaml b/common/istio-1-16/istio-install/base/kustomization.yaml similarity index 55% rename from common/istio-1-14/istio-install/base/kustomization.yaml rename to common/istio-1-16/istio-install/base/kustomization.yaml index ebcc1cd804..70db91ae80 100644 --- a/common/istio-1-14/istio-install/base/kustomization.yaml +++ b/common/istio-1-16/istio-install/base/kustomization.yaml @@ -1,5 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization + +namespace: istio-system + resources: - install.yaml - gateway_authorizationpolicy.yaml 
@@ -7,9 +10,10 @@ resources: - gateway.yaml - x-forwarded-host.yaml -namespace: istio-system - patchesStrategicMerge: - patches/service.yaml -- patches/remove-pdb.yaml -- patches/istio-configmap-disable-tracing.yaml \ No newline at end of file +- patches/istio-configmap-disable-tracing.yaml +# Disable this patch until we upgrade to kustomize to v4+ +# see https://github.com/kubeflow/manifests/issues/2325#issuecomment-1323909056 +# - patches/remove-pdb.yaml + diff --git a/common/istio-1-14/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-1-16/istio-install/base/patches/istio-configmap-disable-tracing.yaml similarity index 100% rename from common/istio-1-14/istio-install/base/patches/istio-configmap-disable-tracing.yaml rename to common/istio-1-16/istio-install/base/patches/istio-configmap-disable-tracing.yaml diff --git a/common/istio-1-14/istio-install/base/patches/remove-pdb.yaml b/common/istio-1-16/istio-install/base/patches/remove-pdb.yaml similarity index 78% rename from common/istio-1-14/istio-install/base/patches/remove-pdb.yaml rename to common/istio-1-16/istio-install/base/patches/remove-pdb.yaml index 2ee65a61a7..94b555efd6 100644 --- a/common/istio-1-14/istio-install/base/patches/remove-pdb.yaml +++ b/common/istio-1-16/istio-install/base/patches/remove-pdb.yaml @@ -1,12 +1,13 @@ +--- $patch: delete -apiVersion: policy/v1beta1 +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: istio-ingressgateway namespace: istio-system --- $patch: delete -apiVersion: policy/v1beta1 +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: istiod diff --git a/common/istio-1-14/istio-install/base/patches/service.yaml b/common/istio-1-16/istio-install/base/patches/service.yaml similarity index 100% rename from common/istio-1-14/istio-install/base/patches/service.yaml rename to common/istio-1-16/istio-install/base/patches/service.yaml 
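Review bot: Commenting out `patches/remove-pdb.yaml` means any PodDisruptionBudget the 1.16 `install.yaml` emits is now applied unchanged, and the same commit updates that patch to `policy/v1`, which suggests such PDBs do exist in the new output (the `-3300` hunk only removes the old `policy/v1beta1` copies). The removed PDBs used `minAvailable: 1`, and `profile.yaml` keeps `replicaCount: 1` for pilot, so on a real cluster a node drain cannot evict istiod or the gateway and hangs; KinD CI will not notice. If the kustomize version is the blocker, the profile is the better place to switch them off so the generated manifest never contains them: `global.defaultPodDisruptionBudget.enabled: false`. The comment also has a stray word: `until we upgrade to kustomize to v4+`.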
diff --git a/common/istio-1-14/istio-install/base/x-forwarded-host.yaml b/common/istio-1-16/istio-install/base/x-forwarded-host.yaml similarity index 100% rename from common/istio-1-14/istio-install/base/x-forwarded-host.yaml rename to common/istio-1-16/istio-install/base/x-forwarded-host.yaml diff --git a/common/istio-1-14/istio-namespace/base/kustomization.yaml b/common/istio-1-16/istio-namespace/base/kustomization.yaml similarity index 100% rename from common/istio-1-14/istio-namespace/base/kustomization.yaml rename to common/istio-1-16/istio-namespace/base/kustomization.yaml diff --git a/common/istio-1-14/istio-namespace/base/namespace.yaml b/common/istio-1-16/istio-namespace/base/namespace.yaml similarity index 100% rename from common/istio-1-14/istio-namespace/base/namespace.yaml rename to common/istio-1-16/istio-namespace/base/namespace.yaml diff --git a/common/istio-1-14/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-1-16/kubeflow-istio-resources/base/cluster-roles.yaml similarity index 100% rename from common/istio-1-14/kubeflow-istio-resources/base/cluster-roles.yaml rename to common/istio-1-16/kubeflow-istio-resources/base/cluster-roles.yaml diff --git a/common/istio-1-14/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-1-16/kubeflow-istio-resources/base/kf-istio-resources.yaml similarity index 100% rename from common/istio-1-14/kubeflow-istio-resources/base/kf-istio-resources.yaml rename to common/istio-1-16/kubeflow-istio-resources/base/kf-istio-resources.yaml diff --git a/common/istio-1-14/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-1-16/kubeflow-istio-resources/base/kustomization.yaml similarity index 100% rename from common/istio-1-14/kubeflow-istio-resources/base/kustomization.yaml rename to common/istio-1-16/kubeflow-istio-resources/base/kustomization.yaml 
diff --git a/common/istio-1-14/profile-overlay.yaml b/common/istio-1-16/profile-overlay.yaml similarity index 100% rename from common/istio-1-14/profile-overlay.yaml rename to common/istio-1-16/profile-overlay.yaml diff --git a/common/istio-1-14/profile.yaml b/common/istio-1-16/profile.yaml similarity index 95% rename from common/istio-1-14/profile.yaml rename to common/istio-1-16/profile.yaml index 6a17a26d36..99454cedfc 100644 --- a/common/istio-1-14/profile.yaml +++ b/common/istio-1-16/profile.yaml @@ -57,12 +57,18 @@ spec: defaultConfig: proxyMetadata: {} enablePrometheusMerge: true + extensionProviders: + - envoyOtelAls: + port: 4317 + service: opentelemetry-collector.istio-system.svc.cluster.local + name: otel profile: demo - tag: 1.9.6 + tag: 1.16.0 values: base: enableCRDTemplates: false validationURL: "" + defaultRevision: "" gateways: istio-egressgateway: autoscaleEnabled: false @@ -76,7 +82,6 @@ spec: name: egressgateway-ca-certs secretName: istio-egressgateway-ca-certs type: ClusterIP - zvpn: {} istio-ingressgateway: autoscaleEnabled: false env: {} @@ -89,12 +94,7 @@ spec: name: ingressgateway-ca-certs secretName: istio-ingressgateway-ca-certs type: LoadBalancer - zvpn: {} global: - arch: - amd64: 2 - ppc64le: 2 - s390x: 2 configValidation: true defaultNodeSelector: {} defaultPodDisruptionBudget: @@ -181,6 +181,7 @@ spec: image: pilot keepaliveMaxServerConnectionAge: 30m nodeSelector: {} + podLabels: {} replicaCount: 1 traceSampling: 1 telemetry: diff --git a/common/istio-1-14/split-istio-packages b/common/istio-1-16/split-istio-packages similarity index 100% rename from common/istio-1-14/split-istio-packages rename to common/istio-1-16/split-istio-packages diff --git a/example/kustomization.yaml b/example/kustomization.yaml index 34ba90e2af..172e9bf9e1 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml 
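Review bot: The new `extensionProviders` entry `otel` sends Envoy access logs to `opentelemetry-collector.istio-system.svc.cluster.local:4317`, but nothing in this commit deploys that collector and no visible hunk selects the provider through a `Telemetry` resource, so it is either dead configuration or an unstated dependency on a later change. A comment above the block should say which, e.g. `# used only when a Telemetry resource selects "otel" and an OTel collector is installed in istio-system`. Worth stating there as well that the ALS stream to port 4317 appears to be plaintext gRPC unless a sidecar supplies mTLS — confirm before pointing it at anything that carries real traffic. The `profile.yaml` spec continues outside this hunk.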
@@ -6,9 +6,9 @@ resources: - ../common/cert-manager/cert-manager/base - ../common/cert-manager/kubeflow-issuer/base # Istio -- ../common/istio-1-14/istio-crds/base -- ../common/istio-1-14/istio-namespace/base -- ../common/istio-1-14/istio-install/base +- ../common/istio-1-16/istio-crds/base +- ../common/istio-1-16/istio-namespace/base +- ../common/istio-1-16/istio-install/base # OIDC Authservice - ../common/oidc-authservice/base # Dex @@ -16,13 +16,13 @@ resources: # KNative - ../common/knative/knative-serving/overlays/gateways - ../common/knative/knative-eventing/base -- ../common/istio-1-14/cluster-local-gateway/base +- ../common/istio-1-16/cluster-local-gateway/base # Kubeflow namespace - ../common/kubeflow-namespace/base # Kubeflow Roles - ../common/kubeflow-roles/base # Kubeflow Istio Resources -- ../common/istio-1-14/kubeflow-istio-resources/base +- ../common/istio-1-16/kubeflow-istio-resources/base # Kubeflow Pipelines diff --git a/tests/gh-actions/install_istio.sh b/tests/gh-actions/install_istio.sh index 098bc6dbd1..eb817a9bc0 100755 --- a/tests/gh-actions/install_istio.sh +++ b/tests/gh-actions/install_istio.sh @@ -1,7 +1,7 @@ #!/bin/bash set -e echo "Installing Istio ..." -cd common/istio-1-14 +cd common/istio-1-16 kustomize build istio-crds/base | kubectl apply -f - kustomize build istio-namespace/base | kubectl apply -f - kustomize build istio-install/base | kubectl apply -f - \ No newline at end of file From 0ecbc735e39d065f5e688038cd18490c95254fb2 Mon Sep 17 00:00:00 2001 From: apoger Date: Fri, 25 Nov 2022 11:52:11 +0200 Subject: [PATCH 03/74] common: Upgate cert-manager manifests to v1.10.1 (#2330) * common: Update cert-manager manifests to v1.10.1 Signed-off-by: Apostolos Gerakaris * Remove preserveUnknownFields patch The spec.preserveUnknownFields field is deprecated in v1 CRR API. 
Signed-off-by: Apostolos Gerakaris * testing: Update GH workflows Trigger the test workflow of each component, that uses Cert Manager, when Cert Manager manifests are changed Signed-off-by: Apostolos Gerakaris * Update README file Reference version of Cert Manager component Signed-off-by: Apostolos Gerakaris Signed-off-by: Apostolos Gerakaris --- .github/workflows/pipeline_kind_test.yaml | 1 + .github/workflows/poddefaults_kind_test.yaml | 1 + README.md | 1 + .../cert-manager/base/cert-manager.yaml | 15691 ++-------------- .../cert-manager/base/kustomization.yaml | 11 +- .../patches/crd-preserve-unknown-fields.yaml | 3 - 6 files changed, 2011 insertions(+), 13697 deletions(-) delete mode 100644 common/cert-manager/cert-manager/base/patches/crd-preserve-unknown-fields.yaml diff --git a/.github/workflows/pipeline_kind_test.yaml b/.github/workflows/pipeline_kind_test.yaml index 94925b72dc..2b9cf9129d 100644 --- a/.github/workflows/pipeline_kind_test.yaml +++ b/.github/workflows/pipeline_kind_test.yaml @@ -5,6 +5,7 @@ on: - apps/pipeline/upstream/** - tests/gh-actions/kind-cluster.yaml - tests/gh-actions/install_istio.sh + - common/cert-manager/** jobs: build: diff --git a/.github/workflows/poddefaults_kind_test.yaml b/.github/workflows/poddefaults_kind_test.yaml index e955b1c98c..758a72bd6a 100644 --- a/.github/workflows/poddefaults_kind_test.yaml +++ b/.github/workflows/poddefaults_kind_test.yaml @@ -5,6 +5,7 @@ on: - apps/admission-webhook/upstream/** - tests/gh-actions/kind-cluster.yaml - tests/gh-actions/install_istio.sh + - common/cert-manager/** jobs: build: diff --git a/README.md b/README.md index bcb36aca27..edcb58bfb3 100644 --- a/README.md +++ b/README.md 
@@ -63,6 +63,7 @@ used from the different projects of Kubeflow: | - | - | - | | Istio | common/istio-1-14 | [1.14.1](https://github.com/istio/istio/releases/tag/1.14.1) | | Knative | common/knative | [0.22.1](https://github.com/knative/serving/releases/tag/v0.22.1) | +| Cert Manager | common/cert-manager | [1.10.1](https://github.com/cert-manager/cert-manager/releases/tag/v1.10.1) | ## Installation diff --git a/common/cert-manager/cert-manager/base/cert-manager.yaml b/common/cert-manager/cert-manager/base/cert-manager.yaml index bc2cc5b737..be0bd0f605 100644 --- a/common/cert-manager/cert-manager/base/cert-manager.yaml +++ b/common/cert-manager/cert-manager/base/cert-manager.yaml @@ -1,4 +1,4 @@ -# Copyright The cert-manager Authors. +# Copyright 2022 The cert-manager Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -12,73 +12,40 @@ # See the License for the specific language governing permissions and # limitations under the License. +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager --- -# Source: cert-manager/templates/templates.out +# Source: cert-manager/templates/crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: certificaterequests.cert-manager.io - annotations: - cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' + name: clusterissuers.cert-manager.io labels: app: 'cert-manager' app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" spec: group: cert-manager.io names: - kind: CertificateRequest - listKind: CertificateRequestList - plural: certificaterequests - shortNames: - - cr - - crs - singular: certificaterequest + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer categories: - cert-manager - scope: Namespaced - conversion: - # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources. - strategy: Webhook - # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. - webhook: - # We don't actually support `v1beta1` but is listed here as it is a - # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The - # API server reads the supported versions in order, so _should always_ - # attempt a `v1` request which is understood by the cert-manager webhook. - # Any `v1beta1` request will return an error and fail closed for that - # resource (the whole object request is rejected). - # When we no longer support v1.16 we can remove `v1beta1` from this list. 
- conversionReviewVersions: ["v1", "v1beta1"] - clientConfig: - # - service: - name: 'cert-manager-webhook' - namespace: "cert-manager" - path: /convert - # + scope: Cluster versions: - - name: v1alpha2 + - name: v1 subresources: status: {} additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Approved")].status - name: Approved - type: string - - jsonPath: .status.conditions[?(@.type=="Denied")].status - name: Denied - type: string - jsonPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - type: string - - jsonPath: .spec.username - name: Requestor - type: string - jsonPath: .status.conditions[?(@.type=="Ready")].message name: Status priority: 1 @@ -89,8 +56,10 @@ spec: type: date schema: openAPIV3Schema: - description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." + description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. type: object + required: + - spec properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 
@@ -101,11900 +70,72 @@ spec: metadata: type: object spec: - description: Desired state of the CertificateRequest resource. + description: Desired state of the ClusterIssuer resource. type: object - required: - - csr - - issuerRef properties: - csr: - description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing. - type: string - format: byte - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. - type: string - extra: - description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: object - additionalProperties: - type: array - items: - type: string - groups: - description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: array - items: - type: string - x-kubernetes-list-type: atomic - isCA: - description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty. + acme: + description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. 
type: object required: - - name + - privateKeySecretRef + - server properties: - group: - description: Group of the resource being referred to. + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string - kind: - description: Kind of the resource being referred to. + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. + type: object + required: + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External Account is bound to. 
+ type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' type: string - name: - description: Name of the resource being referred to. - type: string - uid: - description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - usages: - description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - username: - description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - status: - description: Status of the CertificateRequest. This is set and managed automatically. - type: object - properties: - ca: - description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. - type: string - format: byte - certificate: - description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. - type: string - format: byte - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. 
- type: array - items: - description: CertificateRequestCondition contains condition information for a CertificateRequest. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). - type: string - failureTime: - description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. - type: string - format: date-time - served: true - storage: false - - name: v1alpha3 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Approved")].status - name: Approved - type: string - - jsonPath: .status.conditions[?(@.type=="Denied")].status - name: Denied - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - type: string - - jsonPath: .spec.username - name: Requestor - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. 
It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - type: object - required: - - csr - - issuerRef - properties: - csr: - description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing. - type: string - format: byte - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. - type: string - extra: - description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 
- type: object - additionalProperties: - type: array - items: - type: string - groups: - description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: array - items: - type: string - x-kubernetes-list-type: atomic - isCA: - description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - uid: - description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - usages: - description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - username: - description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - status: - description: Status of the CertificateRequest. This is set and managed automatically. - type: object - properties: - ca: - description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. - type: string - format: byte - certificate: - description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. - type: string - format: byte - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. 
- type: array - items: - description: CertificateRequestCondition contains condition information for a CertificateRequest. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). - type: string - failureTime: - description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. - type: string - format: date-time - served: true - storage: false - - name: v1beta1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Approved")].status - name: Approved - type: string - - jsonPath: .status.conditions[?(@.type=="Denied")].status - name: Denied - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - type: string - - jsonPath: .spec.username - name: Requestor - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. 
It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - type: object - required: - - issuerRef - - request - properties: - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. - type: string - extra: - description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: object - additionalProperties: - type: array - items: - type: string - groups: - description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 
- type: array - items: - type: string - x-kubernetes-list-type: atomic - isCA: - description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - request: - description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing. - type: string - format: byte - uid: - description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - usages: - description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - username: - description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - status: - description: Status of the CertificateRequest. This is set and managed automatically. - type: object - properties: - ca: - description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. - type: string - format: byte - certificate: - description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. - type: string - format: byte - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. 
- type: array - items: - description: CertificateRequestCondition contains condition information for a CertificateRequest. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). - type: string - failureTime: - description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. - type: string - format: date-time - served: true - storage: false - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Approved")].status - name: Approved - type: string - - jsonPath: .status.conditions[?(@.type=="Denied")].status - name: Denied - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - type: string - - jsonPath: .spec.username - name: Requestor - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. 
It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - type: object - required: - - issuerRef - - request - properties: - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. - type: string - extra: - description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: object - additionalProperties: - type: array - items: - type: string - groups: - description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 
- type: array - items: - type: string - x-kubernetes-list-type: atomic - isCA: - description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - request: - description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing. - type: string - format: byte - uid: - description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - usages: - description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified. - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - username: - description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - status: - description: Status of the CertificateRequest. This is set and managed automatically. - type: object - properties: - ca: - description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. - type: string - format: byte - certificate: - description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. - type: string - format: byte - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. 
- type: array - items: - description: CertificateRequestCondition contains condition information for a CertificateRequest. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). - type: string - failureTime: - description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. - type: string - format: date-time - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -# Source: cert-manager/templates/templates.out -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: certificates.cert-manager.io - annotations: - cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.5.0" -spec: - group: cert-manager.io - names: - kind: Certificate - listKind: CertificateList - plural: certificates - shortNames: - - cert - - certs - singular: certificate - categories: - - cert-manager - scope: Namespaced - conversion: - # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources. 
- strategy: Webhook - # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. - webhook: - # We don't actually support `v1beta1` but is listed here as it is a - # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The - # API server reads the supported versions in order, so _should always_ - # attempt a `v1` request which is understood by the cert-manager webhook. - # Any `v1beta1` request will return an error and fail closed for that - # resource (the whole object request is rejected). - # When we no longer support v1.16 we can remove `v1beta1` from this list. - conversionReviewVersions: ["v1", "v1beta1"] - clientConfig: - # - service: - name: 'cert-manager-webhook' - namespace: "cert-manager" - path: /convert - # - versions: - - name: v1alpha2 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." 
- type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - type: object - required: - - issuerRef - - secretName - properties: - commonName: - description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' - type: string - dnsNames: - description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. - type: array - items: - type: string - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - emailSANs: - description: EmailSANs is a list of email subjectAltNames to be set on the Certificate. 
- type: array - items: - type: string - encodeUsagesInRequest: - description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest - type: boolean - ipAddresses: - description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. - type: array - items: - type: string - isCA: - description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - keyAlgorithm: - description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa` If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for `ecdsa` key algorithm and key size of 2048 will be used for `rsa` key algorithm. - type: string - enum: - - rsa - - ecdsa - keyEncoding: - description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default. 
- type: string - enum: - - pkcs1 - - pkcs8 - keySize: - description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed. - type: integer - keystores: - description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. - type: object - properties: - jks: - description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - pkcs12: - description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables PKCS12 keystore creation for the Certificate. 
If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - organization: - description: Organization is a list of organizations to be used on the Certificate. - type: array - items: - type: string - privateKey: - description: Options to control private keys used for the Certificate. - type: object - properties: - rotationPolicy: - description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. - type: string - renewBefore: - description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. 
Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - revisionHistoryLimit: - description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. - type: integer - format: int32 - secretName: - description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. - type: string - secretTemplate: - description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292 - type: object - properties: - annotations: - description: Annotations is a key value map to be copied to the target Kubernetes Secret. - type: object - additionalProperties: - type: string - labels: - description: Labels is a key value map to be copied to the target Kubernetes Secret. - type: object - additionalProperties: - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - type: object - properties: - countries: - description: Countries to be used on the Certificate. - type: array - items: - type: string - localities: - description: Cities to be used on the Certificate. 
- type: array - items: - type: string - organizationalUnits: - description: Organizational Units to be used on the Certificate. - type: array - items: - type: string - postalCodes: - description: Postal codes to be used on the Certificate. - type: array - items: - type: string - provinces: - description: State/Provinces to be used on the Certificate. - type: array - items: - type: string - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - type: array - items: - type: string - uriSANs: - description: URISANs is a list of URI subjectAltNames to be set on the Certificate. - type: array - items: - type: string - usages: - description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - status: - description: Status of the Certificate. 
This is set and managed automatically. - type: object - properties: - conditions: - description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. - type: array - items: - description: CertificateCondition contains condition information for an Certificate. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `Issuing`). - type: string - lastFailureTime: - description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time. - type: string - format: date-time - nextPrivateKeySecretName: - description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. 
It will automatically unset this field when the Issuing condition is not set or False. - type: string - notAfter: - description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. - type: string - format: date-time - notBefore: - description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. - type: string - format: date-time - renewalTime: - description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. - type: string - format: date-time - revision: - description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." - type: integer - served: true - storage: false - - name: v1alpha3 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. 
Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - type: object - required: - - issuerRef - - secretName - properties: - commonName: - description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' - type: string - dnsNames: - description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. - type: array - items: - type: string - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. 
Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - emailSANs: - description: EmailSANs is a list of email subjectAltNames to be set on the Certificate. - type: array - items: - type: string - encodeUsagesInRequest: - description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest - type: boolean - ipAddresses: - description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. - type: array - items: - type: string - isCA: - description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - keyAlgorithm: - description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa` If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for `ecdsa` key algorithm and key size of 2048 will be used for `rsa` key algorithm. 
- type: string - enum: - - rsa - - ecdsa - keyEncoding: - description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default. - type: string - enum: - - pkcs1 - - pkcs8 - keySize: - description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed. - type: integer - keystores: - description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. - type: object - properties: - jks: - description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - pkcs12: - description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - privateKey: - description: Options to control private keys used for the Certificate. - type: object - properties: - rotationPolicy: - description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. 
If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. - type: string - renewBefore: - description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - revisionHistoryLimit: - description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. - type: integer - format: int32 - secretName: - description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. - type: string - secretTemplate: - description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292 - type: object - properties: - annotations: - description: Annotations is a key value map to be copied to the target Kubernetes Secret. 
- type: object - additionalProperties: - type: string - labels: - description: Labels is a key value map to be copied to the target Kubernetes Secret. - type: object - additionalProperties: - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - type: object - properties: - countries: - description: Countries to be used on the Certificate. - type: array - items: - type: string - localities: - description: Cities to be used on the Certificate. - type: array - items: - type: string - organizationalUnits: - description: Organizational Units to be used on the Certificate. - type: array - items: - type: string - organizations: - description: Organizations to be used on the Certificate. - type: array - items: - type: string - postalCodes: - description: Postal codes to be used on the Certificate. - type: array - items: - type: string - provinces: - description: State/Provinces to be used on the Certificate. - type: array - items: - type: string - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - type: array - items: - type: string - uriSANs: - description: URISANs is a list of URI subjectAltNames to be set on the Certificate. - type: array - items: - type: string - usages: - description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - status: - description: Status of the Certificate. This is set and managed automatically. - type: object - properties: - conditions: - description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. - type: array - items: - description: CertificateCondition contains condition information for an Certificate. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. 
- type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `Issuing`). - type: string - lastFailureTime: - description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time. - type: string - format: date-time - nextPrivateKeySecretName: - description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. - type: string - notAfter: - description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. - type: string - format: date-time - notBefore: - description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. - type: string - format: date-time - renewalTime: - description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. - type: string - format: date-time - revision: - description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. 
\n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." - type: integer - served: true - storage: false - - name: v1beta1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - type: object - required: - - issuerRef - - secretName - properties: - commonName: - description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' - type: string - dnsNames: - description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. - type: array - items: - type: string - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - emailSANs: - description: EmailSANs is a list of email subjectAltNames to be set on the Certificate. - type: array - items: - type: string - encodeUsagesInRequest: - description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest - type: boolean - ipAddresses: - description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. - type: array - items: - type: string - isCA: - description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. 
If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - keystores: - description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. - type: object - properties: - jks: - description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - pkcs12: - description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. 
- type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - privateKey: - description: Options to control private keys used for the Certificate. - type: object - properties: - algorithm: - description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. - type: string - enum: - - RSA - - ECDSA - encoding: - description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. - type: string - enum: - - PKCS1 - - PKCS8 - rotationPolicy: - description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. 
If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. - type: string - size: - description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed. - type: integer - renewBefore: - description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - revisionHistoryLimit: - description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. - type: integer - format: int32 - secretName: - description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. 
- type: string - secretTemplate: - description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292 - type: object - properties: - annotations: - description: Annotations is a key value map to be copied to the target Kubernetes Secret. - type: object - additionalProperties: - type: string - labels: - description: Labels is a key value map to be copied to the target Kubernetes Secret. - type: object - additionalProperties: - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - type: object - properties: - countries: - description: Countries to be used on the Certificate. - type: array - items: - type: string - localities: - description: Cities to be used on the Certificate. - type: array - items: - type: string - organizationalUnits: - description: Organizational Units to be used on the Certificate. - type: array - items: - type: string - organizations: - description: Organizations to be used on the Certificate. - type: array - items: - type: string - postalCodes: - description: Postal codes to be used on the Certificate. - type: array - items: - type: string - provinces: - description: State/Provinces to be used on the Certificate. - type: array - items: - type: string - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - type: array - items: - type: string - uriSANs: - description: URISANs is a list of URI subjectAltNames to be set on the Certificate. - type: array - items: - type: string - usages: - description: Usages is the set of x509 usages that are requested for the certificate. 
Defaults to `digital signature` and `key encipherment` if not specified. - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - status: - description: Status of the Certificate. This is set and managed automatically. - type: object - properties: - conditions: - description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. - type: array - items: - description: CertificateCondition contains condition information for an Certificate. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `Issuing`). - type: string - lastFailureTime: - description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time. - type: string - format: date-time - nextPrivateKeySecretName: - description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. - type: string - notAfter: - description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. - type: string - format: date-time - notBefore: - description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. - type: string - format: date-time - renewalTime: - description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. - type: string - format: date-time - revision: - description: "The current 'revision' of the certificate as issued. 
\n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." - type: integer - served: true - storage: false - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - type: object - required: - - issuerRef - - secretName - properties: - commonName: - description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' - type: string - dnsNames: - description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. - type: array - items: - type: string - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - emailAddresses: - description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate. - type: array - items: - type: string - encodeUsagesInRequest: - description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest - type: boolean - ipAddresses: - description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. 
- type: array - items: - type: string - isCA: - description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - keystores: - description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. - type: object - properties: - jks: - description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - pkcs12: - description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - privateKey: - description: Options to control private keys used for the Certificate. - type: object - properties: - algorithm: - description: Algorithm is the private key algorithm of the corresponding private key for this certificate. 
If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. - type: string - enum: - - RSA - - ECDSA - - Ed25519 - encoding: - description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. - type: string - enum: - - PKCS1 - - PKCS8 - rotationPolicy: - description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. - type: string - size: - description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. - type: integer - renewBefore: - description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. 
Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration - type: string - revisionHistoryLimit: - description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. - type: integer - format: int32 - secretName: - description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. - type: string - secretTemplate: - description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292 - type: object - properties: - annotations: - description: Annotations is a key value map to be copied to the target Kubernetes Secret. - type: object - additionalProperties: - type: string - labels: - description: Labels is a key value map to be copied to the target Kubernetes Secret. - type: object - additionalProperties: - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - type: object - properties: - countries: - description: Countries to be used on the Certificate. - type: array - items: - type: string - localities: - description: Cities to be used on the Certificate. 
- type: array - items: - type: string - organizationalUnits: - description: Organizational Units to be used on the Certificate. - type: array - items: - type: string - organizations: - description: Organizations to be used on the Certificate. - type: array - items: - type: string - postalCodes: - description: Postal codes to be used on the Certificate. - type: array - items: - type: string - provinces: - description: State/Provinces to be used on the Certificate. - type: array - items: - type: string - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - type: array - items: - type: string - uris: - description: URIs is a list of URI subjectAltNames to be set on the Certificate. - type: array - items: - type: string - usages: - description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - status: - description: Status of the Certificate. This is set and managed automatically. - type: object - properties: - conditions: - description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. - type: array - items: - description: CertificateCondition contains condition information for an Certificate. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. 
- type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `Issuing`). - type: string - lastFailureTime: - description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time. - type: string - format: date-time - nextPrivateKeySecretName: - description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. - type: string - notAfter: - description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. - type: string - format: date-time - notBefore: - description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. - type: string - format: date-time - renewalTime: - description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. - type: string - format: date-time - revision: - description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. 
\n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." - type: integer - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -# Source: cert-manager/templates/templates.out -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: challenges.acme.cert-manager.io - annotations: - cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.5.0" -spec: - group: acme.cert-manager.io - names: - kind: Challenge - listKind: ChallengeList - plural: challenges - singular: challenge - categories: - - cert-manager - - cert-manager-acme - scope: Namespaced - conversion: - # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources. - strategy: Webhook - # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. - webhook: - # We don't actually support `v1beta1` but is listed here as it is a - # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The - # API server reads the supported versions in order, so _should always_ - # attempt a `v1` request which is understood by the cert-manager webhook. - # Any `v1beta1` request will return an error and fail closed for that - # resource (the whole object request is rejected). - # When we no longer support v1.16 we can remove `v1beta1` from this list. 
- conversionReviewVersions: ["v1", "v1beta1"] - clientConfig: - # - service: - name: 'cert-manager-webhook' - namespace: "cert-manager" - path: /convert - # - versions: - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an ACME server - type: object - required: - - metadata - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - authzURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - properties: - authzURL: - description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of. - type: string - dnsName: - description: DNSName is the identifier that this challenge is for, e.g. example.com. 
If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - key: - description: 'Key is the ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.' - type: string - solver: - description: Solver contains the domain solving configuration that should be used to solve this challenge resource. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - clouddns: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 
- type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 
- type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. 
- type: object - additionalProperties: - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 
- type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
- type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 
- type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. 
- type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. 
The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. 
If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - token: - description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server. - type: string - type: - description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01". - type: string - enum: - - http-01 - - dns-01 - url: - description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. - type: boolean - status: - type: object - properties: - presented: - description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action. - type: boolean - reason: - description: Reason contains human readable information on why the Challenge is in the current state. - type: string - state: - description: State contains the current 'state' of the challenge. 
If not set, the state of the challenge is unknown. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an ACME server - type: object - required: - - metadata - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - authzURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - properties: - authzURL: - description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of. 
- type: string - dnsName: - description: DNSName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - key: - description: 'Key is the ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.' - type: string - solver: - description: Solver contains the domain solving configuration that should be used to solve this challenge resource. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - clouddns: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 
- type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. 
- type: object - properties: - labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. - type: object - additionalProperties: - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. 
This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
- type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - token: - description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server. - type: string - type: - description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01". - type: string - enum: - - http-01 - - dns-01 - url: - description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. - type: boolean - status: - type: object - properties: - presented: - description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. 
If this field is set to false, the challenge controller will not take any more action. - type: boolean - reason: - description: Reason contains human readable information on why the Challenge is in the current state. - type: string - state: - description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an ACME server - type: object - required: - - metadata - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - authorizationURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - properties: - authorizationURL: - description: The URL to the ACME Authorization resource that this challenge is a part of. - type: string - dnsName: - description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. - type: string - issuerRef: - description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - key: - description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.' - type: string - solver: - description: Contains the domain solving configuration that should be used to solve this challenge resource. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. 
- type: object - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - clouddns: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
- type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. 
If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. 
If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 
- type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. - type: object - additionalProperties: - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. 
- type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. 
- type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 
- type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
- type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - token: - description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server. - type: string - type: - description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01". - type: string - enum: - - HTTP-01 - - DNS-01 - url: - description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. - type: boolean - status: - type: object - properties: - presented: - description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. 
If this field is set to false, the challenge controller will not take any more action. - type: boolean - reason: - description: Contains human readable information on why the Challenge is in the current state. - type: string - state: - description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an ACME server - type: object - required: - - metadata - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - authorizationURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - properties: - authorizationURL: - description: The URL to the ACME Authorization resource that this challenge is a part of. - type: string - dnsName: - description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. - type: string - issuerRef: - description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - key: - description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.' - type: string - solver: - description: Contains the domain solving configuration that should be used to solve this challenge resource. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. 
- type: object - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
- type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. 
If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. 
If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 
- type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. - type: object - additionalProperties: - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. 
- type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. 
- type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 
- type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
- type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - token: - description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server. - type: string - type: - description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01". - type: string - enum: - - HTTP-01 - - DNS-01 - url: - description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. - type: boolean - status: - type: object - properties: - presented: - description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. 
If this field is set to false, the challenge controller will not take any more action. - type: boolean - reason: - description: Contains human readable information on why the Challenge is in the current state. - type: string - state: - description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -# Source: cert-manager/templates/templates.out -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusterissuers.cert-manager.io - annotations: - cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.5.0" -spec: - group: cert-manager.io - names: - kind: ClusterIssuer - listKind: ClusterIssuerList - plural: clusterissuers - singular: clusterissuer - categories: - - cert-manager - scope: Cluster - conversion: - # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources. - strategy: Webhook - # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. - webhook: - # We don't actually support `v1beta1` but is listed here as it is a - # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The - # API server reads the supported versions in order, so _should always_ - # attempt a `v1` request which is understood by the cert-manager webhook. - # Any `v1beta1` request will return an error and fail closed for that - # resource (the whole object request is rejected). 
- # When we no longer support v1.16 we can remove `v1beta1` from this list. - conversionReviewVersions: ["v1", "v1beta1"] - clientConfig: - # - service: - name: 'cert-manager-webhook' - namespace: "cert-manager" - path: /convert - # - versions: - - name: v1alpha2 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. 
- type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. - type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. 
- type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - clouddns: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. 
- type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. 
- type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. 
- type: object - properties: - labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. - type: object - additionalProperties: - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. 
This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
- type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. - type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 
- type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
- type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. 
- type: string - format: byte - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. 
If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. 
- type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). - type: string - served: true - storage: false - - name: v1alpha3 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. 
It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. 
- type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. 
PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. 
Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - clouddns: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 
- type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 
- type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 
- type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. - type: object - additionalProperties: - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 
- type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. 
Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. 
- type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. 
- type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. 
due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
- type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. - type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 
- type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
- type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. 
- type: string - format: byte - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. 
If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. 
- type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). - type: string - served: true - storage: false - - name: v1beta1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. 
It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. 
- type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. 
PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. 
Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - clouddns: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 
- type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 
- type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 
- type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. - type: object - additionalProperties: - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 
- type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 
- type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. 
- type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. 
- type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. 
all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
- type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. - type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 
- type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
- type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. 
- type: string - format: byte - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. 
If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. 
- type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). - type: string - served: true - storage: false - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. 
It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. 
- type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. 
PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. 
Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 
- type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 
- type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 
- type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. - type: object - additionalProperties: - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 
- type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 
- type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. 
- type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. 
- type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. 
all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
- type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. - type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 
- type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
- type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. 
- type: string - format: byte - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. 
If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. 
- type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). - type: string - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -# Source: cert-manager/templates/templates.out -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: issuers.cert-manager.io - annotations: - cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.5.0" -spec: - group: cert-manager.io - names: - kind: Issuer - listKind: IssuerList - plural: issuers - singular: issuer - categories: - - cert-manager - scope: Namespaced - conversion: - # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources. 
- strategy: Webhook - # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. - webhook: - # We don't actually support `v1beta1` but is listed here as it is a - # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The - # API server reads the supported versions in order, so _should always_ - # attempt a `v1` request which is understood by the cert-manager webhook. - # Any `v1beta1` request will return an error and fail closed for that - # resource (the whole object request is rejected). - # When we no longer support v1.16 we can remove `v1beta1` from this list. - conversionReviewVersions: ["v1", "v1beta1"] - clientConfig: - # - service: - name: 'cert-manager-webhook' - namespace: "cert-manager" - path: /convert - # - versions: - - name: v1alpha2 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. - type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. 
If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. 
This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. 
For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - clouddns: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 
- type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 
- type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 
- type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. - type: object - additionalProperties: - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 
- type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. 
Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. 
- type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. 
- type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. 
due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
- type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. - type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 
- type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
- type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. 
- type: string - format: byte - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. 
If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the Issuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. 
- type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). - type: string - served: true - storage: false - - name: v1alpha3 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. 
- type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. - type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. 
If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. 
For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + maxLength: 64 + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + server: + description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string skipTLSVerify: description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. @@ -12003,14 +144,14 @@ spec: description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' type: array items: - description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided. + description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. type: object properties: dns01: description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. type: object properties: - acmedns: + acmeDNS: description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. type: object required: 
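Review bot: Renaming the dns01 provider key from `acmedns` to `acmeDNS` (and `azuredns`/`clouddns` in the two hunks on the following line) breaks any existing Issuer or ClusterIssuer that still uses the lowercase key: assuming this is an apiextensions.k8s.io/v1 CRD without `x-kubernetes-preserve-unknown-fields`, the unknown key is pruned on the next write and the solver is left with no provider, which surfaces only as failed challenges rather than as a validation error. If this is the vendored upstream cert-manager CRD the rename itself is correct, but the PR description should state the required manifest migration and the in-repo Issuer overlays should be checked for the old keys before merge. The enclosing `dns01` properties mapping continues past the end of this hunk.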
@@ -12078,7 +219,7 @@ spec: type: string serviceConsumerDomain: type: string - azuredns: + azureDNS: description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. type: object required: @@ -12101,6 +242,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud @@ -12108,15 +250,28 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed type: string - clouddns: + cloudDNS: description: Use the Google Cloud DNS API to manage DNS01 challenge records. type: object required: 
@@ -12228,8 +383,20 @@ spec: - region properties: accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string hostedZoneID: description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. type: string 
@@ -12240,7 +407,7 @@ spec: description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata type: string secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: object required: - name 
@@ -12276,12 +443,57 @@ spec: type: object properties: labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. type: object additionalProperties: type: string + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + type: object + required: + - name + properties: + group: + description: "Group is the group of the referent. \n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Custom (Other Resources)" + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. 
When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. 
If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. type: string ingress: description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. @@ -12291,7 +503,7 @@ spec: description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. type: string ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. type: object properties: metadata: 
@@ -12397,6 +609,7 @@ spec: type: array items: type: string + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. type: integer @@ -12456,6 +669,8 @@ spec: type: array items: type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic podAffinity: description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). type: object @@ -12506,8 +721,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. type: object properties: matchExpressions: 
@@ -12536,8 +752,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". type: array items: type: string @@ -12587,8 +804,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. type: object properties: matchExpressions: 
@@ -12617,8 +835,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". type: array items: type: string @@ -12675,8 +894,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. type: object properties: matchExpressions: 
@@ -12705,8 +925,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". type: array items: type: string @@ -12756,8 +977,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. type: object properties: matchExpressions: 
@@ -12786,8 +1008,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". type: array items: type: string @@ -12829,7 +1052,7 @@ spec: description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. type: string selector: description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 
@@ -12954,9 +1177,21 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection. type: string format: byte + caBundleSecretRef: + description: CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string namespace: description: 'Name of the vault namespace. 
Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' type: string @@ -13020,7 +1255,7 @@ spec: description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. type: string status: - description: Status of the Issuer. This is set and managed automatically. + description: Status of the ClusterIssuer. This is set and managed automatically. type: object properties: acme: 
@@ -13067,28 +1302,57 @@ spec: type: description: Type of the condition, known values are (`Ready`). type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map served: true - storage: false - - name: v1beta1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: challenges.acme.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.10.1" +spec: + group: acme.cert-manager.io + names: + kind: Challenge + listKind: ChallengeList + plural: challenges + singular: challenge + categories: + - cert-manager + - cert-manager-acme + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status + - jsonPath: .spec.dnsName + name: Domain + type: string + - jsonPath: .status.reason + name: Reason priority: 1 type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 
+ jsonPath: .metadata.creationTimestamp name: Age type: date + name: v1 schema: openAPIV3Schema: - description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. + description: Challenge is a type to represent a Challenge request with an ACME server type: object required: + - metadata - spec properties: apiVersion: 
@@ -13100,1115 +1364,1179 @@ spec: metadata: type: object spec: - description: Desired state of the Issuer resource. type: object + required: + - authorizationURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. + authorizationURL: + description: The URL to the ACME Authorization resource that this challenge is a part of. + type: string + dnsName: + description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. + type: string + issuerRef: + description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. type: object required: - - privateKeySecretRef - - server + - name properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. + group: + description: Group of the resource being referred to. 
type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + key: + description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.' + type: string + solver: + description: Contains the domain solving configuration that should be used to solve this challenge resource. + type: object + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. type: object - required: - - keyID - - keySecretRef properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
+ type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientSecretSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
+ type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset MSI will be used + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and ClientSecret then this field is also needed + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. + type: object + required: + - project + properties: + hostedZoneName: + description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. type: string enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. 
The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. type: object required: - - name + - tokenSecretRef properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - clouddns: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. + tokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. 
In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 
+ type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + webhook: + description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. 
This should be the same as the GroupName specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. + type: object + additionalProperties: type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. 
If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. 
See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." type: object required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 
- type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. - type: object - additionalProperties: - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object + - name properties: - class: - description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. 
- type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string + group: + description: "Group is the group of the referent. \n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Custom (Other Resources)" + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 
- type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. 
\n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + ingress: + description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 
+ type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 challenge solver pod. 
Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). type: object + required: + - preference + - weight properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. type: object + required: + - key + - operator properties: - matchExpressions: - description: A list of node selector requirements by node's labels. + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. type: array items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. type: array items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. 
- type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. + type: string + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. 
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. type: object - required: - - nodeSelectorTerms properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. + matchExpressions: + description: A list of node selector requirements by node's labels. type: array items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. type: object + required: + - key + - operator properties: - matchExpressions: - description: A list of node selector requirements by node's labels. + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. type: array items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. type: array items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) type: object + required: + - podAffinityTerm + - weight properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. type: object + required: + - key + - operator properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. type: array items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. type: object + required: + - key + - operator properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. type: array items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. type: object + required: + - key + - operator properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
type: array items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. type: object + required: + - key + - operator properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 
- type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". type: array items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 
+ type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. type: object + required: + - key + - operator properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + key: + description: key is the label key that the selector applies to. 
+ type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. type: array items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 
+ matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. type: object + required: + - key + - operator properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. type: array items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + additionalProperties: type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. 
Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. type: object + required: + - key + - operator properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. type: array items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: type: string - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + matchLabels: + description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. type: object + required: + - key + - operator properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. type: array items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. 
- type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: type: string - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: type: string - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. 
Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. 
Supported values are NodePort or ClusterIP (default). - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. 
- type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. - type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 
- type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - type: string - format: byte - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. 
- type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. 
+ type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + type: object + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. 
Only one of TPP or Cloud may be specified. + selector: + description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. type: object - required: - - credentialsRef - - url properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. + dnsNames: + description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 
+ type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string + additionalProperties: + type: string + token: + description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server. + type: string + type: + description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01". + type: string + enum: + - HTTP-01 + - DNS-01 + url: + description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. + type: string + wildcard: + description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. + type: boolean status: - description: Status of the Issuer. This is set and managed automatically. type: object properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. + presented: + description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. 
the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action. + type: boolean + reason: + description: Contains human readable information on why the Challenge is in the current state. + type: string + state: + description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + served: true + storage: true + subresources: + status: {} +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificaterequests.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.10.1" +spec: + group: cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + shortNames: + - cr + - crs + singular: certificaterequest + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Approved")].status + name: Approved + type: string + - jsonPath: .status.conditions[?(@.type=="Denied")].status + name: Denied + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + type: string + - jsonPath: .spec.username + name: Requestor + type: string + - jsonPath: 
.status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the CertificateRequest resource. + type: object + required: + - issuerRef + - request + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. 
+ type: string + extra: + description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: object + additionalProperties: + type: array + items: + type: string + groups: + description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: array + items: + type: string + x-kubernetes-list-type: atomic + isCA: + description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty. type: object + required: + - name properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + group: + description: Group of the resource being referred to. type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. type: string + request: + description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing. 
+ type: string + format: byte + uid: + description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified. + type: array + items: + description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + username: + description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: string + status: + description: Status of the CertificateRequest. This is set and managed automatically. + type: object + properties: + ca: + description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. 
If not set, the CA is assumed to be unknown/not available. + type: string + format: byte + certificate: + description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. + type: string + format: byte conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. type: array items: - description: IssuerCondition contains condition information for an Issuer. + description: CertificateRequestCondition contains condition information for a CertificateRequest. type: object required: - status @@ -14221,10 +2549,6 @@ spec: message: description: Message is a human readable description of the details of the last transition, complementing reason. type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 reason: description: Reason is a brief machine readable explanation for the condition's last transition. type: string 
@@ -14236,10 +2560,40 @@ spec: - "False" - Unknown type: - description: Type of the condition, known values are (`Ready`). + description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. + type: string + format: date-time served: true - storage: false + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: issuers.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.10.1" +spec: + group: cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + categories: + - cert-manager + scope: Namespaced + versions: - name: v1 subresources: status: {} @@ -14443,6 +2797,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -14450,10 +2805,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed 
@@ -14570,8 +2938,20 @@ spec: - region properties: accessKeyID: - description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string hostedZoneID: description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. type: string 
@@ -14582,7 +2962,7 @@ spec: description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata type: string secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: object required: - name 
@@ -14618,12 +2998,57 @@ spec: type: object properties: labels: - description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. type: object additionalProperties: type: string + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + type: object + required: + - name + properties: + group: + description: "Group is the group of the referent. \n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Custom (Other Resources)" + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. 
When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. 
If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. type: string ingress: description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. @@ -14739,6 +3164,7 @@ spec: type: array items: type: string + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. type: integer @@ -14798,6 +3224,8 @@ spec: type: array items: type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic podAffinity: description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). type: object 
@@ -14848,8 +3276,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. type: object properties: matchExpressions: @@ -14878,8 +3307,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". type: array items: type: string 
@@ -14929,8 +3359,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. type: object properties: matchExpressions: @@ -14959,8 +3390,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". type: array items: type: string 
@@ -15017,8 +3449,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. type: object properties: matchExpressions: @@ -15047,8 +3480,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". type: array items: type: string 
@@ -15098,8 +3532,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. type: object properties: matchExpressions: @@ -15128,8 +3563,9 @@ spec: type: object additionalProperties: type: string + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". type: array items: type: string 
@@ -15171,7 +3607,7 @@ spec: description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP (default). + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. type: string selector: description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 
@@ -15296,500 +3732,178 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection. type: string format: byte - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 
- type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. + caBundleSecretRef: + description: CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. type: object required: - - credentialsRef - - url + - name properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the Issuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. 
- type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). - type: string - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -# Source: cert-manager/templates/templates.out -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: orders.acme.cert-manager.io - annotations: - cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.5.0" -spec: - group: acme.cert-manager.io - names: - kind: Order - listKind: OrderList - plural: orders - singular: order - categories: - - cert-manager - - cert-manager-acme - scope: Namespaced - conversion: - # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources. 
- strategy: Webhook - # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. - webhook: - # We don't actually support `v1beta1` but is listed here as it is a - # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The - # API server reads the supported versions in order, so _should always_ - # attempt a `v1` request which is understood by the cert-manager webhook. - # Any `v1beta1` request will return an error and fail closed for that - # resource (the whole object request is rejected). - # When we no longer support v1.16 we can remove `v1beta1` from this list. - conversionReviewVersions: ["v1", "v1beta1"] - clientConfig: - # - service: - name: 'cert-manager-webhook' - namespace: "cert-manager" - path: /convert - # - versions: - - name: v1alpha2 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - type: object - required: - - metadata - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - csr - - issuerRef - properties: - commonName: - description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. - type: string - csr: - description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. - type: string - format: byte - dnsNames: - description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. - type: array - items: - type: string - duration: - description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. - type: string - ipAddresses: - description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. - type: array - items: - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. 
- type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. + namespace: + description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' type: string - kind: - description: Kind of the resource being referred to. + path: + description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' type: string - name: - description: Name of the resource being referred to. + server: + description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string - status: - type: object - properties: - authorizations: - description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. - type: array - items: - description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. - type: object - required: - - url - properties: - challenges: - description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. - type: array - items: - description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. + venafi: + description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. 
+ type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. + type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. type: object required: - - token - - type - - url + - name properties: - token: - description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. type: string - type: - description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - url: - description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. + url: + description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. 
+ type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - identifier: - description: Identifier is the DNS name to be validated as part of this authorization - type: string - initialState: - description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL is the URL of the Authorization that must be completed - type: string - wildcard: - description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - certificate: - description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. - type: string - format: byte - failureTime: - description: FailureTime stores the time that this order failed. 
This is used to influence garbage collection and back-off. - type: string - format: date-time - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. - type: string - reason: - description: Reason optionally provides more information about a why the order is in the current state. - type: string - state: - description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final' - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. - type: string - served: true - storage: false - - name: v1alpha3 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - type: object - required: - - metadata - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: + url: + description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. + type: string + status: + description: Status of the Issuer. This is set and managed automatically. type: object - required: - - csr - - issuerRef properties: - commonName: - description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. - type: string - csr: - description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. - type: string - format: byte - dnsNames: - description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. - type: array - items: - type: string - duration: - description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. - type: string - ipAddresses: - description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. 
This field must match the corresponding field on the DER encoded CSR. - type: array - items: - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. + acme: + description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. type: object - required: - - name properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer type: string - name: - description: Name of the resource being referred to. + uri: + description: URI is the unique account identifier, which can also be used to retrieve account details from the CA type: string - status: - type: object - properties: - authorizations: - description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. type: array items: - description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. + description: IssuerCondition contains condition information for an Issuer. type: object required: - - url + - status + - type properties: - challenges: - description: Challenges specifies the challenge types offered by the ACME server. 
One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. - type: array - items: - description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. - type: object - required: - - token - - type - - url - properties: - token: - description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. - type: string - type: - description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. - type: string - url: - description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. - type: string - identifier: - description: Identifier is the DNS name to be validated as part of this authorization + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. type: string - initialState: - description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. 
+ type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. + type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). type: string enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL is the URL of the Authorization that must be completed + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`). type: string - wildcard: - description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - certificate: - description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. - type: string - format: byte - failureTime: - description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. - type: string - format: date-time - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. - type: string - reason: - description: Reason optionally provides more information about a why the order is in the current state. 
- type: string - state: - description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final' - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. - type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map served: true - storage: false - - name: v1beta1 + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificates.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.10.1" +spec: + group: cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 subresources: status: {} additionalPrinterColumns: - - jsonPath: .status.state - name: State + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.secretName + name: Secret type: string - jsonPath: .spec.issuerRef.name name: Issuer priority: 1 type: string - - jsonPath: .status.reason - name: Reason + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status priority: 1 type: string - jsonPath: .metadata.creationTimestamp 
@@ -15798,10 +3912,9 @@ spec: type: date schema: openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server + description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." type: object required: - - metadata - spec properties: apiVersion: 
@@ -15813,128 +3926,339 @@ spec: metadata: type: object spec: + description: Desired state of the Certificate resource. type: object required: - issuerRef - - request + - secretName properties: + additionalOutputFormats: + description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components. + type: array + items: + description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key. + type: object + required: + - type + properties: + type: + description: Type is the name of the format type that should be written to the Certificate's target Secret. + type: string + enum: + - DER + - CombinedPEM commonName: - description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. + description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' type: string dnsNames: - description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. + description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. + type: array + items: + type: string + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. 
This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + emailAddresses: + description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate. + type: array + items: + type: string + encodeUsagesInRequest: + description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest + type: boolean + ipAddresses: + description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. + type: array + items: + type: string + isCA: + description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + keystores: + description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. + type: object + properties: + jks: + description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. 
+ type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. 
+ type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + literalSubject: + description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook. + type: string + privateKey: + description: Options to control private keys used for the Certificate. + type: object + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. + type: string + enum: + - RSA + - ECDSA + - Ed25519 + encoding: + description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. 
+ type: string + enum: + - PKCS1 + - PKCS8 + rotationPolicy: + description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. + type: string + enum: + - Never + - Always + size: + description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. + type: integer + renewBefore: + description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + revisionHistoryLimit: + description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. 
+ type: integer + format: int32 + secretName: + description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. + type: string + secretTemplate: + description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. + type: object + properties: + annotations: + description: Annotations is a key value map to be copied to the target Kubernetes Secret. + type: object + additionalProperties: + type: string + labels: + description: Labels is a key value map to be copied to the target Kubernetes Secret. + type: object + additionalProperties: + type: string + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + type: object + properties: + countries: + description: Countries to be used on the Certificate. + type: array + items: + type: string + localities: + description: Cities to be used on the Certificate. + type: array + items: + type: string + organizationalUnits: + description: Organizational Units to be used on the Certificate. + type: array + items: + type: string + organizations: + description: Organizations to be used on the Certificate. + type: array + items: + type: string + postalCodes: + description: Postal codes to be used on the Certificate. + type: array + items: + type: string + provinces: + description: State/Provinces to be used on the Certificate. + type: array + items: + type: string + serialNumber: + description: Serial number to be used on the Certificate. 
+ type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + type: array + items: + type: string + uris: + description: URIs is a list of URI subjectAltNames to be set on the Certificate. type: array items: type: string - duration: - description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. - type: string - ipAddresses: - description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. + usages: + description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. type: array items: + description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. 
- type: string - name: - description: Name of the resource being referred to. - type: string - request: - description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. - type: string - format: byte + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc status: + description: Status of the Certificate. This is set and managed automatically. type: object properties: - authorizations: - description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. + conditions: + description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. type: array items: - description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. + description: CertificateCondition contains condition information for an Certificate. type: object required: - - url + - status + - type properties: - challenges: - description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. - type: array - items: - description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. 
- type: object - required: - - token - - type - - url - properties: - token: - description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. - type: string - type: - description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. - type: string - url: - description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. - type: string - identifier: - description: Identifier is the DNS name to be validated as part of this authorization + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. type: string - initialState: - description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. 
+ type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). type: string enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL is the URL of the Authorization that must be completed + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`, `Issuing`). type: string - wildcard: - description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - certificate: - description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. - type: string - format: byte - failureTime: - description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. 
If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time. type: string format: date-time - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. type: string - reason: - description: Reason optionally provides more information about a why the order is in the current state. + notAfter: + description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. type: string - state: - description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final' + format: date-time + notBefore: + description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. + format: date-time + renewalTime: + description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. type: string + format: date-time + revision: + description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. 
\n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." + type: integer served: true - storage: false + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: orders.acme.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.10.1" +spec: + group: acme.cert-manager.io + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + categories: + - cert-manager + - cert-manager-acme + scope: Namespaced + versions: - name: v1 subresources: status: {} @@ -16093,17 +4417,6 @@ spec: type: string served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager --- # Source: cert-manager/templates/cainjector-serviceaccount.yaml apiVersion: v1 @@ -16111,13 +4424,13 @@ kind: ServiceAccount automountServiceAccountToken: true metadata: name: cert-manager-cainjector - namespace: "cert-manager" + namespace: cert-manager labels: app: cainjector app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" --- # Source: cert-manager/templates/serviceaccount.yaml apiVersion: v1 
@@ -16125,13 +4438,13 @@ kind: ServiceAccount automountServiceAccountToken: true metadata: name: cert-manager - namespace: "cert-manager" + namespace: cert-manager labels: app: cert-manager app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" --- # Source: cert-manager/templates/webhook-serviceaccount.yaml apiVersion: v1 @@ -16139,13 +4452,26 @@ kind: ServiceAccount automountServiceAccountToken: true metadata: name: cert-manager-webhook - namespace: "cert-manager" + namespace: cert-manager + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.10.1" +--- +# Source: cert-manager/templates/webhook-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: cert-manager-webhook + namespace: cert-manager labels: app: webhook app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.5.0" +data: --- # Source: cert-manager/templates/cainjector-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -16157,7 +4483,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates"] @@ -16177,9 +4503,6 @@ rules: - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch", "update"] - - apiGroups: ["auditregistration.k8s.io"] - resources: ["auditsinks"] - verbs: ["get", "list", "watch", "update"] --- # Source: cert-manager/templates/rbac.yaml # Issuer controller role 
@@ -16192,11 +4515,11 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: - apiGroups: ["cert-manager.io"] resources: ["issuers", "issuers/status"] - verbs: ["update"] + verbs: ["update", "patch"] - apiGroups: ["cert-manager.io"] resources: ["issuers"] verbs: ["get", "list", "watch"] @@ -16218,11 +4541,11 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: - apiGroups: ["cert-manager.io"] resources: ["clusterissuers", "clusterissuers/status"] - verbs: ["update"] + verbs: ["update", "patch"] - apiGroups: ["cert-manager.io"] resources: ["clusterissuers"] verbs: ["get", "list", "watch"] @@ -16244,11 +4567,11 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] - verbs: ["update"] + verbs: ["update", "patch"] - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] verbs: ["get", "list", "watch"] @@ -16263,7 +4586,7 @@ rules: verbs: ["create", "delete", "get", "list", "watch"] - apiGroups: [""] resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] + verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] 
@@ -16279,11 +4602,11 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: - apiGroups: ["acme.cert-manager.io"] resources: ["orders", "orders/status"] - verbs: ["update"] + verbs: ["update", "patch"] - apiGroups: ["acme.cert-manager.io"] resources: ["orders", "challenges"] verbs: ["get", "list", "watch"] @@ -16317,12 +4640,12 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: # Use to update challenge resource status - apiGroups: ["acme.cert-manager.io"] resources: ["challenges", "challenges/status"] - verbs: ["update"] + verbs: ["update", "patch"] # Used to watch challenge resources - apiGroups: ["acme.cert-manager.io"] resources: ["challenges"] @@ -16346,7 +4669,7 @@ rules: - apiGroups: ["networking.k8s.io"] resources: ["ingresses"] verbs: ["get", "list", "watch", "create", "delete", "update"] - - apiGroups: [ "networking.x-k8s.io" ] + - apiGroups: [ "gateway.networking.k8s.io" ] resources: [ "httproutes" ] verbs: ["get", "list", "watch", "create", "delete", "update"] # We require the ability to specify a custom hostname when we are creating @@ -16377,7 +4700,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificaterequests"] 
@@ -16394,11 +4717,11 @@ rules: - apiGroups: ["networking.k8s.io"] resources: ["ingresses/finalizers"] verbs: ["update"] - - apiGroups: ["networking.x-k8s.io"] + - apiGroups: ["gateway.networking.k8s.io"] resources: ["gateways", "httproutes"] verbs: ["get", "list", "watch"] - - apiGroups: ["networking.x-k8s.io"] - resources: ["gateways/finalizers", "httproutes/finalisers"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gateways/finalizers", "httproutes/finalizers"] verbs: ["update"] - apiGroups: [""] resources: ["events"] @@ -16414,7 +4737,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -16436,13 +4759,16 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificaterequests", "issuers"] verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates/status"] + verbs: ["update"] - apiGroups: ["acme.cert-manager.io"] resources: ["challenges", "orders"] verbs: ["create", "delete", "deletecollection", "patch", "update"] @@ -16458,7 +4784,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: - apiGroups: ["cert-manager.io"] resources: ["signers"] 
@@ -16478,14 +4804,14 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: - apiGroups: ["certificates.k8s.io"] resources: ["certificatesigningrequests"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["certificates.k8s.io"] resources: ["certificatesigningrequests/status"] - verbs: ["update"] + verbs: ["update", "patch"] - apiGroups: ["certificates.k8s.io"] resources: ["signers"] resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] @@ -16504,7 +4830,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] @@ -16520,14 +4846,14 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-cainjector subjects: - name: cert-manager-cainjector - namespace: "cert-manager" + namespace: cert-manager kind: ServiceAccount --- # Source: cert-manager/templates/rbac.yaml @@ -16540,14 +4866,14 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-issuers subjects: - name: cert-manager - namespace: "cert-manager" + namespace: cert-manager kind: ServiceAccount --- # Source: cert-manager/templates/rbac.yaml 
@@ -16560,14 +4886,14 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-clusterissuers subjects: - name: cert-manager - namespace: "cert-manager" + namespace: cert-manager kind: ServiceAccount --- # Source: cert-manager/templates/rbac.yaml @@ -16580,14 +4906,14 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-certificates subjects: - name: cert-manager - namespace: "cert-manager" + namespace: cert-manager kind: ServiceAccount --- # Source: cert-manager/templates/rbac.yaml @@ -16600,14 +4926,14 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-orders subjects: - name: cert-manager - namespace: "cert-manager" + namespace: cert-manager kind: ServiceAccount --- # Source: cert-manager/templates/rbac.yaml @@ -16620,14 +4946,14 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-challenges subjects: - name: cert-manager - namespace: "cert-manager" + namespace: cert-manager kind: ServiceAccount --- # Source: cert-manager/templates/rbac.yaml 
@@ -16640,14 +4966,14 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-ingress-shim subjects: - name: cert-manager - namespace: "cert-manager" + namespace: cert-manager kind: ServiceAccount --- # Source: cert-manager/templates/rbac.yaml @@ -16660,14 +4986,14 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-approve:cert-manager-io subjects: - name: cert-manager - namespace: "cert-manager" + namespace: cert-manager kind: ServiceAccount --- # Source: cert-manager/templates/rbac.yaml @@ -16680,14 +5006,14 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-certificatesigningrequests subjects: - name: cert-manager - namespace: "cert-manager" + namespace: cert-manager kind: ServiceAccount --- # Source: cert-manager/templates/webhook-rbac.yaml @@ -16700,7 +5026,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
@@ -16723,21 +5049,13 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: # Used for leader election by the controller # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller # see cmd/cainjector/start.go#L113 # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller # see cmd/cainjector/start.go#L137 - # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688 - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] - verbs: ["get", "update", "patch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] @@ -16757,17 +5075,8 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: - # Used for leader election by the controller - # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688 - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["cert-manager-controller"] - verbs: ["get", "update", "patch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] resourceNames: ["cert-manager-controller"] 
@@ -16781,13 +5090,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: cert-manager-webhook:dynamic-serving - namespace: "cert-manager" + namespace: cert-manager labels: app: webhook app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" rules: - apiGroups: [""] resources: ["secrets"] @@ -16812,7 +5121,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -16835,7 +5144,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -16851,13 +5160,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cert-manager-webhook:dynamic-serving - namespace: "cert-manager" + namespace: cert-manager labels: app: webhook app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role 
@@ -16873,20 +5182,20 @@ apiVersion: v1 kind: Service metadata: name: cert-manager - namespace: "cert-manager" + namespace: cert-manager labels: app: cert-manager app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" spec: type: ClusterIP ports: - - protocol: TCP - port: 9402 - name: tcp-prometheus-servicemonitor - targetPort: 9402 + - protocol: TCP + port: 9402 + name: tcp-prometheus-servicemonitor + targetPort: 9402 selector: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager @@ -16897,20 +5206,20 @@ apiVersion: v1 kind: Service metadata: name: cert-manager-webhook - namespace: "cert-manager" + namespace: cert-manager labels: app: webhook app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" spec: type: ClusterIP ports: - name: https port: 443 protocol: TCP - targetPort: 10250 + targetPort: "https" selector: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager @@ -16921,13 +5230,13 @@ apiVersion: apps/v1 kind: Deployment metadata: name: cert-manager-cainjector - namespace: "cert-manager" + namespace: cert-manager labels: app: cainjector app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" spec: replicas: 1 selector: 
@@ -16942,14 +5251,16 @@ spec: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" spec: serviceAccountName: cert-manager-cainjector securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - - name: cert-manager - image: "quay.io/jetstack/cert-manager-cainjector:v1.5.0" + - name: cert-manager-cainjector + image: "quay.io/jetstack/cert-manager-cainjector:v1.10.1" imagePullPolicy: IfNotPresent args: - --v=2 @@ -16959,21 +5270,26 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - resources: - {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + nodeSelector: + kubernetes.io/os: linux --- # Source: cert-manager/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: cert-manager - namespace: "cert-manager" + namespace: cert-manager labels: app: cert-manager app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" spec: replicas: 1 selector: @@ -16988,7 +5304,7 @@ spec: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" annotations: prometheus.io/path: "/metrics" prometheus.io/scrape: 'true' @@ -16997,9 +5313,11 @@ spec: serviceAccountName: cert-manager securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - - name: cert-manager - image: "quay.io/jetstack/cert-manager-controller:v1.5.0" + - name: cert-manager-controller + image: "quay.io/jetstack/cert-manager-controller:v1.10.1" imagePullPolicy: IfNotPresent args: - --v=2 
@@ -17007,27 +5325,33 @@ spec: - --leader-election-namespace=kube-system ports: - containerPort: 9402 + name: http-metrics protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - resources: - {} + nodeSelector: + kubernetes.io/os: linux --- # Source: cert-manager/templates/webhook-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: cert-manager-webhook - namespace: "cert-manager" + namespace: cert-manager labels: app: webhook app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" spec: replicas: 1 selector: @@ -17042,25 +5366,33 @@ spec: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" spec: serviceAccountName: cert-manager-webhook securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - - name: cert-manager - image: "quay.io/jetstack/cert-manager-webhook:v1.5.0" + - name: cert-manager-webhook + image: "quay.io/jetstack/cert-manager-webhook:v1.10.1" imagePullPolicy: IfNotPresent args: - --v=2 - --secure-port=10250 - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca - - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc + - --dynamic-serving-dns-names=cert-manager-webhook + - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE) + - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc + ports: - name: https protocol: TCP containerPort: 10250 + - name: healthcheck + protocol: TCP + containerPort: 6080 livenessProbe: httpGet: path: /livez 
@@ -17081,13 +5413,18 @@ spec: timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - resources: - {} + nodeSelector: + kubernetes.io/os: linux --- # Source: cert-manager/templates/webhook-mutating-webhook.yaml apiVersion: admissionregistration.k8s.io/v1 @@ -17099,7 +5436,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" annotations: cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" webhooks: @@ -17115,15 +5452,7 @@ webhooks: - UPDATE resources: - "*/*" - # We don't actually support `v1beta1` but is listed here as it is a - # required value for - # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025). - # The API server reads the supported versions in order, so _should always_ - # attempt a `v1` request which is understood by the cert-manager webhook. - # Any `v1beta1` request will return an error and fail closed for that - # resource (the whole object request is rejected). When we no longer - # support v1.16 we can remove `v1beta1` from this list. - admissionReviewVersions: ["v1", "v1beta1"] + admissionReviewVersions: ["v1"] # This webhook only accepts v1 cert-manager resources. # Equivalent matchPolicy ensures that non-v1 resource requests are sent to # this webhook (after the resources have been converted to v1). @@ -17135,7 +5464,7 @@ webhooks: clientConfig: service: name: cert-manager-webhook - namespace: "cert-manager" + namespace: cert-manager path: /mutate --- # Source: cert-manager/templates/webhook-validating-webhook.yaml 
@@ -17148,7 +5477,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.5.0" + app.kubernetes.io/version: "v1.10.1" annotations: cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" webhooks: @@ -17174,15 +5503,7 @@ webhooks: - UPDATE resources: - "*/*" - # We don't actually support `v1beta1` but is listed here as it is a - # required value for - # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025). - # The API server reads the supported versions in order, so _should always_ - # attempt a `v1` request which is understood by the cert-manager webhook. - # Any `v1beta1` request will return an error and fail closed for that - # resource (the whole object request is rejected). When we no longer - # support v1.16 we can remove `v1beta1` from this list. - admissionReviewVersions: ["v1", "v1beta1"] + admissionReviewVersions: ["v1"] # This webhook only accepts v1 cert-manager resources. # Equivalent matchPolicy ensures that non-v1 resource requests are sent to # this webhook (after the resources have been converted to v1). @@ -17193,5 +5514,5 @@ webhooks: clientConfig: service: name: cert-manager-webhook - namespace: "cert-manager" + namespace: cert-manager path: /validate diff --git a/common/cert-manager/cert-manager/base/kustomization.yaml b/common/cert-manager/cert-manager/base/kustomization.yaml index 2fbbd28562..4e224efc77 100644 --- a/common/cert-manager/cert-manager/base/kustomization.yaml +++ b/common/cert-manager/cert-manager/base/kustomization.yaml 
@@ -3,16 +3,9 @@ kind: Kustomization resources: # Manifests downloaded from: -# https://github.com/jetstack/cert-manager/releases/download/v1.5.0/cert-manager.yaml +# https://github.com/jetstack/cert-manager/releases/download/v1.10.1/cert-manager.yaml - cert-manager.yaml # XXX: Do NOT use the namespace transformer, as cert-manager defines resources # in two namespaces, 'cert-manager' and 'kube-system'. -# For more information, see https://github.com/jetstack/cert-manager/issues/4102. - -# Patch upstream manifests to explicitly disable 'preserveUnknownFields', -# otherwise upgrade with 'kubectl apply' fails. -patches: -- path: patches/crd-preserve-unknown-fields.yaml - target: - kind: CustomResourceDefinition +# For more information, see https://github.com/jetstack/cert-manager/issues/4102. \ No newline at end of file diff --git a/common/cert-manager/cert-manager/base/patches/crd-preserve-unknown-fields.yaml b/common/cert-manager/cert-manager/base/patches/crd-preserve-unknown-fields.yaml deleted file mode 100644 index 5d9d04e7a7..0000000000 --- a/common/cert-manager/cert-manager/base/patches/crd-preserve-unknown-fields.yaml +++ /dev/null @@ -1,3 +0,0 @@ -- op: add - path: /spec/preserveUnknownFields - value: false From f24b944c3d6b720d95d6d53c2d4f1599759bda13 Mon Sep 17 00:00:00 2001 From: apoger Date: Fri, 25 Nov 2022 13:16:11 +0200 Subject: [PATCH 04/74] Update Istio version references to v1.16 (#2332) * Update Istio version in README file Signed-off-by: Apostolos Gerakaris * Fix GH action workflows Signed-off-by: Apostolos Gerakaris * Update README install instructions for Istio-1-16 Signed-off-by: Apostolos Gerakaris Signed-off-by: Apostolos Gerakaris --- .github/workflows/jwa_kind_test.yaml | 3 --- .github/workflows/twa_kind_test.yaml | 3 --- README.md | 12 ++++++------ common/istio-1-16/README.md | 3 +-- hack/setup-kubeflow-light.sh | 8 ++++---- tests/gh-actions/install_knative.sh | 2 +- 6 files changed, 12 insertions(+), 19 deletions(-) 
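Review bot: The new kustomization drops the `patches:` entry for `crd-preserve-unknown-fields.yaml` but records nothing about why it is safe to do so, while the deleted comment had explained that the patch was what kept `kubectl apply` upgrades of the CRDs working. Presumably the v1.10.1 upstream manifests no longer need it, but the next person bumping cert-manager cannot tell that from the file; a one-line note next to the download URL, such as `# The preserveUnknownFields CRD patch that earlier versions required is not needed for the v1.10.1 manifests`, would preserve that reasoning. The file also now ends without a trailing newline (`\ No newline at end of file`), which is worth restoring.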
diff --git a/.github/workflows/jwa_kind_test.yaml b/.github/workflows/jwa_kind_test.yaml index aff7b59bf5..dfb7bb18b1 100644 --- a/.github/workflows/jwa_kind_test.yaml +++ b/.github/workflows/jwa_kind_test.yaml @@ -3,11 +3,8 @@ on: pull_request: paths: - apps/jupyter/jupyter-web-app/upstream/** -<<<<<<< HEAD - tests/gh-actions/kind-cluster.yaml -======= - tests/gh-actions/install_istio.sh ->>>>>>> tests: Update GH Action workflows jobs: build: diff --git a/.github/workflows/twa_kind_test.yaml b/.github/workflows/twa_kind_test.yaml index 9248c7884e..24eed6bfb9 100644 --- a/.github/workflows/twa_kind_test.yaml +++ b/.github/workflows/twa_kind_test.yaml @@ -3,11 +3,8 @@ on: pull_request: paths: - apps/tensorboard/tensorboards-web-app/upstream/** -<<<<<<< HEAD - tests/gh-actions/kind-cluster.yaml -======= - tests/gh-actions/install_istio.sh ->>>>>>> tests: Update GH Action workflows jobs: build: diff --git a/README.md b/README.md index edcb58bfb3..9f572c51b8 100644 --- a/README.md +++ b/README.md @@ -61,7 +61,7 @@ used from the different projects of Kubeflow: | Component | Local Manifests Path | Upstream Revision | | - | - | - | -| Istio | common/istio-1-14 | [1.14.1](https://github.com/istio/istio/releases/tag/1.14.1) | +| Istio | common/istio-1-16 | [1.16.0](https://github.com/istio/istio/releases/tag/1.16.0) | | Knative | common/knative | [0.22.1](https://github.com/knative/serving/releases/tag/v0.22.1) | | Cert Manager | common/cert-manager | [1.10.1](https://github.com/cert-manager/cert-manager/releases/tag/v1.10.1) | 
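Review bot: The removed lines here, and in the `twa_kind_test.yaml` hunk that follows, are merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> tests: Update GH Action workflows`) that had been committed into workflow files, so those workflows cannot have been valid YAML until this fix; keeping both `paths:` entries looks like the right resolution. Nothing in the repository's checks would stop this from recurring, though: a `git diff --check` step or a yamllint pass over `.github/workflows/` in CI reports leftover conflict markers and would have flagged the earlier commit before merge.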
@@ -137,9 +137,9 @@ network authorization and implement routing policies. Install Istio: ```sh -kustomize build common/istio-1-14/istio-crds/base | kubectl apply -f - -kustomize build common/istio-1-14/istio-namespace/base | kubectl apply -f - -kustomize build common/istio-1-14/istio-install/base | kubectl apply -f - +kustomize build common/istio-1-16/istio-crds/base | kubectl apply -f - +kustomize build common/istio-1-16/istio-namespace/base | kubectl apply -f - +kustomize build common/istio-1-16/istio-install/base | kubectl apply -f - ``` #### Dex @@ -168,7 +168,7 @@ Install Knative Serving: ```sh kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f - -kustomize build common/istio-1-14/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-1-16/cluster-local-gateway/base | kubectl apply -f - ``` Optionally, you can install Knative Eventing which can be used for inference request logging: @@ -210,7 +210,7 @@ well. Install istio resources: ```sh -kustomize build common/istio-1-14/kubeflow-istio-resources/base | kubectl apply -f - +kustomize build common/istio-1-16/kubeflow-istio-resources/base | kubectl apply -f - ``` #### Kubeflow Pipelines diff --git a/common/istio-1-16/README.md b/common/istio-1-16/README.md index 6dcfad96a2..9974434002 100644 --- a/common/istio-1-16/README.md +++ b/common/istio-1-16/README.md @@ -64,8 +64,7 @@ old version is `X1.Y1.Z1`: `--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically detect default settings. Ensure you have a target cluster ready before running the above commands. We set this flag because `istioctl manifest generate` generates manifest files with resources that are no - longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: - - https://github.com/istio/istio/issues/41220 + longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: https://github.com/istio/istio/issues/41220 --- 
diff --git a/hack/setup-kubeflow-light.sh b/hack/setup-kubeflow-light.sh index 1be9fe80b0..65785e079a 100755 --- a/hack/setup-kubeflow-light.sh +++ b/hack/setup-kubeflow-light.sh @@ -30,9 +30,9 @@ sleep 5 kubectl wait --timeout=${TIMEOUT} -n cert-manager --all --for=condition=Ready pod echo "Deploying Istio." -kustomize build common/istio-1-14/istio-crds/base | kubectl apply -f - -kustomize build common/istio-1-14/istio-namespace/base | kubectl apply -f - -kustomize build common/istio-1-14/istio-install/base | kubectl apply -f - +kustomize build common/istio-1-16/istio-crds/base | kubectl apply -f - +kustomize build common/istio-1-16/istio-namespace/base | kubectl apply -f - +kustomize build common/istio-1-16/istio-install/base | kubectl apply -f - echo "Waiting for istio-system Pods to become ready..." sleep 5 @@ -50,7 +50,7 @@ do done kustomize build common/knative/knative-eventing/base | kubectl apply -f - -kustomize build common/istio-1-14/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-1-16/cluster-local-gateway/base | kubectl apply -f - echo "Waiting for knative-serving Pods to become ready..." sleep 5 diff --git a/tests/gh-actions/install_knative.sh b/tests/gh-actions/install_knative.sh index 8dbb5a5864..8c88c6a953 100755 --- a/tests/gh-actions/install_knative.sh +++ b/tests/gh-actions/install_knative.sh @@ -6,4 +6,4 @@ kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply set -e kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f - kustomize build common/knative/knative-eventing/base | kubectl apply -f - -kustomize build common/istio-1-14/kubeflow-istio-resources/base | kubectl apply -f - \ No newline at end of file +kustomize build common/istio-1-16/kubeflow-istio-resources/base | kubectl apply -f - \ No newline at end of file From a345823426f5c6161c3f483d331ab712db4b269c Mon Sep 17 00:00:00 2001 
From: Anna Date: Tue, 29 Nov 2022 13:28:42 -0500 Subject: [PATCH 05/74] Add unmaintained notice to contrib tektoncd (#2321) * Add unmaintained notice to contrib tektoncd Signed-off-by: Anna Jung (VMware) * Update contrib/tektoncd/README.md Co-authored-by: Tommy Li * Update message Signed-off-by: Anna Jung (VMware) Signed-off-by: Anna Jung (VMware) Co-authored-by: Tommy Li --- contrib/tektoncd/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 contrib/tektoncd/README.md diff --git a/contrib/tektoncd/README.md b/contrib/tektoncd/README.md new file mode 100644 index 0000000000..fe85361c58 --- /dev/null +++ b/contrib/tektoncd/README.md @@ -0,0 +1,8 @@ +Please note: This component is **unmaintained and out-of-date**. + +The latest tektoncd distribution is now maintained as part of the `kfp-tekton` component release. To deploy tektoncd standalone with kustomize, please use the latest tektoncd kustomization.yaml over [here](/apps/kfp-tekton/upstream/third-party/tekton/base/kustomization.yaml). + +Any components that fails to meet [contrib requirements](https://github.com/kubeflow/manifests/blob/master/proposals/20220926-contrib-component-guidelines.md#component-requirements) + by the next Kubeflow release ([1.7](https://github.com/kubeflow/community/tree/master/releases/release-1.7#timeline)) will be removed from the [`manifest`](https://github.com/kubeflow/manifests) repository. + +Updates to the `/contrib` components can be found in the [tracking issue](https://github.com/kubeflow/manifests/issues/2311). \ No newline at end of file From f40fefafab30834515889d712697e915eeca123b Mon Sep 17 00:00:00 2001 From: Alejandro Saucedo Date: Thu, 1 Dec 2022 11:55:45 +0000 Subject: [PATCH 06/74] Updated and tested Seldon Core 1.15.0 (#2326) * Updated and tested Seldon Core 1.15.0 Signed-off-by: Alejandro Saucedo * Added testing section Signed-off-by: Alejandro Saucedo * Added upgrading reference Signed-off-by: Alejandro Saucedo * Added automated test 
Signed-off-by: Alejandro Saucedo * Added automated tests and documentation Signed-off-by: Alejandro Saucedo * Added upgrade documentation * Added description of product Signed-off-by: Alejandro Saucedo * Updated contrib to ensure group maps correctly Signed-off-by: Alejandro Saucedo * Added updated instructions for non-linux Signed-off-by: Alejandro Saucedo * Added gh action for seldon test Signed-off-by: Alejandro Saucedo * Added gh action for seldon test Signed-off-by: Alejandro Saucedo * Added description of product Signed-off-by: Alejandro Saucedo * Updating path for kind Signed-off-by: Alejandro Saucedo * Updating path for kind Signed-off-by: Alejandro Saucedo * Updating path for kind Signed-off-by: Alejandro Saucedo * Added kind cluster and rebase Signed-off-by: Alejandro Saucedo * Updated back to running kind script Signed-off-by: Alejandro Saucedo * Fixed typo Signed-off-by: Alejandro Saucedo * Updated to include latest manifests Signed-off-by: Alejandro Saucedo * Create namespace if not exists Signed-off-by: Alejandro Saucedo * Adding certmanager Signed-off-by: Alejandro Saucedo * Added namespaces Signed-off-by: Alejandro Saucedo * Added waiting for resources Signed-off-by: Alejandro Saucedo * Updating to path Signed-off-by: Alejandro Saucedo * Added wait for condition Signed-off-by: Alejandro Saucedo * Added wait for condition Signed-off-by: Alejandro Saucedo * Added wait for condition Signed-off-by: Alejandro Saucedo * Added wait for condition Signed-off-by: Alejandro Saucedo * Added wait for condition Signed-off-by: Alejandro Saucedo * Added 1.24 kind tests plus note in the readme Signed-off-by: Alejandro Saucedo * Extending timeout of wait for Signed-off-by: Alejandro Saucedo * Update contrib/seldon/README.md Co-authored-by: Anna * Reverted update on readme Signed-off-by: Alejandro Saucedo 
Signed-off-by: Alejandro Saucedo Co-authored-by: Anna --- .github/workflows/seldon_kind_test.yaml | 32 + contrib/seldon/Makefile | 46 +- contrib/seldon/README.md | 82 +- contrib/seldon/UPGRADE.md | 33 + contrib/seldon/example.yaml | 15 + contrib/seldon/kustomization.tpl | 14 +- .../base/kubeflow-edit-seldon.yaml | 17 - .../base/kustomization.yaml | 15 +- .../seldon-core-operator/base/resources.yaml | 4810 +---------------- contrib/seldon/values.yaml | 194 +- example/kustomization.yaml | 2 +- tests/gh-actions/kind-cluster-1-24.yaml | 25 + 12 files changed, 418 insertions(+), 4867 deletions(-) create mode 100644 .github/workflows/seldon_kind_test.yaml create mode 100644 contrib/seldon/UPGRADE.md create mode 100644 contrib/seldon/example.yaml delete mode 100644 contrib/seldon/seldon-core-operator/base/kubeflow-edit-seldon.yaml create mode 100644 tests/gh-actions/kind-cluster-1-24.yaml diff --git a/.github/workflows/seldon_kind_test.yaml b/.github/workflows/seldon_kind_test.yaml new file mode 100644 index 0000000000..14f3e38f22 --- /dev/null +++ b/.github/workflows/seldon_kind_test.yaml @@ -0,0 +1,32 @@ +name: Build & Apply Seldon manifests in KinD +on: + pull_request: + paths: + - contrib/seldon/** + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Install KinD + run: ./tests/gh-actions/install_kind.sh + + - name: Create KinD Cluster + run: kind create cluster --config tests/gh-actions/kind-cluster-1-24.yaml + + - name: Install kustomize + run: ./tests/gh-actions/install_kustomize.sh + + - name: Install Istio + run: ./tests/gh-actions/install_istio.sh + + - name: Install cert-manager + run: ./tests/gh-actions/install_cert_manager.sh + + - name: Build & Apply manifests + run: | + cd contrib/seldon/ + make test diff --git a/contrib/seldon/Makefile b/contrib/seldon/Makefile index 2383de895f..27c9c68f32 100644 --- a/contrib/seldon/Makefile +++ b/contrib/seldon/Makefile 
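Review bot: The new workflow runs with the default `GITHUB_TOKEN` permissions and checks out with a floating tag (`uses: actions/checkout@v3`); for a `pull_request` job that only builds manifests and applies them into a throwaway KinD cluster, a top-level `permissions:` block with `contents: read` and pinning the action to a full commit SHA (tag kept in a trailing comment) keep the token at least privilege and make the checkout reproducible. The `paths:` filter lists only `contrib/seldon/**`, so edits to `tests/gh-actions/kind-cluster-1-24.yaml` or to the `install_istio.sh` / `install_cert_manager.sh` scripts the job invokes will not re-run it, unlike the workflows updated earlier in this series, which list their KinD config. Reintroducing a version-specific config (`kind-cluster-1-24.yaml`) right after those were consolidated into `kind-cluster.yaml` is presumably deliberate given the README's "Kubernetes 1.18 - 1.24" range, but a short comment on the `Create KinD Cluster` step saying so would stop someone "fixing" it back.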
@@ -1,22 +1,13 @@ -# Copy values.yaml from desired seldon-core release and modify -# If updating values.yaml -# certManager: true -# Istio.enabled: true -# istio gateway -# kubeflow: true - -# Presently need to remove generated status field from resources.yaml file manually +SELDON_VERSION ?= 1.15.0 seldon-core-operator/base: clean-kustomize mkdir -p seldon-core-operator/base - cd seldon-core-operator/base && helm template -f ../../values.yaml seldon-core seldon-core-operator --repo https://storage.googleapis.com/seldon-charts --namespace kubeflow --version 1.6.0 > resources.yaml - #kfctl strangeness means these variables don't always get resolved see https://github.com/kubeflow/manifests/issues/1660 - #sed -i 's#cert-manager.io/inject-ca-from:.*#cert-manager.io/inject-ca-from: $$(CERTIFICATE_NAMESPACE)/$$(CERTIFICATE_NAME)#g' seldon-core-operator/base/resources.yaml + cd seldon-core-operator/base && helm template -f ../../values.yaml seldon-core seldon-core-operator --repo https://storage.googleapis.com/seldon-charts --namespace kubeflow --version ${SELDON_VERSION} > resources.yaml sed -i 's#cert-manager.io/inject-ca-from:.*#cert-manager.io/inject-ca-from: kubeflow/seldon-serving-cert#g' seldon-core-operator/base/resources.yaml - sed -i "s#'seldon-webhook-service.kubeflow.svc.cluster.local'#"'$$(SERVICE_NAME).$$(SERVICE_NAMESPACE).svc.cluster.local#' seldon-core-operator/base/resources.yaml - sed -i "s#commonName: 'seldon-webhook-service.kubeflow.svc'#"'commonName: $$(SERVICE_NAME).$$(CERTIFICATE_NAMESPACE).svc#' seldon-core-operator/base/resources.yaml - sed -i "s#'seldon-webhook-service.kubeflow.svc'#"'$$(SERVICE_NAME).$$(SERVICE_NAMESPACE).svc#' seldon-core-operator/base/resources.yaml + sed -i "s#'seldon-webhook-service.kubeflow.svc.cluster.local'#"'seldon-webhook-service.$$(SERVICE_NAMESPACE).svc.cluster.local#' seldon-core-operator/base/resources.yaml + sed -i "s#commonName: 'seldon-webhook-service.kubeflow.svc'#"'commonName: 
seldon-webhook-service.$$(CERTIFICATE_NAMESPACE).svc#' seldon-core-operator/base/resources.yaml + sed -i "s#'seldon-webhook-service.kubeflow.svc'#"'seldon-webhook-service.$$(SERVICE_NAMESPACE).svc#' seldon-core-operator/base/resources.yaml sed -i 's#kubeflow/kubeflow-gateway#$$(SERVICE_NAMESPACE)/kubeflow-gateway#' seldon-core-operator/base/resources.yaml cp kustomization.tpl seldon-core-operator/base/kustomization.yaml cp kustomizeconfig.tpl seldon-core-operator/base/kustomizeconfig.yaml @@ -24,3 +15,30 @@ seldon-core-operator/base: clean-kustomize .PHONY:clean-kustomize clean-kustomize: rm -rf seldon-core-operator/base + +test: + # Create seldon namespace + kubectl create namespace seldon || echo "seldon namespace exists" + # Create kubeflow namespace if not exists + kubectl create namespace kubeflow || echo "kubeflow namespace exists" + # Creating resources + kustomize build seldon-core-operator/base | kubectl apply -n kubeflow -f - + # Waiting for resources + kubectl wait --for condition=Available -n kubeflow deployment/seldon-controller-manager + # Wait for manager resources to be created + sleep 5 + # Create example deployment + kubectl apply -n seldon -f example.yaml + # Wait for manager resources to be created + sleep 5 + kubectl get deploy -A + sleep 5 + kubectl logs -n kubeflow deployment/seldon-controller-manager + sleep 5 + kubectl get deploy -A + # Wait for deployment + kubectl wait --for condition=Available -n seldon deployment/echo-default-0-classifier --timeout=360s + # Remove deployment + kubectl delete -n seldon -f example.yaml + # Cleaning resources + kustomize build seldon-core-operator/base | kubectl delete -n kubeflow -f - diff --git a/contrib/seldon/README.md b/contrib/seldon/README.md index ac14782e45..1fdfac5165 100644 --- a/contrib/seldon/README.md +++ b/contrib/seldon/README.md 
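Review bot: The `sed -i` rewrites of the webhook hostnames and the `kubeflow/kubeflow-gateway` reference match exact quoted strings from the rendered chart, so if a future `SELDON_VERSION` changes that quoting the substitutions silently do nothing and the committed `resources.yaml` keeps its webhook certificate SANs and gateway hard-wired to the `kubeflow` namespace. A guard after the seds, for example `grep -qF 'seldon-webhook-service.$$(SERVICE_NAMESPACE).svc' seldon-core-operator/base/resources.yaml` (and the same for `$$(SERVICE_NAMESPACE)/kubeflow-gateway`), turns that into a build failure instead. `sed -i` with no suffix is GNU-specific; since the commit message mentions non-Linux instructions, a comment noting that this target expects GNU sed would help.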
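Review bot: The first `kubectl wait --for condition=Available -n kubeflow deployment/seldon-controller-manager` in the new `test` target has no `--timeout`, so it falls back to kubectl's default (30s) while the later wait for the example deployment allows 360s; on a cold KinD node the controller image pull alone can exceed that, making the test flaky for reasons unrelated to the manifests, and `--timeout=360s` on that line would bring it in step. The `sleep 5` / `kubectl get deploy -A` / `kubectl logs` lines between the two waits look like diagnostics rather than assertions and are worth either labelling as such or dropping. Because make stops at the first failing recipe line, a failed run also leaves the example deployment and the operator behind in the cluster; fine for a throwaway CI cluster, but worth a comment for anyone running `make test` locally.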
@@ -1,6 +1,14 @@ -# Seldon Kustomize +# Seldon Core -## Install Seldon Operator +[Seldon Core](https://github.com/SeldonIO/seldon-core/) is a framework to deploy your machine learning models on Kubernetes at scale. + +# Requirements + +* Kubernetes 1.18 - 1.24 + +Support for Kubernetes 1.25 is currently part of [SeldonIO/seldon-core#4172](https://github.com/SeldonIO/seldon-core/pull/4172) + +## Install Seldon Core Operator * The yaml assumes you will install in kubeflow namespace * You need to have installed istio first 
@@ -11,8 +19,74 @@ kustomize build seldon-core-operator/base | kubectl apply -n kubeflow -f - ## Updating -This kustomize spec was created from the seldon-core-operator helm chart with: +See [UPGRADE.md](UPGRADE.md) + +## Testing + +``` +make test +``` + +# Overview + +We can create a test model once the "Install Seldon Operator" is configured + +``` +# Create namespace for model +kubectl create namespace seldon +``` + +We can create an echo model with the following command: ``` -make clean seldon-core-operator/base +kubectl apply -f - << ENDapiVersion: machinelearning.seldon.io/v1 +kind: SeldonDeployment +metadata: + name: echo + namespace: seldon +spec: + predictors: + - name: default + replicas: 1 + graph: + name: classifier + type: MODEL + componentSpecs: + - spec: + containers: + - image: seldonio/echo-model:1.15.0-dev + name: classifier +END ``` + +We can verify that model is running: + +``` +kubectl get pods -n seldon + +NAME READY STATUS RESTARTS AGE +echo-default-0-classifier-679cb5fb68-qd4nm 2/2 Running 0 25m +``` + +Also we can verify that the correct virtualservice was created: + +``` +kubectl get virtualservice -n seldon + +NAME GATEWAYS HOSTS AGE +echo ["kubeflow/kubeflow-gateway"] ["*"] 42m +``` + +Finally we can send a request (you will need to fetch the Dex Auth Token / Cookie): + +``` +export CLUSTER_IP=# Your cluster IP +export SESSION=# Your dex session + +curl -H "Content-Type: application/json" -H "Cookie: authservice_session=${SESSION}" \ + -d '{"data": {"ndarray":[[1.0, 2.0, 5.0]]}}' \ + http://{CLUSTER_IP}/seldon/seldon/echo/api/v1.0/predictions + +{"data":{"names":["t:0","t:1","t:2"],"ndarray":[[1.0,2.0,5.0]]},"meta":{"metrics":[{"key":"mycounter","type":"COUNTER","value":1},{"key":"mygauge","type":"GAUGE","value":100},{"key":"mytimer","type":"TIMER","value":20.2}],"requestPath":{"classifier":"seldonio/echo-model:1.15.0-dev"}}} +``` + 
diff --git a/contrib/seldon/UPGRADE.md b/contrib/seldon/UPGRADE.md
new file mode 100644
index 0000000000..734da26dea
--- /dev/null
+++ b/contrib/seldon/UPGRADE.md
@@ -0,0 +1,33 @@
+# Upgrading Documentation
+
+## Updating manifests
+
+In order to update manifests make sure you are running the commands in linux.
+
+If you are running in another OS, please make sure to update the Makefile commands.
+
+You can refresh the configuration by running:
+
+```
+make seldon-core-operator/base
+```
+
+## Updating to specific version
+
+Upgrading the version can be done by setting the `SELDON_VERSION` environment variable, such as:
+
+```
+# Set the desired version
+export SELDON_VERSION=1.14.0
+
+# Rebuild the kustomize base
+make seldon-core-operator/base
+
+# Run new manifests against cluster
+kustomize build seldon-core-operator/base | kubectl apply -f -
+```
+
+## Instructions for breaking changes
+
+The [core upgrading docs](https://docs.seldon.io/projects/seldon-core/en/latest/reference/upgrading.html.) provide step by step overview of breaking changes across minor and patch versions.
+
diff --git a/contrib/seldon/example.yaml b/contrib/seldon/example.yaml
new file mode 100644
index 0000000000..26cdb109b0
--- /dev/null
+++ b/contrib/seldon/example.yaml
@@ -0,0 +1,15 @@
+apiVersion: machinelearning.seldon.io/v1
+kind: SeldonDeployment
+metadata:
+ name: echo
+spec:
+ predictors:
+ - name: default
+ graph:
+ name: classifier
+ type: MODEL
+ componentSpecs:
+ - spec:
+ containers:
+ - image: seldonio/echo-model:1.15.0-dev
+ name: classifier
diff --git a/contrib/seldon/kustomization.tpl b/contrib/seldon/kustomization.tpl
index f1b9e245ba..46434de5ee 100644
--- a/contrib/seldon/kustomization.tpl
+++ b/contrib/seldon/kustomization.tpl
@@ -11,7 +11,7 @@ vars:
 objref:
 kind: Certificate
 group: cert-manager.io
- version: v1alpha2
+ version: v1
 name: seldon-serving-cert # this name should match the one in certificate.yaml
 fieldref:
 fieldpath: metadata.namespace
@@ -19,17 +19,13 @@ vars:
 objref:
 kind: Certificate
 group: cert-manager.io
- version: v1alpha2
+ version: v1
 name: seldon-serving-cert # this name should match the one in certificate.yaml
 - name: SERVICE_NAMESPACE # namespace of the service
 objref:
- kind: Service
+ kind: Deployment
 version: v1
- name: seldon-webhook-service
+ group: apps
+ name: seldon-controller-manager
 fieldref:
 fieldpath: metadata.namespace
-- name: SERVICE_NAME
- objref:
- kind: Service
- version: v1
- name: seldon-webhook-service
diff --git a/contrib/seldon/seldon-core-operator/base/kubeflow-edit-seldon.yaml b/contrib/seldon/seldon-core-operator/base/kubeflow-edit-seldon.yaml
deleted file mode 100644
index e584a05dc3..0000000000
--- a/contrib/seldon/seldon-core-operator/base/kubeflow-edit-seldon.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-# Kubeflow builds clusterrole kubeflow-edit by aggreagating multiple other clusterroles
-# So i add a clusterrole that allows seldon deployments and it will be aggreagted because
-# of its "aggregate-to-kubeflow-edit" label
-# kubeflow-edit is the default role, that is available in each user namespace
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
- name: kubeflow-edit-seldon
-rules:
-- apiGroups:
- - machinelearning.seldon.io
- verbs:
- - '*'
- resources:
- - '*'
diff --git a/contrib/seldon/seldon-core-operator/base/kustomization.yaml b/contrib/seldon/seldon-core-operator/base/kustomization.yaml
index c56112e126..46434de5ee 100644
--- a/contrib/seldon/seldon-core-operator/base/kustomization.yaml
+++ b/contrib/seldon/seldon-core-operator/base/kustomization.yaml
@@ -2,7 +2,6 @@
 # and emits as a YAML string
 resources:
 - resources.yaml
-- kubeflow-edit-seldon.yaml
 configurations:
 - kustomizeconfig.yaml
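Review bot: The `# namespace of the service` comment on the `- name: SERVICE_NAMESPACE` context line is now stale: the objref under it is switched from the `seldon-webhook-service` Service to the `seldon-controller-manager` Deployment, and the `SERVICE_NAME` var that named the Service is removed, so a reader can no longer tell which service the namespace is meant for. Suggest `- name: SERVICE_NAMESPACE # namespace of the seldon-controller-manager Deployment (the webhook service name is fixed by the Makefile seds)`. The same stale comment appears in the generated copy at `seldon-core-operator/base/kustomization.yaml` (hunk `@@ -20,17 +19,13 @@`); since the Makefile overwrites that file from this template, fixing it here and regenerating covers both.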
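Review bot: Dropping `- kubeflow-edit-seldon.yaml` from `resources:` removes the aggregated ClusterRole that granted `*` on `machinelearning.seldon.io` to `kubeflow-edit`, so after this change users holding the default profile role can no longer create or manage SeldonDeployments unless a binding exists elsewhere, and nothing in the hunk replaces it. On clusters that already applied the old base, a plain `kubectl apply` does not delete the orphaned ClusterRole, so the permission change only takes effect on fresh installs, which leaves two populations with different effective RBAC. If the removal is intentional it should be stated in UPGRADE.md together with the cleanup step `kubectl delete clusterrole kubeflow-edit-seldon`; if it is not, the file should stay in the list.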
@@ -12,7 +11,7 @@ vars:
 objref:
 kind: Certificate
 group: cert-manager.io
- version: v1alpha2
+ version: v1
 name: seldon-serving-cert # this name should match the one in certificate.yaml
 fieldref:
 fieldpath: metadata.namespace
@@ -20,17 +19,13 @@ vars:
 objref:
 kind: Certificate
 group: cert-manager.io
- version: v1alpha2
+ version: v1
 name: seldon-serving-cert # this name should match the one in certificate.yaml
 - name: SERVICE_NAMESPACE # namespace of the service
 objref:
- kind: Service
+ kind: Deployment
 version: v1
- name: seldon-webhook-service
+ group: apps
+ name: seldon-controller-manager
 fieldref:
 fieldpath: metadata.namespace
-- name: SERVICE_NAME
- objref:
- kind: Service
- version: v1
- name: seldon-webhook-service
diff --git a/contrib/seldon/seldon-core-operator/base/resources.yaml b/contrib/seldon/seldon-core-operator/base/resources.yaml
index d146b84ffd..177d30b2f8 100644
--- a/contrib/seldon/seldon-core-operator/base/resources.yaml
+++ b/contrib/seldon/seldon-core-operator/base/resources.yaml
@@ -7,4464 +7,10 @@ metadata: app: seldon app.kubernetes.io/instance: 'seldon-core' app.kubernetes.io/name: 'seldon-core-operator' - app.kubernetes.io/version: '1.6.0' + app.kubernetes.io/version: '1.15.0' name: 'seldon-manager' namespace: 'kubeflow' --- -# Source: seldon-core-operator/templates/configmap_seldon-config.yaml -apiVersion: v1 -data: - credentials: '{"gcs":{"gcsCredentialFileName":"gcloud-application-credentials.json"},"s3":{"s3AccessKeyIDName":"awsAccessKeyID","s3SecretAccessKeyName":"awsSecretAccessKey"}}' - explainer: '{"image":"seldonio/alibiexplainer:1.9.0"}' - predictor_servers: '{"MLFLOW_SERVER":{"protocols":{"seldon":{"defaultImageVersion":"1.9.0","image":"seldonio/mlflowserver"}}},"SKLEARN_SERVER":{"protocols":{"kfserving":{"defaultImageVersion":"0.3.2","image":"seldonio/mlserver"},"seldon":{"defaultImageVersion":"1.9.0","image":"seldonio/sklearnserver"}}},"TEMPO_SERVER":{"protocols":{"kfserving":{"defaultImageVersion":"0.3.2","image":"seldonio/mlserver"}}},"TENSORFLOW_SERVER":{"protocols":{"seldon":{"defaultImageVersion":"1.9.0","image":"seldonio/tfserving-proxy"},"tensorflow":{"defaultImageVersion":"2.1.0","image":"tensorflow/serving"}}},"TRITON_SERVER":{"protocols":{"kfserving":{"defaultImageVersion":"20.08-py3","image":"nvcr.io/nvidia/tritonserver"}}},"XGBOOST_SERVER":{"protocols":{"kfserving":{"defaultImageVersion":"0.3.2","image":"seldonio/mlserver"},"seldon":{"defaultImageVersion":"1.9.0","image":"seldonio/xgboostserver"}}}}' - storageInitializer: '{"cpuLimit":"1","cpuRequest":"100m","image":"seldonio/rclone-storage-initializer:1.9.0","memoryLimit":"1Gi","memoryRequest":"100Mi"}' -kind: ConfigMap -metadata: - labels: - app: seldon - app.kubernetes.io/instance: 'seldon-core' - app.kubernetes.io/name: 'seldon-core-operator' - app.kubernetes.io/version: '1.6.0' - control-plane: seldon-controller-manager - name: seldon-config - namespace: 'kubeflow' ---- -# Source: 
seldon-core-operator/templates/customresourcedefinition_seldondeployments.machinelearning.seldon.io.yaml -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: kubeflow/seldon-serving-cert - controller-gen.kubebuilder.io/version: v0.2.9 - creationTimestamp: null - labels: - app: seldon - app.kubernetes.io/instance: 'seldon-core' - app.kubernetes.io/name: 'seldon-core-operator' - app.kubernetes.io/version: '1.6.0' - name: seldondeployments.machinelearning.seldon.io -spec: - group: machinelearning.seldon.io - names: - kind: SeldonDeployment - listKind: SeldonDeploymentList - plural: seldondeployments - shortNames: - - sdep - singular: seldondeployment - scope: Namespaced - subresources: - scale: - specReplicasPath: .spec.replicas - statusReplicasPath: .status.replicas - status: {} - validation: - openAPIV3Schema: - description: SeldonDeployment is the Schema for the seldondeployments API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SeldonDeploymentSpec defines the desired state of SeldonDeployment - properties: - annotations: - additionalProperties: - type: string - type: object - name: - description: Name is Deprecated will be removed in future - type: string - oauth_key: - type: string - oauth_secret: - type: string - predictors: - items: - properties: - annotations: - additionalProperties: - type: string - type: object - componentSpecs: - items: - properties: - hpaSpec: - properties: - maxReplicas: - format: int32 - type: integer - metrics: - items: - description: MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once). - properties: - external: - description: external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster). - properties: - metricName: - description: metricName is the name of the metric in question. - type: string - metricSelector: - description: metricSelector is used to identify a specific time series within a given metric. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - targetAverageValue: - anyOf: - - type: integer - - type: string - description: targetAverageValue is the target per-pod value of global metric (as a quantity). Mutually exclusive with TargetValue. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - targetValue: - anyOf: - - type: integer - - type: string - description: targetValue is the target value of the metric (as a quantity). Mutually exclusive with TargetAverageValue. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - metricName - type: object - object: - description: object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object). 
- properties: - averageValue: - anyOf: - - type: integer - - type: string - description: averageValue is the target value of the average of the metric across all relevant pods (as a quantity) - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - metricName: - description: metricName is the name of the metric in question. - type: string - selector: - description: selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - target: - description: target is the described Kubernetes object. - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"' - type: string - name: - description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - required: - - kind - - name - type: object - targetValue: - anyOf: - - type: integer - - type: string - description: targetValue is the target value of the metric (as a quantity). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - metricName - - target - - targetValue - type: object - pods: - description: pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value. - properties: - metricName: - description: metricName is the name of the metric in question - type: string - selector: - description: selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - targetAverageValue: - anyOf: - - type: integer - - type: string - description: targetAverageValue is the target value of the average of the metric across all relevant pods (as a quantity) - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - metricName - - targetAverageValue - type: object - resource: - description: resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. - properties: - name: - description: name is the name of the resource in question. - type: string - targetAverageUtilization: - description: targetAverageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. 
- format: int32 - type: integer - targetAverageValue: - anyOf: - - type: integer - - type: string - description: targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the "pods" metric source type. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - name - type: object - type: - description: type is the type of metric source. It should be one of "Object", "Pods" or "Resource", each mapping to a matching field in the object. - type: string - required: - - type - type: object - type: array - minReplicas: - format: int32 - type: integer - required: - - maxReplicas - type: object - kedaSpec: - description: SeldonScaledObjectSpec is the spec for a KEDA ScaledObject resource - properties: - advanced: - description: AdvancedConfig specifies advance scaling options - properties: - horizontalPodAutoscalerConfig: - description: HorizontalPodAutoscalerConfig specifies horizontal scale config - properties: - behavior: - description: HorizontalPodAutoscalerBehavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). - properties: - scaleDown: - description: scaleDown is scaling policy for scaling Down. If not set, the default value is to allow to scale down to minReplicas pods, with a 300 second stabilization window (i.e., the highest recommendation for the last 300sec is used). - properties: - policies: - description: policies is a list of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid - items: - description: HPAScalingPolicy is a single policy which must hold true for a specified past interval. 
- properties: - periodSeconds: - description: PeriodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). - format: int32 - type: integer - type: - description: Type is used to specify the scaling policy. - type: string - value: - description: Value contains the amount of change which is permitted by the policy. It must be greater than zero - format: int32 - type: integer - required: - - periodSeconds - - type - - value - type: object - type: array - selectPolicy: - description: selectPolicy is used to specify which policy should be used. If not set, the default value MaxPolicySelect is used. - type: string - stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).' - format: int32 - type: integer - type: object - scaleUp: - description: 'scaleUp is scaling policy for scaling Up. If not set, the default value is the higher of: * increase no more than 4 pods per 60 seconds * double the number of pods per 60 seconds No stabilization is used.' - properties: - policies: - description: policies is a list of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid - items: - description: HPAScalingPolicy is a single policy which must hold true for a specified past interval. - properties: - periodSeconds: - description: PeriodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). 
- format: int32 - type: integer - type: - description: Type is used to specify the scaling policy. - type: string - value: - description: Value contains the amount of change which is permitted by the policy. It must be greater than zero - format: int32 - type: integer - required: - - periodSeconds - - type - - value - type: object - type: array - selectPolicy: - description: selectPolicy is used to specify which policy should be used. If not set, the default value MaxPolicySelect is used. - type: string - stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).' - format: int32 - type: integer - type: object - type: object - resourceMetrics: - items: - description: ResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory). The values will be averaged together before being compared to the target. Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. Only one "target" type should be set. - properties: - name: - description: name is the name of the resource in question. - type: string - target: - description: target specifies the target value for the given metric - properties: - averageUtilization: - description: averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. 
Currently only valid for Resource metric source type - format: int32 - type: integer - averageValue: - anyOf: - - type: integer - - type: string - description: averageValue is the target value of the average of the metric across all relevant pods (as a quantity) - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: - description: type represents whether the metric type is Utilization, Value, or AverageValue - type: string - value: - anyOf: - - type: integer - - type: string - description: value is the target value of the metric (as a quantity). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - type - type: object - required: - - name - - target - type: object - type: array - type: object - restoreToOriginalReplicaCount: - type: boolean - type: object - cooldownPeriod: - format: int32 - type: integer - maxReplicaCount: - format: int32 - type: integer - minReplicaCount: - format: int32 - type: integer - pollingInterval: - format: int32 - type: integer - triggers: - items: - description: ScaleTriggers reference the scaler that will be used - properties: - authenticationRef: - description: ScaledObjectAuthRef points to the TriggerAuthentication object that is used to authenticate the scaler with the environment - properties: - name: - type: string - required: - - name - type: object - metadata: - additionalProperties: - type: string - type: object - name: - type: string - type: - type: string - required: - - metadata - - type - type: object - type: array - required: - - triggers - type: object - metadata: - type: object - pdbSpec: - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: An eviction is allowed if at most "maxUnavailable" pods in the deployment corresponding to a componentSpec are 
unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. MaxUnavailable and MinAvailable are mutually exclusive. - x-kubernetes-int-or-string: true - minAvailable: - anyOf: - - type: integer - - type: string - description: An eviction is allowed if at least "minAvailable" pods in the deployment corresponding to a componentSpec will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%". - x-kubernetes-int-or-string: true - type: object - replicas: - format: int32 - type: integer - spec: - description: PodSpec is a description of a pod. - properties: - activeDeadlineSeconds: - description: Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer. - format: int64 - type: integer - affinity: - description: If specified, the pod's scheduling constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. 
it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 
- items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - namespaces: - description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 
- type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - namespaces: - description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. - type: boolean - containers: - description: List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. - items: - description: A single application container that you want to run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. 
Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the container. Cannot be updated. - items: - description: EnvVar represents an environment variable present in a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. - items: - description: EnvFromSource represents the source of a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. 
One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. - properties: - postStart: - description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' 
- type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - livenessProbe: - description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. 
- type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. 
Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. - items: - description: ContainerPort represents a network port in a single container. - properties: - containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. - type: string - protocol: - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - - protocol - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. 
- properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resources: - description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - securityContext: - description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' - type: boolean - capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. 
- type: boolean - procMount: - description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - level: - description: Level is SELinux level label that applies to the container. 
- type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - windowsOptions: - description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - runAsUserName: - description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is a beta feature enabled by the StartupProbe feature flag. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. 
- type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. 
If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. - items: - description: volumeDevice describes a mapping of a raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. 
- type: string - name: - description: name must match the name of a persistentVolumeClaim in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume within a container. - properties: - mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. - type: string - required: - - name - type: object - type: array - dnsConfig: - description: Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy. 
- properties: - nameservers: - description: A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed. - items: - type: string - type: array - options: - description: A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy. - items: - description: PodDNSConfigOption defines DNS resolver options of a pod. - properties: - name: - description: Required. - type: string - value: - type: string - type: object - type: array - searches: - description: A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed. - items: - type: string - type: array - type: object - dnsPolicy: - description: Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. - type: string - enableServiceLinks: - description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Defaults to true.' - type: boolean - ephemeralContainers: - description: List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. 
This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature. - items: - description: An EphemeralContainer is a container that may be added temporarily to an existing pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource allocation, the pod may be evicted. Ephemeral containers may not be added by directly updating the pod spec. They must be added via the pod's ephemeralcontainers subresource, and they will appear in the pod spec once added. This is an alpha feature enabled by the EphemeralContainers feature flag. - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the container. Cannot be updated. - items: - description: EnvVar represents an environment variable present in a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified API version. 
- type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. 
- items: - description: EnvFromSource represents the source of a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Lifecycle is not allowed for ephemeral containers. - properties: - postStart: - description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. 
- properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - livenessProbe: - description: Probes are not allowed for ephemeral containers. - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
- items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers. - type: string - ports: - description: Ports are not allowed for ephemeral containers. - items: - description: ContainerPort represents a network port in a single container. - properties: - containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. - type: string - protocol: - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". 
- type: string - required: - - containerPort - type: object - type: array - readinessProbe: - description: Probes are not allowed for ephemeral containers. - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. 
- type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resources: - description: Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - securityContext: - description: SecurityContext is not allowed for ephemeral containers. - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' - type: boolean - capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. - type: boolean - procMount: - description: procMount denotes the type of proc mount to use for the containers. 
The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. 
- type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - windowsOptions: - description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - runAsUserName: - description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - startupProbe: - description: Probes are not allowed for ephemeral containers. - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
- items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false - type: boolean - targetContainerName: - description: If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container is run in whatever namespaces are shared for the pod. 
Note that the container runtime must support this feature. - type: string - terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. - items: - description: volumeDevice describes a mapping of a raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume within a container. 
- properties: - mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. - type: string - required: - - name - type: object - type: array - hostAliases: - description: HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods. - items: - description: HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file. - properties: - hostnames: - description: Hostnames for the above IP address. - items: - type: string - type: array - ip: - description: IP address of the host file entry. - type: string - type: object - type: array - hostIPC: - description: 'Use the host''s ipc namespace. 
Optional: Default to false.' - type: boolean - hostNetwork: - description: Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false. - type: boolean - hostPID: - description: 'Use the host''s pid namespace. Optional: Default to false.' - type: boolean - hostname: - description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value. - type: string - imagePullSecrets: - description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' - items: - description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - type: array - initContainers: - description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. 
The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' - items: - description: A single application container that you want to run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the container. Cannot be updated. 
- items: - description: EnvVar represents an environment variable present in a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified API version. 
- type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. 
- items: - description: EnvFromSource represents the source of a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. - properties: - postStart: - description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' 
- type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - livenessProbe: - description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
- items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. 
TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. - items: - description: ContainerPort represents a network port in a single container. - properties: - containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. 
Each named port in a pod must have a unique name. Name for the port that can be referred to by services. - type: string - protocol: - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - - protocol - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resources: - description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - securityContext: - description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. 
AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' - type: boolean - capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. - type: boolean - procMount: - description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - windowsOptions: - description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - runAsUserName: - description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. 
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is a beta feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. 
- type: string - tty: - description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. - items: - description: volumeDevice describes a mapping of a raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume within a container. - properties: - mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. 
- type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. - type: string - required: - - name - type: object - type: array - nodeName: - description: NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements. - type: string - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - overhead: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md This field is alpha-level as of Kubernetes v1.16, and is only honored by servers that enable the PodOverhead feature.' 
- type: object - preemptionPolicy: - description: PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is alpha-level and is only honored by servers that enable the NonPreemptingPriority feature. - type: string - priority: - description: The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority. - format: int32 - type: integer - priorityClassName: - description: If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. - type: string - readinessGates: - description: 'If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md' - items: - description: PodReadinessGate contains the reference to a pod condition - properties: - conditionType: - description: ConditionType refers to a condition in the pod's condition list with matching type. - type: string - required: - - conditionType - type: object - type: array - restartPolicy: - description: 'Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' - type: string - runtimeClassName: - description: 'RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md This is a beta feature as of Kubernetes v1.14.' - type: string - schedulerName: - description: If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. - type: string - securityContext: - description: 'SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.' - properties: - fsGroup: - description: "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- \n If unset, the Kubelet will not modify the ownership and permissions of any volume." - format: int64 - type: integer - fsGroupChangePolicy: - description: 'fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified defaults to "Always".' 
- type: string - runAsGroup: - description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. 
- type: string - type: object - supplementalGroups: - description: A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. - items: - format: int64 - type: integer - type: array - sysctls: - description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - windowsOptions: - description: The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - runAsUserName: - description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - serviceAccount: - description: 'DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.' 
- type: string - serviceAccountName: - description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' - type: string - shareProcessNamespace: - description: 'Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false.' - type: boolean - subdomain: - description: If specified, the fully qualified Pod hostname will be "...svc.". If not specified, the pod will not have a domainname at all. - type: string - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds. - format: int64 - type: integer - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. 
If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. This field is only honored by clusters that enable the EvenPodsSpread feature. All topologySpreadConstraints are ANDed. - items: - description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. - properties: - labelSelector: - description: LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. 
- type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - maxSkew: - description: 'MaxSkew describes the degree to which pods may be unevenly distributed. It''s the maximum permitted difference between the number of matching pods in any two topology domains of a given topology type. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. It''s a required field. Default value is 1 and 0 is not allowed.' - format: int32 - type: integer - topologyKey: - description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into each bucket. It's a required field. 
- type: string - whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how to deal with a pod if it doesn''t satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it - ScheduleAnyway tells the scheduler to still schedule it It''s considered as "Unsatisfiable" if and only if placing incoming pod on any topology violates "MaxSkew". For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won''t make it *more* imbalanced. It''s a required field.' - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - x-kubernetes-list-map-keys: - - topologyKey - - whenUnsatisfiable - x-kubernetes-list-type: map - volumes: - description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' - items: - type: object - type: array - required: - - containers - type: object - type: object - type: array - engineResources: - description: ResourceRequirements describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - explainer: - properties: - config: - additionalProperties: - type: string - type: object - containerSpec: - description: A single application container that you want to run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). 
Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the container. Cannot be updated. - items: - description: EnvVar represents an environment variable present in a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". 
- type: string - fieldPath: - description: Path of the field to select in the specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. 
- items: - description: EnvFromSource represents the source of a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. - properties: - postStart: - description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' 
- type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - livenessProbe: - description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
- items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. 
TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. - items: - description: ContainerPort represents a network port in a single container. - properties: - containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. 
Each named port in a pod must have a unique name. Name for the port that can be referred to by services. - type: string - protocol: - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - - protocol - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resources: - description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - securityContext: - description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. 
AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' - type: boolean - capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. - type: boolean - procMount: - description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - windowsOptions: - description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - runAsUserName: - description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. 
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is a beta feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. 
- type: string - tty: - description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. - items: - description: volumeDevice describes a mapping of a raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume within a container. - properties: - mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. 
- type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. - type: string - required: - - name - type: object - endpoint: - properties: - grpcPort: - format: int32 - type: integer - httpPort: - format: int32 - type: integer - service_host: - type: string - service_port: - format: int32 - type: integer - type: - type: string - type: object - envSecretRefName: - type: string - modelUri: - type: string - serviceAccountName: - type: string - type: - type: string - type: object - graph: - properties: - children: - items: - properties: - children: - items: - properties: - children: - items: - properties: - children: - items: - properties: - endpoint: - properties: - grpcPort: - format: int32 - type: integer - httpPort: - format: int32 - type: integer - service_host: - type: string - service_port: - format: int32 - type: integer - type: - type: string - type: object - envSecretRefName: - type: string - implementation: - type: string - logger: - description: Request/response payload logging. v2alpha1 feature that is added to v1 for backwards compatibility while v1 is the storage version. 
- properties: - mode: - description: What payloads to log - type: string - url: - description: URL to send request logging CloudEvents - type: string - type: object - methods: - items: - type: string - type: array - modelUri: - type: string - name: - type: string - parameters: - items: - properties: - name: - type: string - type: - type: string - value: - type: string - type: object - type: array - serviceAccountName: - type: string - type: - type: string - type: object - type: array - endpoint: - properties: - grpcPort: - format: int32 - type: integer - httpPort: - format: int32 - type: integer - service_host: - type: string - service_port: - format: int32 - type: integer - type: - type: string - type: object - envSecretRefName: - type: string - implementation: - type: string - logger: - description: Request/response payload logging. v2alpha1 feature that is added to v1 for backwards compatibility while v1 is the storage version. - properties: - mode: - description: What payloads to log - type: string - url: - description: URL to send request logging CloudEvents - type: string - type: object - methods: - items: - type: string - type: array - modelUri: - type: string - name: - type: string - parameters: - items: - properties: - name: - type: string - type: - type: string - value: - type: string - type: object - type: array - serviceAccountName: - type: string - type: - type: string - type: object - type: array - endpoint: - properties: - grpcPort: - format: int32 - type: integer - httpPort: - format: int32 - type: integer - service_host: - type: string - service_port: - format: int32 - type: integer - type: - type: string - type: object - envSecretRefName: - type: string - implementation: - type: string - logger: - description: Request/response payload logging. v2alpha1 feature that is added to v1 for backwards compatibility while v1 is the storage version. 
- properties: - mode: - description: What payloads to log - type: string - url: - description: URL to send request logging CloudEvents - type: string - type: object - methods: - items: - type: string - type: array - modelUri: - type: string - name: - type: string - parameters: - items: - properties: - name: - type: string - type: - type: string - value: - type: string - type: object - type: array - serviceAccountName: - type: string - type: - type: string - type: object - type: array - endpoint: - properties: - grpcPort: - format: int32 - type: integer - httpPort: - format: int32 - type: integer - service_host: - type: string - service_port: - format: int32 - type: integer - type: - type: string - type: object - envSecretRefName: - type: string - implementation: - type: string - logger: - description: Request/response payload logging. v2alpha1 feature that is added to v1 for backwards compatibility while v1 is the storage version. - properties: - mode: - description: What payloads to log - type: string - url: - description: URL to send request logging CloudEvents - type: string - type: object - methods: - items: - type: string - type: array - modelUri: - type: string - name: - type: string - parameters: - items: - properties: - name: - type: string - type: - type: string - value: - type: string - type: object - type: array - serviceAccountName: - type: string - type: - type: string - type: object - type: array - endpoint: - properties: - grpcPort: - format: int32 - type: integer - httpPort: - format: int32 - type: integer - service_host: - type: string - service_port: - format: int32 - type: integer - type: - type: string - type: object - envSecretRefName: - type: string - implementation: - type: string - logger: - description: Request/response payload logging. v2alpha1 feature that is added to v1 for backwards compatibility while v1 is the storage version. 
- properties: - mode: - description: What payloads to log - type: string - url: - description: URL to send request logging CloudEvents - type: string - type: object - methods: - items: - type: string - type: array - modelUri: - type: string - name: - type: string - parameters: - items: - properties: - name: - type: string - type: - type: string - value: - type: string - required: - - name - - type - - value - type: object - type: array - serviceAccountName: - type: string - type: - type: string - required: - - name - type: object - labels: - additionalProperties: - type: string - type: object - name: - type: string - replicas: - format: int32 - type: integer - shadow: - type: boolean - ssl: - properties: - certSecretName: - type: string - type: object - svcOrchSpec: - properties: - env: - items: - description: EnvVar represents an environment variable present in a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - replicas: - format: int32 - type: integer - resources: - description: ResourceRequirements describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - type: object - traffic: - format: int32 - type: integer - required: - - graph - - name - type: object - type: array - protocol: - type: string - replicas: - format: int32 - type: integer - serverType: - type: string - transport: - type: string - required: - - predictors - type: object - status: - description: SeldonDeploymentStatus defines the observed state of SeldonDeployment - properties: - address: - description: 'Addressable placeholder until duckv1 issue is fixed: https://github.com/kubernetes-sigs/controller-tools/issues/391' - properties: - url: - type: string - type: object - deploymentStatus: - additionalProperties: - properties: - availableReplicas: - format: int32 - type: integer - description: - type: string - explainerFor: - type: string - name: - type: string - replicas: - format: int32 - type: integer - status: - type: string - type: object - type: object - description: - type: string - replicas: - format: int32 - type: integer - serviceStatus: - additionalProperties: - properties: - explainerFor: - type: string - grpcEndpoint: - type: string - httpEndpoint: - type: string - svcName: - type: string - type: object - type: object - state: - type: string - type: object - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1alpha2 - served: true - storage: false - - name: v1alpha3 - served: true - storage: false ---- # Source: seldon-core-operator/templates/clusterrole_seldon-manager-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -4474,7 +20,7 @@ metadata: app: seldon app.kubernetes.io/instance: 'seldon-core' app.kubernetes.io/name: 'seldon-core-operator' - app.kubernetes.io/version: '1.6.0' + app.kubernetes.io/version: '1.15.0' name: seldon-manager-role-kubeflow rules: - apiGroups: 
@@ -4544,6 +90,46 @@ rules:
- get
- patch
- update
+- apiGroups:
+ - getambassador.io
+ resources:
+ - mappings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - getambassador.io
+ resources:
+ - mappings/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - getambassador.io
+ resources:
+ - tlscontexts
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - getambassador.io
+ resources:
+ - tlscontexts/status
+ verbs:
+ - get
+ - patch
+ - update
- apiGroups:
- keda.sh
resources:
@@ -4702,7 +288,7 @@ metadata:
app: seldon
app.kubernetes.io/instance: 'seldon-core'
app.kubernetes.io/name: 'seldon-core-operator'
- app.kubernetes.io/version: '1.6.0'
+ app.kubernetes.io/version: '1.15.0'
name: seldon-manager-sas-role-kubeflow
rules:
- apiGroups:
@@ -4730,6 +316,54 @@ rules:
- list
- watch
---
+# Source: seldon-core-operator/templates/clusterrole_seldon-webhook-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app: seldon
+ app.kubernetes.io/instance: 'seldon-core'
+ app.kubernetes.io/name: 'seldon-core-operator'
+ app.kubernetes.io/version: '1.15.0'
+ name: seldon-webhook-role-kubeflow
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - create
+ - delete
+ - update
+- apiGroups:
+ - apps
+ resources:
+ - deployments/finalizers
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - create
+ - get
+ - list
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions/finalizers
+ verbs:
+ - get
+ - patch
+ - update
+---
# Source: seldon-core-operator/templates/clusterrolebinding_seldon-manager-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
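Review bot: The new `seldon-webhook-role-kubeflow` ClusterRole gives the `seldon-manager` ServiceAccount `create`, `delete` and `update` on every MutatingWebhookConfiguration and ValidatingWebhookConfiguration in the cluster, plus `create` on CustomResourceDefinitions, and the binding hunk `@@ -4768,6 +402,25 @@` attaches it to the same account that already holds the manager and sas roles. A principal that can write admission webhooks can interpose on every admission request cluster-wide, so this is a much wider blast radius than the static ValidatingWebhookConfiguration this patch removes, should the operator pod or its token ever be compromised. Since `create` cannot be narrowed, at least scope the `get`/`update`/`delete` verbs with `resourceNames` to the webhook configurations the operator actually manages, and record in the component README why `MANAGER_CREATE_RESOURCES` now requires this role. The `@@ -4544,6 +90,46 @@` hunk in the same file also adds write access to getambassador.io `mappings` and `tlscontexts` although `AMBASSADOR_ENABLED` is set to `'false'` in the deployment hunk `@@ -4922,31 +591,19 @@`; those rules look unused and could be dropped to keep the role at least privilege.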
@@ -4738,7 +372,7 @@ metadata:
app: seldon
app.kubernetes.io/instance: 'seldon-core'
app.kubernetes.io/name: 'seldon-core-operator'
- app.kubernetes.io/version: '1.6.0'
+ app.kubernetes.io/version: '1.15.0'
name: seldon-manager-rolebinding-kubeflow
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -4757,7 +391,7 @@ metadata:
app: seldon
app.kubernetes.io/instance: 'seldon-core'
app.kubernetes.io/name: 'seldon-core-operator'
- app.kubernetes.io/version: '1.6.0'
+ app.kubernetes.io/version: '1.15.0'
name: seldon-manager-sas-rolebinding-kubeflow
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -4768,6 +402,25 @@ subjects:
name: seldon-manager
namespace: 'kubeflow'
---
+# Source: seldon-core-operator/templates/clusterrolebinding_seldon-webhook-rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: seldon
+ app.kubernetes.io/instance: 'seldon-core'
+ app.kubernetes.io/name: 'seldon-core-operator'
+ app.kubernetes.io/version: '1.15.0'
+ name: seldon-webhook-rolebinding-kubeflow
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: seldon-webhook-role-kubeflow
+subjects:
+- kind: ServiceAccount
+ name: seldon-manager
+ namespace: 'kubeflow'
+---
# Source: seldon-core-operator/templates/role_seldon-leader-election-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@@ -4776,14 +429,22 @@ metadata:
app: seldon
app.kubernetes.io/instance: 'seldon-core'
app.kubernetes.io/name: 'seldon-core-operator'
- app.kubernetes.io/version: '1.6.0'
+ app.kubernetes.io/version: '1.15.0'
name: seldon-leader-election-role
namespace: 'kubeflow'
rules:
- apiGroups:
- ''
resources:
- - configmaps
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
verbs:
- get
- list
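Review bot: Together with `@@ -4795,17 +456,22 @@`, the `@@ -4776,14 +429,22 @@` hunk leaves `seldon-leader-election-role` with `create`, `delete`, `list` and `watch` on every ConfigMap in the `kubeflow` namespace, which is more than a single leader-election lock object needs. The patch also adds `leases` in `coordination.k8s.io` and leaves `MANAGER_LEADER_ELECTION_RESOURCE_LOCK` empty in the deployment hunk, so the ConfigMap write verbs look like a carry-over for the older lock type rather than something a lease-based lock uses. If the lease lock is what actually runs, the ConfigMap rule could be reduced to the verbs still needed, or its `get`/`update`/`delete` scoped with `resourceNames` to the lock object name (presumably the `MANAGER_LEADER_ELECTION_ID` value `a33bd623.machinelearning.seldon.io`), so a compromised operator cannot read or remove unrelated ConfigMaps in the namespace.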
@@ -4795,17 +456,22 @@ rules:
- apiGroups:
- ''
resources:
- - configmaps/status
+ - configmaps
verbs:
- get
+ - list
+ - watch
+ - create
- update
- patch
+ - delete
- apiGroups:
- ''
resources:
- events
verbs:
- create
+ - patch
---
# Source: seldon-core-operator/templates/rolebinding_seldon-leader-election-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -4815,7 +481,7 @@ metadata:
app: seldon
app.kubernetes.io/instance: 'seldon-core'
app.kubernetes.io/name: 'seldon-core-operator'
- app.kubernetes.io/version: '1.6.0'
+ app.kubernetes.io/version: '1.15.0'
name: seldon-leader-election-rolebinding
namespace: 'kubeflow'
roleRef:
@@ -4824,30 +490,8 @@ roleRef:
name: seldon-leader-election-role
subjects:
- kind: ServiceAccount
- name: seldon-manager
- namespace: 'kubeflow'
----
-# Source: seldon-core-operator/templates/service_seldon-webhook-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app: seldon
- app.kubernetes.io/instance: 'seldon-core'
- app.kubernetes.io/name: 'seldon-core-operator'
- app.kubernetes.io/version: '1.6.0'
- name: seldon-webhook-service
+ name: 'seldon-manager'
namespace: 'kubeflow'
-spec:
- ports:
- - port: 443
- targetPort: 4443
- selector:
- app: seldon
- app.kubernetes.io/instance: seldon1
- app.kubernetes.io/name: seldon
- app.kubernetes.io/version: v0.5
- control-plane: seldon-controller-manager
---
# Source: seldon-core-operator/templates/deployment_seldon-controller-manager.yaml
apiVersion: apps/v1
@@ -4857,7 +501,7 @@ metadata:
app: seldon
app.kubernetes.io/instance: 'seldon-core'
app.kubernetes.io/name: 'seldon-core-operator'
- app.kubernetes.io/version: '1.6.0'
+ app.kubernetes.io/version: '1.15.0'
control-plane: seldon-controller-manager
name: seldon-controller-manager
namespace: 'kubeflow'
@@ -4873,6 +517,7 @@ spec:
template:
metadata:
annotations:
+ prometheus.io/port: '8080'
prometheus.io/scrape: 'true'
sidecar.istio.io/inject: 'false'
labels:
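Review bot: Deleting the `seldon-webhook-service` Service in `@@ -4824,30 +490,8 @@` while the Certificate in the later `@@ -5008,143 +665,44 @@` hunk is still issued for `seldon-webhook-service.$(SERVICE_NAMESPACE).svc` means the webhook endpoint now exists only if the operator creates that Service itself at runtime (`MANAGER_CREATE_RESOURCES` is flipped to `'true'` in `@@ -4887,34 +532,58 @@`). Nothing in this patch shows the operator-created Service, so it is worth confirming after a deploy that a Service of that name selecting the controller pod exists and listens on the webhook port, otherwise admission calls have no reachable backend. The `$(SERVICE_NAMESPACE)` and `$(CERTIFICATE_NAMESPACE)` placeholders also rely on a kustomize var substitution that is not visible here; a short list in the component README of which objects are operator-created versus kustomize-managed would make this split easier to maintain.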
@@ -4887,34 +532,58 @@ spec:
- --enable-leader-election
- --webhook-port=4443
- --create-resources=$(MANAGER_CREATE_RESOURCES)
+ - --log-level=$(MANAGER_LOG_LEVEL)
+ - --leader-election-id=$(MANAGER_LEADER_ELECTION_ID)
+ - --leader-election-resource-lock=$(MANAGER_LEADER_ELECTION_RESOURCE_LOCK)
+ - --leader-election-lease-duration-secs=$(MANAGER_LEADER_ELECTION_LEASE_DURATION_SECS)
+ - --leader-election-renew-deadline-secs=$(MANAGER_LEADER_ELECTION_RENEW_DEADLINE_SECS)
+ - --leader-election-retry-period-secs=$(MANAGER_LEADER_ELECTION_RETRY_PERIOD_SECS)
- ''
command:
- /manager
env:
+ - name: MANAGER_LEADER_ELECTION_ID
+ value: 'a33bd623.machinelearning.seldon.io'
+ - name: MANAGER_LEADER_ELECTION_RESOURCE_LOCK
+ value: ''
+ - name: MANAGER_LEADER_ELECTION_LEASE_DURATION_SECS
+ value: '15'
+ - name: MANAGER_LEADER_ELECTION_RENEW_DEADLINE_SECS
+ value: '10'
+ - name: MANAGER_LEADER_ELECTION_RETRY_PERIOD_SECS
+ value: '2'
+ - name: MANAGER_LOG_LEVEL
+ value: 'INFO'
- name: WATCH_NAMESPACE
value: ''
- name: RELATED_IMAGE_EXECUTOR
value: ''
- - name: RELATED_IMAGE_ENGINE
- value: ''
- name: RELATED_IMAGE_STORAGE_INITIALIZER
value: ''
- name: RELATED_IMAGE_SKLEARNSERVER
value: ''
+ - name: RELATED_IMAGE_SKLEARNSERVER_V2
+ value: ''
- name: RELATED_IMAGE_XGBOOSTSERVER
value: ''
+ - name: RELATED_IMAGE_XGBOOSTSERVER_V2
+ value: ''
- name: RELATED_IMAGE_MLFLOWSERVER
value: ''
+ - name: RELATED_IMAGE_MLFLOWSERVER_V2
+ value: ''
- name: RELATED_IMAGE_TFPROXY
value: ''
- name: RELATED_IMAGE_TENSORFLOW
value: ''
- name: RELATED_IMAGE_EXPLAINER
value: ''
+ - name: RELATED_IMAGE_EXPLAINER_V2
+ value: ''
- name: RELATED_IMAGE_MOCK_CLASSIFIER
value: ''
- name: MANAGER_CREATE_RESOURCES
- value: 'false'
+ value: 'true'
- name: POD_NAMESPACE
valueFrom:
fieldRef:
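Review bot: Flipping `MANAGER_CREATE_RESOURCES` to `'true'` moves the admission webhook configuration out of git and into state the operator creates at runtime, so the `failurePolicy: Fail` and the `serving.kubeflow.org/inferenceservice: enabled` namespaceSelector that the removed static ValidatingWebhookConfiguration carried (old side of `@@ -5008,143 +665,44 @@`) are no longer reviewable in this repo. For a manifests repository that is a policy change: which namespaces get SeldonDeployment validation, and what happens when the webhook is unreachable, is now decided by the operator rather than by kustomize. Please state in the component README how the runtime-created webhook is configured, and consider keeping `MANAGER_CREATE_RESOURCES` at `'false'` with the webhook, Service and certificate left declarative if the intent of this commit was only the version bump.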
@@ -4922,31 +591,19 @@ spec:
- name: CONTROLLER_ID
value: ''
- name: AMBASSADOR_ENABLED
- value: 'true'
- - name: AMBASSADOR_SINGLE_NAMESPACE
value: 'false'
- - name: ENGINE_CONTAINER_IMAGE_AND_VERSION
- value: 'docker.io/seldonio/engine:1.9.0'
- - name: ENGINE_CONTAINER_IMAGE_PULL_POLICY
- value: 'IfNotPresent'
- - name: ENGINE_CONTAINER_SERVICE_ACCOUNT_NAME
- value: 'default'
- - name: ENGINE_CONTAINER_USER
- value: '8888'
- - name: ENGINE_LOG_MESSAGES_EXTERNALLY
+ - name: AMBASSADOR_VERSION
+ value: 'v2'
+ - name: AMBASSADOR_SINGLE_NAMESPACE
value: 'false'
- - name: PREDICTIVE_UNIT_SERVICE_PORT
+ - name: PREDICTIVE_UNIT_HTTP_SERVICE_PORT
value: '9000'
+ - name: PREDICTIVE_UNIT_GRPC_SERVICE_PORT
+ value: '9500'
- name: PREDICTIVE_UNIT_DEFAULT_ENV_SECRET_REF_NAME
value: ''
- name: PREDICTIVE_UNIT_METRICS_PORT_NAME
value: 'metrics'
- - name: ENGINE_SERVER_GRPC_PORT
- value: '5001'
- - name: ENGINE_SERVER_PORT
- value: '8000'
- - name: ENGINE_PROMETHEUS_PATH
- value: '/prometheus'
- name: ISTIO_ENABLED
value: 'true'
- name: KEDA_ENABLED
@@ -4958,7 +615,7 @@ spec:
- name: USE_EXECUTOR
value: 'true'
- name: EXECUTOR_CONTAINER_IMAGE_AND_VERSION
- value: 'docker.io/seldonio/seldon-core-executor:1.9.0'
+ value: 'docker.io/seldonio/seldon-core-executor:1.15.0'
- name: EXECUTOR_CONTAINER_IMAGE_PULL_POLICY
value: 'IfNotPresent'
- name: EXECUTOR_PROMETHEUS_PATH
@@ -4973,6 +630,10 @@ spec:
value: 'metrics'
- name: EXECUTOR_REQUEST_LOGGER_DEFAULT_ENDPOINT
value: 'http://default-broker'
+ - name: EXECUTOR_REQUEST_LOGGER_WORK_QUEUE_SIZE
+ value: '10000'
+ - name: EXECUTOR_REQUEST_LOGGER_WRITE_TIMEOUT_MS
+ value: '2000'
- name: DEFAULT_USER_ID
value: '8888'
- name: EXECUTOR_DEFAULT_CPU_REQUEST
@@ -4983,15 +644,11 @@ spec:
value: '500m'
- name: EXECUTOR_DEFAULT_MEMORY_LIMIT
value: '512Mi'
- - name: ENGINE_DEFAULT_CPU_REQUEST
- value: '500m'
- - name: ENGINE_DEFAULT_MEMORY_REQUEST
- value: '512Mi'
- - name: ENGINE_DEFAULT_CPU_LIMIT
- value: '500m'
- - name: ENGINE_DEFAULT_MEMORY_LIMIT
- value: '512Mi'
- image: 'docker.io/seldonio/seldon-core-operator:1.9.0'
+ - name: DEPLOYMENT_NAME_AS_PREFIX
+ value: 'false'
+ - name: EXECUTOR_FULL_HEALTH_CHECKS
+ value: 'false'
+ image: 'docker.io/seldonio/seldon-core-operator:1.15.0'
imagePullPolicy: 'IfNotPresent'
name: manager
ports:
@@ -5008,143 +665,44 @@ spec: requests: cpu: '100m' memory: '200Mi' - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true + hostNetwork: false + priorityClassName: '' securityContext: runAsUser: 8888 serviceAccountName: 'seldon-manager' terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: seldon-webhook-server-cert --- # Source: seldon-core-operator/templates/certificate_seldon-serving-cert.yaml -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: labels: app: seldon app.kubernetes.io/instance: 'seldon-core' app.kubernetes.io/name: 'seldon-core-operator' - app.kubernetes.io/version: '1.6.0' + app.kubernetes.io/version: '1.15.0' name: seldon-serving-cert namespace: 'kubeflow' spec: - commonName: $(SERVICE_NAME).$(CERTIFICATE_NAMESPACE).svc + commonName: seldon-webhook-service.$(CERTIFICATE_NAMESPACE).svc dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc + - seldon-webhook-service.$(SERVICE_NAMESPACE).svc.cluster.local + - seldon-webhook-service.$(SERVICE_NAMESPACE).svc issuerRef: kind: Issuer name: seldon-selfsigned-issuer secretName: seldon-webhook-server-cert --- # Source: seldon-core-operator/templates/issuer_seldon-selfsigned-issuer.yaml -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Issuer metadata: labels: app: seldon app.kubernetes.io/instance: 'seldon-core' app.kubernetes.io/name: 'seldon-core-operator' - app.kubernetes.io/version: '1.6.0' + app.kubernetes.io/version: '1.15.0' name: seldon-selfsigned-issuer namespace: 'kubeflow' spec: selfSigned: {} ---- -# Source: seldon-core-operator/templates/webhook.yaml ---- - -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: kubeflow/seldon-serving-cert - creationTimestamp: null - labels: - 
app: seldon - app.kubernetes.io/instance: 'seldon-core' - app.kubernetes.io/name: 'seldon-core-operator' - app.kubernetes.io/version: '1.6.0' - name: seldon-validating-webhook-configuration-kubeflow -webhooks: -- clientConfig: - caBundle: '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' - service: - name: seldon-webhook-service - namespace: 'kubeflow' - path: /validate-machinelearning-seldon-io-v1-seldondeployment - failurePolicy: Fail - name: v1.vseldondeployment.kb.io - namespaceSelector: - matchExpressions: - - key: seldon.io/controller-id - operator: DoesNotExist - matchLabels: - serving.kubeflow.org/inferenceservice: enabled - rules: - - apiGroups: - - machinelearning.seldon.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - seldondeployments - sideEffects: None -- clientConfig: - caBundle: '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' - service: - name: seldon-webhook-service - namespace: 'kubeflow' - path: /validate-machinelearning-seldon-io-v1alpha2-seldondeployment - failurePolicy: Fail - name: v1alpha2.vseldondeployment.kb.io - namespaceSelector: - matchExpressions: - - key: seldon.io/controller-id - operator: DoesNotExist - matchLabels: - serving.kubeflow.org/inferenceservice: enabled - rules: - - apiGroups: - - machinelearning.seldon.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - seldondeployments - sideEffects: None -- clientConfig: - caBundle: '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' - service: - name: seldon-webhook-service - namespace: 'kubeflow' - path: /validate-machinelearning-seldon-io-v1alpha3-seldondeployment - failurePolicy: Fail - name: v1alpha3.vseldondeployment.kb.io - namespaceSelector: - matchExpressions: - - key: seldon.io/controller-id - operator: DoesNotExist - matchLabels: - serving.kubeflow.org/inferenceservice: enabled - rules: - - apiGroups: - - machinelearning.seldon.io - apiVersions: - - v1alpha3 - operations: - - CREATE - - UPDATE - 
resources: - - seldondeployments - sideEffects: None diff --git a/contrib/seldon/values.yaml b/contrib/seldon/values.yaml index 01820e5528..88d6cd6a7e 100644 --- a/contrib/seldon/values.yaml +++ b/contrib/seldon/values.yaml 
@@ -1,200 +1,22 @@ # # Seldon Core Operator -# Below are the default values when installing Seldon Core +# Below are the overrides for kubeflow defaults -# Defaults to .Release.Namespace -namespaceOverride: "" - -# ## Ingress Options -# You are able to choose between Istio and Ambassador - -# If you have ambassador installed you can just use the enabled flag -ambassador: - enabled: true - singleNamespace: false -# When activating Istio, respecive virtual services will be created -# You must make sure you create the seldon-gateway as well +# Istio gateway must be set to the kubeflow default istio: enabled: true gateway: kubeflow/kubeflow-gateway tlsMode: "" -# If you have KEDA installed you can use it for autoscaling -keda: - enabled: false -# ## Install with Cert Manager -# See installation page in documentation for more information + +# Certmanager using existing cert certManager: enabled: true -# ## Install with limited namespace visibility -# If you want to ensure seldon-core-controller can only have visibility -# to specifci namespaces you can set the controllerId -controllerId: "" - -# Whether operator should create the webhooks and configmap on startup (false means created from chart) -managerCreateResources: false - -# Default user id to add to all Pod Security Context as the default -# Use this to ensure all container run as non-root by default -# For openshift leave blank as usually this will be injected automatically on an openshift cluster -# to all pods. 
-defaultUserID: "8888" - -# runtime user to use for manager -managerUserID: 8888 +# Creation of resources automated as CRD too large for apply +managerCreateResources: true -# ## Service Orchestrator (Executor) -# The executor is the default service orchestrator which has superceeded the "Java Engine" -executor: - port: 8000 - metricsPortName: metrics - image: - pullPolicy: IfNotPresent - registry: docker.io - repository: seldonio/seldon-core-executor - tag: 1.9.0 - resources: - cpuLimit: 500m - cpuRequest: 500m - memoryLimit: 512Mi - memoryRequest: 512Mi - prometheus: - path: /prometheus - serviceAccount: - name: default - user: 8888 -# If you want to make available your own request logger for ELK integration you can set this -# For more information see the Production Integration for Payload Request Logging with ELK in the docs - requestLogger: - defaultEndpoint: 'http://default-broker' - -# ## Seldon Core Controller Manager Options -image: - pullPolicy: IfNotPresent - registry: docker.io - repository: seldonio/seldon-core-operator - tag: 1.9.0 -manager: - cpuLimit: 500m - cpuRequest: 100m - memoryLimit: 300Mi - memoryRequest: 200Mi - logLevel: INFO -rbac: - configmap: - create: true - create: true -serviceAccount: - create: true - name: seldon-manager -singleNamespace: false -storageInitializer: - cpuLimit: "1" - cpuRequest: 100m - image: seldonio/rclone-storage-initializer:1.9.0 - memoryLimit: 1Gi - memoryRequest: 100Mi -usageMetrics: - enabled: false -webhook: - port: 4443 - -# ## Predictive Unit Values -predictiveUnit: - httpPort: 9000 - grpcPort: 9500 - metricsPortName: metrics - # If you would like to add extra environment variables to the init container to make available - # secrets such as cloud credentials, you can provide a default secret name that will be loaded - # to all the containers. 
You can then override this using the envSecretRefName in SeldonDeployments - defaultEnvSecretRefName: "" -predictor_servers: - MLFLOW_SERVER: - protocols: - seldon: - defaultImageVersion: "1.9.0" - image: seldonio/mlflowserver - SKLEARN_SERVER: - protocols: - seldon: - defaultImageVersion: "1.9.0" - image: seldonio/sklearnserver - kfserving: - defaultImageVersion: "0.3.2" - image: seldonio/mlserver - TENSORFLOW_SERVER: - protocols: - seldon: - defaultImageVersion: "1.9.0" - image: seldonio/tfserving-proxy - tensorflow: - defaultImageVersion: 2.1.0 - image: tensorflow/serving - XGBOOST_SERVER: - protocols: - seldon: - defaultImageVersion: "1.9.0" - image: seldonio/xgboostserver - kfserving: - defaultImageVersion: "0.3.2" - image: seldonio/mlserver - TRITON_SERVER: - protocols: - kfserving: - defaultImageVersion: "20.08-py3" - image: nvcr.io/nvidia/tritonserver - TEMPO_SERVER: - protocols: - kfserving: - defaultImageVersion: "0.3.2" - image: seldonio/mlserver - -# ## Other -# You can choose the crds to not be installed if you already installed them -# This applies to just the yaml template. If you set managerCreateResources=true then -# it will try to create the CRD but only if it does not exist +# Disable CRD in helm charts as manager creates resources crd: - create: true - # Whether to force the use of the v1beta1 or v1 CRD. 
- forceV1: false - forceV1beta1: false - -# Warning: credentials will be depricated soon, please use defaultEnvSecretRefName above -# For more info please check the documentation -credentials: - gcs: - gcsCredentialFileName: gcloud-application-credentials.json - s3: - s3AccessKeyIDName: awsAccessKeyID - s3SecretAccessKeyName: awsSecretAccessKey + create: false kubeflow: true -# ## Engine parameters -# Warning: Engine is being depricated in favour of Orchestrator -# FOr more information please read the Upgrading section in the documentation -engine: - grpc: - port: 5001 - image: - pullPolicy: IfNotPresent - registry: docker.io - repository: seldonio/engine - tag: 1.9.0 - resources: - cpuLimit: 500m - cpuRequest: 500m - memoryLimit: 512Mi - memoryRequest: 512Mi - logMessagesExternally: false - port: 8000 - prometheus: - path: /prometheus - serviceAccount: - name: default - user: 8888 - - -# Explainer image -explainer: - image: seldonio/alibiexplainer:1.9.0 - diff --git a/example/kustomization.yaml b/example/kustomization.yaml index 172e9bf9e1..4e95c29358 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -38,7 +38,7 @@ resources: # Notebook Controller - ../apps/jupyter/notebook-controller/upstream/overlays/kubeflow # Profiles + KFAM -- ../apps/profiles/upstream/overlays/kubeflow +# - ../apps/profiles/upstream/overlays/kubeflow # Volumes Web App - ../apps/volumes-web-app/upstream/overlays/istio # Tensorboards Controller diff --git a/tests/gh-actions/kind-cluster-1-24.yaml b/tests/gh-actions/kind-cluster-1-24.yaml new file mode 100644 index 0000000000..eca9d4a34e --- /dev/null +++ b/tests/gh-actions/kind-cluster-1-24.yaml 
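Review bot: Setting `managerCreateResources: true` (with `crd.create: false`) moves CRD and admission-webhook creation out of `kubectl apply` and into the running operator, so the seldon-manager pod must now hold cluster-scoped create/update rights on customresourcedefinitions and validatingwebhookconfigurations, and the rendered manifest in the same commit no longer declares the ValidatingWebhookConfiguration (with its `failurePolicy: Fail` and `serving.kubeflow.org/inferenceservice: enabled` namespace scoping) at all. The comment `# Creation of resources automated as CRD too large for apply` gives the motivation but not this consequence; I'd extend it to `# Note: the manager creates CRDs and the validating webhook at startup, so it needs cluster-wide write access to those resources; keep its ClusterRole limited to them and check the runtime-created webhook keeps failurePolicy=Fail and the namespaceSelector`. Since the file is now overrides only, the security-relevant values that used to be pinned here (`defaultUserID`/`managerUserID` 8888, `usageMetrics.enabled: false`) are inherited from the upstream 1.15 chart and will change silently on the next chart bump; consider keeping them explicit.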
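Review bot: Commenting out `../apps/profiles/upstream/overlays/kubeflow` drops the Profiles controller and KFAM from the example install with no explanation in the hunk; as far as can be seen here, that is the component responsible for creating per-user namespaces together with their RoleBindings and Istio AuthorizationPolicies, on which namespace isolation for the other listed apps depends. If this is a temporary workaround for the Seldon upgrade, say so on the line, e.g. `# - ../apps/profiles/upstream/overlays/kubeflow  # TODO: re-enable; disabled temporarily because <reason>`, so it is not shipped in a release example by accident.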
@@ -0,0 +1,25 @@
+# This testing option is available for testing projects that don't yet support k8s 1.25
+apiVersion: kind.x-k8s.io/v1alpha4
+kind: Cluster
+# Configure registry for KinD.
+containerdConfigPatches:
+- |-
+ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."$REGISTRY_NAME:$REGISTRY_PORT"]
+ endpoint = ["http://$REGISTRY_NAME:$REGISTRY_PORT"]
+# This is needed in order to support projected volumes with service account tokens.
+# See: https://kubernetes.slack.com/archives/CEKK1KTN2/p1600268272383600
+kubeadmConfigPatches:
+ - |
+ apiVersion: kubeadm.k8s.io/v1beta2
+ kind: ClusterConfiguration
+ metadata:
+ name: config
+ apiServer:
+ extraArgs:
+ "service-account-issuer": "kubernetes.default.svc"
+ "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
+nodes:
+- role: control-plane
+ image: kindest/node:v1.24.7@sha256:577c630ce8e509131eab1aea12c022190978dd2f745aac5eb1fe65c0807eb315
+- role: worker
+ image: kindest/node:v1.24.7@sha256:577c630ce8e509131eab1aea12c022190978dd2f745aac5eb1fe65c0807eb315
From 66e24847aca692917dcadf2ba430f23474f64f42 Mon Sep 17 00:00:00 2001 From: gkcalat <35157096+gkcalat@users.noreply.github.com> Date: Mon, 12 Dec 2022 06:50:27 -0800 Subject: [PATCH 07/74] Fix contrib/metacontroller folder (#2341) * Add tests and update docs * Add other rules to readme * Address comments * Update kind cluster to 1.25 --- .../workflows/metacontroller_kind_test.yaml | 32 ++++++++++ contrib/metacontroller/Makefile | 63 +++++++++++++++++++ contrib/metacontroller/README.md | 36 +++++++++-- contrib/metacontroller/UPDGRADE.md | 9 +++ contrib/metacontroller/base/stateful-set.yaml | 2 +- .../test/catset-controller.yaml | 27 ++++++++ 6 files changed, 162 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/metacontroller_kind_test.yaml create mode 100644 contrib/metacontroller/Makefile create mode 100644 contrib/metacontroller/UPDGRADE.md create mode 100644 contrib/metacontroller/test/catset-controller.yaml
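Review bot: The containerd mirror entry uses literal `$REGISTRY_NAME:$REGISTRY_PORT` placeholders and, as far as I know, kind does not expand shell variables in its config file, so unless something substitutes them before `kind create cluster` reads this file the mirror block is inert; if it is meant to be active it also targets a plain `http://` endpoint, which is only acceptable for a throwaway local test registry. A comment naming the expected substitution step (or dropping the block if the workflows never use a local registry) would stop a reader assuming images go through a mirror. `kubeadm.k8s.io/v1beta2` is the deprecated kubeadm config API on 1.24 (v1beta3 exists since 1.22); it still works here but will break on a newer node image unless bumped. Pinning the node image by digest is good and should be kept when this file is updated.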
diff --git a/.github/workflows/metacontroller_kind_test.yaml b/.github/workflows/metacontroller_kind_test.yaml new file mode 100644
index 0000000000..1bb0c3d6d7
--- /dev/null
+++ b/.github/workflows/metacontroller_kind_test.yaml
@@ -0,0 +1,32 @@
+name: Build & Apply contrib/metacontroller in KinD
+on:
+ pull_request:
+ paths:
+ - contrib/metacontroller/**
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Install KinD
+ run: ./tests/gh-actions/install_kind.sh
+
+ - name: Create KinD Cluster
+ run: kind create cluster --config ./tests/gh-actions/kind-cluster.yaml
+
+ - name: Install kustomize
+ run: ./tests/gh-actions/install_kustomize.sh
+
+ - name: Install Istio
+ run: ./tests/gh-actions/install_istio.sh
+
+ - name: Install cert-manager
+ run: ./tests/gh-actions/install_cert_manager.sh
+
+ - name: Build & Apply manifests
+ run: |
+ cd contrib/metacontroller/
+ make test
diff --git a/contrib/metacontroller/Makefile b/contrib/metacontroller/Makefile new file mode 100644
index 0000000000..03010eee2d
--- /dev/null
+++ b/contrib/metacontroller/Makefile
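Review bot: The `paths` filter lists only `contrib/metacontroller/**`, so a change to `tests/gh-actions/kind-cluster.yaml` or to the `tests/gh-actions/install_*.sh` scripts this job depends on will not trigger it; add `- tests/gh-actions/kind-cluster.yaml` under `paths`. `actions/checkout@v3` is a mutable tag; pinning to a full commit SHA with a `# v3.x` comment is the usual supply-chain hardening for workflows that run on pull requests. The Istio and cert-manager install steps appear unused by the Makefile targets that `make test` runs, so unless the base manifests need them they only add time and surface to the job.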
@@ -0,0 +1,63 @@
+BUILD_DIR=./build
+
+.PHONY: hydrate
+hydrate:
+ rm -r -f "${BUILD_DIR}"
+ mkdir -p "${BUILD_DIR}"
+ kustomize build -o "${BUILD_DIR}" ./base
+ echo "Succesfully built into ${BUILD_DIR}."
+
+.PHONY: clean-build
+clean-build:
+ rm -r -f "${BUILD_DIR}"
+ echo "Succesfully cleaned ${BUILD_DIR}."
+
+.PHONY: apply
+apply: hydrate
+ kubectl apply -f "${BUILD_DIR}"
+ echo "Succesfully applied from ${BUILD_DIR}."
+
+.PHONY: delete
+delete: hydrate
+ kubectl delete -f "${BUILD_DIR}"
+ echo "Succesfully deleted metacontroller."
+
+.PHONY: test
+test: test-deploy test-catset-controller test-deploy-cleanup
+
+.PHONY: test-deploy
+test-deploy:
+ kubectl create namespace kubeflow || echo "Found 'kubeflow' namespace"
+ kustomize build ./base | kubectl apply -f -
+ sleep 30
+ # Check CRDs
+ kubectl -n kubeflow wait --for=condition=established --timeout=60s crd/compositecontrollers.metacontroller.k8s.io
+ kubectl -n kubeflow wait --for=condition=established --timeout=60s crd/controllerrevisions.metacontroller.k8s.io
+ kubectl -n kubeflow wait --for=condition=established --timeout=60s crd/decoratorcontrollers.metacontroller.k8s.io
+ # Check ServiceAccount
+ kubectl get -n kubeflow serviceaccount/meta-controller-service
+ kubectl get -n kubeflow clusterrolebinding/meta-controller-cluster-role-binding
+ # Check StatefulSet
+ kubectl -n kubeflow rollout status --watch --timeout=60s StatefulSet/metacontroller
+ echo "[Test] contrib/metacontroller deployment PASSED"
+
+.PHONY: test-deploy-cleanup
+test-deploy-cleanup:
+ # Cleanup
+ kustomize build ./base | kubectl delete -f -
+
+.PHONY: test-catset-controller
+test-catset-controller:
+ # Create a sample CRD
+ kubectl apply -f test/catset-controller.yaml
+ sleep 30
+ # Check a custom CRD
+ kubectl -n kubeflow get compositecontrollers/catset-controller
+ # Cleanup
+ kubectl delete compositecontrollers/catset-controller
+ echo "[Test] contrib/metacontroller catset-controller PASSED"
+
+.PHONY: pull
+pull:
+ # Check
./UPGRADE.md for instructions on how to pull updated manifests + kpt pkg update .@${KFP_VERSION} diff --git a/contrib/metacontroller/README.md b/contrib/metacontroller/README.md index 956c9f74d2..bc2e7e15ac 100644 --- a/contrib/metacontroller/README.md +++ b/contrib/metacontroller/README.md @@ -1,16 +1,40 @@ # Metacontroller - [Official documentation](https://metacontroller.github.io/metacontroller/) -- [Official repoitory](https://github.com/metacontroller/metacontroller) +- [Official repository](https://github.com/metacontroller/metacontroller) -## Upgrade +Metacontroller is an add-on for Kubernetes that makes it easy to write and deploy custom controllers. -Metacontroller is pulled from [Kubeflow Pipelines third-party folder](https://github.com/kubeflow/pipelines/tree/master/manifests/kustomize/third-party/metacontroller). To update this component specify the desired KFP version and run the following command in console from the root directory **/**: +## Prerequisites + +- Kubernetes v1.16+ (because of maintainability, e2e test suite might not cover all releases). +- You should have `kubectl` available and configured to talk to the desired cluster. +- `kustomize`. + +## Compile manifests + +```bash +make hydrate +``` + +## Install Metacontroller + +```bash +make apply +``` + +## Verify deployment + +```bash +make test +``` + +## Uninstall Metacontroller ```bash -export KFP_VERSION=2.0.0-alpha.3 # specify KFP version -kpt pkg update ./contrib/metacontroller@${KFP_VERSION} +make delete ``` -Alternatively, you can copy the content from [Kubeflow Pipelines third-party folder](https://github.com/kubeflow/pipelines/tree/master/manifests/kustomize/third-party/metacontroller) by choosing the appropriate `TAG` in that repository. +## Upgrade Metacontroller +To upgrade to the lates version used in Kubeflow, follow the steps in [UPGRADE.md](./UPDGRADE.md). 
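Review bot: In `test: test-deploy test-catset-controller test-deploy-cleanup` the cleanup is an ordinary prerequisite, so when `test-catset-controller` fails make stops before `test-deploy-cleanup` runs and the metacontroller StatefulSet plus its cluster-wide ClusterRoleBinding are left behind in the test cluster; run the cleanup unconditionally, e.g. `test: test-deploy` followed by a recipe `$(MAKE) test-catset-controller; rc=$$?; $(MAKE) test-deploy-cleanup; exit $$rc`. The `pull` comment points at `./UPGRADE.md` but the file added in this commit is `UPDGRADE.md`, so the reference is dead until one of the two names is fixed. The fixed `sleep 30` calls are redundant with the `kubectl wait`/`rollout status` that follow, and `-n kubeflow` on the `crd/...` waits is misleading since CRDs are cluster-scoped. `kpt pkg update .@${KFP_VERSION}` pulls upstream manifests without any checksum or signature check, which is acceptable for a manual maintainer step but worth stating in the upgrade doc.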
diff --git a/contrib/metacontroller/UPDGRADE.md b/contrib/metacontroller/UPDGRADE.md new file mode 100644 index 0000000000..0f7df233cc --- /dev/null +++ b/contrib/metacontroller/UPDGRADE.md @@ -0,0 +1,9 @@ +# Upgrade Metacontroller + +Metacontroller is pulled from [Kubeflow Pipelines's (KFP) third-party folder](https://github.com/kubeflow/pipelines/tree/master/manifests/kustomize/third-party/metacontroller). To update this component specify the desired Kubeflow Pipelines version as `KFP_VERSION` environment variable and run `make pull` in console: + +```bash +KFP_VERSION=2.0.0-alpha.3 make pull +``` + +Alternatively, you can copy the content from [Kubeflow Pipelines third-party folder](https://github.com/kubeflow/pipelines/tree/master/manifests/kustomize/third-party/metacontroller) by choosing the appropriate `TAG` in that repository. diff --git a/contrib/metacontroller/base/stateful-set.yaml b/contrib/metacontroller/base/stateful-set.yaml index 3f8b94c634..1df4ed7086 100644 --- a/contrib/metacontroller/base/stateful-set.yaml +++ b/contrib/metacontroller/base/stateful-set.yaml @@ -32,7 +32,7 @@ spec: securityContext: capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 diff --git a/contrib/metacontroller/test/catset-controller.yaml b/contrib/metacontroller/test/catset-controller.yaml new file mode 100644 index 0000000000..ea6f4e9688 --- /dev/null +++ b/contrib/metacontroller/test/catset-controller.yaml 
@@ -0,0 +1,27 @@
+apiVersion: metacontroller.k8s.io/v1alpha1
+kind: CompositeController
+metadata: # kpt-merge: /catset-controller
+ name: catset-controller
+spec:
+ parentResource:
+ apiVersion: ctl.enisoc.com/v1
+ resource: catsets
+ revisionHistory:
+ fieldPaths:
+ - spec.template
+ childResources:
+ - apiVersion: v1
+ resource: pods
+ updateStrategy:
+ method: RollingRecreate
+ statusChecks:
+ conditions:
+ - type: Ready
+ status: "True"
+ - apiVersion: v1
+ resource: persistentvolumeclaims
+ hooks:
+ sync:
+ webhook:
+ url: http://catset-controller.metacontroller/sync
+ timeout: 10s
From d8faeb73988101f1013330e22e6777c568f0b5b1 Mon Sep 17 00:00:00 2001 From: Anna Date: Wed, 14 Dec 2022 09:23:29 -0500 Subject: [PATCH 08/74] Add unmaintained notice to contrib dex-auth (#2316) Signed-off-by: Anna Jung (VMware) Signed-off-by: Anna Jung (VMware) --- contrib/dex-auth/README.md | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/contrib/dex-auth/README.md b/contrib/dex-auth/README.md
index 3ef8cf3f7d..0f464041a6 100644
--- a/contrib/dex-auth/README.md
+++ b/contrib/dex-auth/README.md
@@ -1,3 +1,12 @@
+Please note: This component is **unmaintained and out-of-date**.
+
+If the component fails to meet the [contrib requirements](https://github.com/kubeflow/manifests/blob/master/proposals/20220926-contrib-component-guidelines.md#component-requirements)
+ by the next Kubeflow release ([1.7](https://github.com/kubeflow/community/tree/master/releases/release-1.7#timeline)),
+ it will be removed from the [`manifest`](https://github.com/kubeflow/manifests) repository.
+
+Updates to the `/contrib` components can be found in the [tracking issue](https://github.com/kubeflow/manifests/issues/2311).
+
+
# Kubeflow Authentication and Authorization Prototype This implementation's target platforms are Kubernetes clusters with access to modify Kubernetes' API config file, which is generally possible with on Premise installations of Kubernetes.
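Review bot: The sync hook `url: http://catset-controller.metacontroller/sync` points at a service in a `metacontroller` namespace that, as far as the accompanying Makefile shows, nothing in the test deploys, so `make test` only verifies that the CompositeController object is admitted and listed, not that metacontroller can drive a hook. A header comment such as `# Smoke-test fixture only: the webhook target does not exist, metacontroller will log sync failures for it` would make that explicit for whoever extends the test. If it is ever turned into a functional test, the hook should target a service the test itself creates, ideally over HTTPS, rather than a plain-HTTP name in an undeployed namespace.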
From 610f97049c6258ec687cc9043903e15adf88e1a5 Mon Sep 17 00:00:00 2001 From: Anna Date: Wed, 14 Dec 2022 09:24:29 -0500 Subject: [PATCH 09/74] Add unmaintained notice to contrib flink (#2319) Signed-off-by: Anna Jung (VMware) Signed-off-by: Anna Jung (VMware) --- contrib/flink/README.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 contrib/flink/README.md diff --git a/contrib/flink/README.md b/contrib/flink/README.md new file mode 100644 index 0000000000..642106f637 --- /dev/null +++ b/contrib/flink/README.md @@ -0,0 +1,7 @@ +Please note: This component is **unmaintained and out-of-date**. + +If the component fails to meet the [contrib requirements](https://github.com/kubeflow/manifests/blob/master/proposals/20220926-contrib-component-guidelines.md#component-requirements) + by the next Kubeflow release ([1.7](https://github.com/kubeflow/community/tree/master/releases/release-1.7#timeline)), + it will be removed from the [`manifest`](https://github.com/kubeflow/manifests) repository. + +Updates to the `/contrib` components can be found in the [tracking issue](https://github.com/kubeflow/manifests/issues/2311). \ No newline at end of file From 53b3308990d196e05d59e9e7feaf285989cd738e Mon Sep 17 00:00:00 2001 From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Mon, 16 Jan 2023 17:47:02 +0100 Subject: [PATCH 10/74] Update README.md (#2348) * Update README.md * Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 9f572c51b8..c2df9bcbf5 100644 --- a/README.md +++ b/README.md 
@@ -220,14 +220,14 @@ Install the [Multi-User Kubeflow Pipelines](https://www.kubeflow.org/docs/compon ```sh kustomize build apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user | kubectl apply -f - ``` +This installs argo with the safe-to use runasnonroot emissary executor. Please note that the installer is still responsible to analyze the security issues that arise when containers are run with root access and to decide if the kubeflow pipeline main containers are run as runasnonroot. It is strongly recommended that the pipelines main containers are installed and run as runasnonroot and without any special capabilities to mitigate security risks. -If your container runtime is not docker, use pns executor instead: - +Do not use the deprecated and insecure PNS executor anymore ```sh kustomize build apps/pipeline/upstream/env/platform-agnostic-multi-user-pns | kubectl apply -f - ``` -Refer to [argo workflow executor documentation](https://argoproj.github.io/argo-workflows/workflow-executors/#process-namespace-sharing-pns) for their pros and cons. +Refer to [argo workflow executor documentation](https://argoproj.github.io/argo-workflows/workflow-executors) for further reasoning. **Multi-User Kubeflow Pipelines dependencies** From d82081f8c6f34723f8e32bdc7c5421b9da5e6102 Mon Sep 17 00:00:00 2001 From: Anna Date: Mon, 16 Jan 2023 12:12:00 -0500 Subject: [PATCH 11/74] Add unmaintained notice to contrib feast (#2318) Signed-off-by: Anna Jung (VMware) Signed-off-by: Anna Jung (VMware) --- contrib/feast/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/contrib/feast/README.md b/contrib/feast/README.md index b95266f850..0688e9a0ba 100644 --- a/contrib/feast/README.md +++ b/contrib/feast/README.md 
@@ -1,3 +1,12 @@ +Please note: This component is **unmaintained and out-of-date**. + +If the component fails to meet the [contrib requirements](https://github.com/kubeflow/manifests/blob/master/proposals/20220926-contrib-component-guidelines.md#component-requirements) + by the next Kubeflow release ([1.7](https://github.com/kubeflow/community/tree/master/releases/release-1.7#timeline)), + it will be removed from the [`manifest`](https://github.com/kubeflow/manifests) repository. + +Updates to the `/contrib` components can be found in the [tracking issue](https://github.com/kubeflow/manifests/issues/2311). + + # Feast Kustomize ## Installing with Kustomize From 943be75d504bd870c245ea0370f444e5fb3979da Mon Sep 17 00:00:00 2001 From: Anna Date: Tue, 17 Jan 2023 12:10:21 -0500 Subject: [PATCH 12/74] Add unmaintained notice to contrib spark (#2320) Signed-off-by: Anna Jung (VMware) Signed-off-by: Anna Jung (VMware) --- contrib/README.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 contrib/README.md diff --git a/contrib/README.md b/contrib/README.md new file mode 100644 index 0000000000..642106f637 --- /dev/null +++ b/contrib/README.md @@ -0,0 +1,7 @@ +Please note: This component is **unmaintained and out-of-date**. + +If the component fails to meet the [contrib requirements](https://github.com/kubeflow/manifests/blob/master/proposals/20220926-contrib-component-guidelines.md#component-requirements) + by the next Kubeflow release ([1.7](https://github.com/kubeflow/community/tree/master/releases/release-1.7#timeline)), + it will be removed from the [`manifest`](https://github.com/kubeflow/manifests) repository. + +Updates to the `/contrib` components can be found in the [tracking issue](https://github.com/kubeflow/manifests/issues/2311). \ No newline at end of file From 858dfc75dda77c5350bf0ca4e21c61741c52a10c Mon Sep 17 00:00:00 2001 
From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Fri, 20 Jan 2023 15:42:23 +0100 Subject: [PATCH 13/74] Harden the istio 1.16 configuration (#2357) * Update service.yaml * Update kustomization.yaml * Create disable-debugging.yaml * Update service.yaml --- common/dex/base/service.yaml | 3 +-- .../istio-install/base/kustomization.yaml | 1 + .../base/patches/disable-debugging.yaml | 17 +++++++++++++++++ .../istio-install/base/patches/service.yaml | 2 +- 4 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 common/istio-1-16/istio-install/base/patches/disable-debugging.yaml
diff --git a/common/dex/base/service.yaml b/common/dex/base/service.yaml
index 7f0088208f..7c865c8f0f 100644
--- a/common/dex/base/service.yaml
+++ b/common/dex/base/service.yaml
@@ -3,12 +3,11 @@ kind: Service
metadata:
name: dex
spec:
- type: NodePort
+ type: ClusterIP
ports:
- name: dex
port: 5556
protocol: TCP
targetPort: 5556
- nodePort: 32000
selector:
app: dex
diff --git a/common/istio-1-16/istio-install/base/kustomization.yaml b/common/istio-1-16/istio-install/base/kustomization.yaml
index 70db91ae80..647755c6a2 100644
--- a/common/istio-1-16/istio-install/base/kustomization.yaml
+++ b/common/istio-1-16/istio-install/base/kustomization.yaml
@@ -13,6 +13,7 @@ resources:
patchesStrategicMerge:
- patches/service.yaml
- patches/istio-configmap-disable-tracing.yaml
+- patches/disable-debugging.yaml
# Disable this patch until we upgrade to kustomize to v4+
# see https://github.com/kubeflow/manifests/issues/2325#issuecomment-1323909056
# - patches/remove-pdb.yaml
diff --git a/common/istio-1-16/istio-install/base/patches/disable-debugging.yaml b/common/istio-1-16/istio-install/base/patches/disable-debugging.yaml new file mode 100644
index 0000000000..2b3f43dd1d
--- /dev/null
+++ b/common/istio-1-16/istio-install/base/patches/disable-debugging.yaml
@@ -0,0 +1,17 @@
+# Penetration test enahncement: check port 15010 & 8080 in istiod: According to https://istio.io/latest/docs/ops/best-practices/security/#control-plane port 15010
+# is not that problematic (only resource discovery). Other parts of the documentation also say| 15010 | GRPC | XDS and CA services (Plaintext, only for secure networks) |
+# We have a secure network layer and only XDS is served.
+# Port 8080 is not listed in the service and even if it would be somehow reachable by IP it only "offers read access".
+# Nevertheless we set ENABLE_DEBUG_ON_HTTP=false do disable it entirely.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istiod
+ namespace: istio-system
+spec:
+ template:
+ spec:
+ containers:
+ - name: discovery
+ env:
+ - name: ENABLE_DEBUG_ON_HTTP
diff --git a/common/istio-1-16/istio-install/base/patches/service.yaml b/common/istio-1-16/istio-install/base/patches/service.yaml
index 7b46a35d81..5d2faff985 100644
--- a/common/istio-1-16/istio-install/base/patches/service.yaml
+++ b/common/istio-1-16/istio-install/base/patches/service.yaml
@@ -4,4 +4,4 @@ metadata:
name: istio-ingressgateway
namespace: istio-system
spec:
- type: NodePort
+ type: ClusterIP
From ded35ed725ff24fd24ccf25ac339fb62700b52c6 Mon Sep 17 00:00:00 2001 From: apoger Date: Tue, 24 Jan 2023 17:30:26 +0200 Subject: [PATCH 14/74] common: Upgrade Knative Serving manifests to version 1.8.1 (#2335) * common: Upgrade knative-serving manifests to v1.8.1 Signed-off-by: Apostolos Gerakaris * Update README files * Update instructions - No need to explicitly change the `portLevelMtls.8443` keys to be string as this is fixed in upstream (https://github.com/knative-sandbox/net-istio/pull/841) * Update version references of knative-serving Signed-off-by: Apostolos Gerakaris
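Review bot: The patch declares `- name: ENABLE_DEBUG_ON_HTTP` but never assigns it a value — the hunk's 17 lines end right after the name — so the strategic-merge patch adds or overwrites the variable with an empty string, and as far as I can tell from istiod's boolean env handling an empty value is not parsed as `false`, so the debug endpoints stay enabled despite what the comment above claims. Add `value: "false"` on the line after the name, indented under it, and the kind-based CI run should then confirm the patch applies. While editing the comment, `enahncement` → `enhancement` and `do disable` → `to disable`.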
Signed-off-by: Apostolos Gerakaris --- README.md | 2 +- common/knative/README.md | 13 +- .../base/serving-post-install-jobs.yaml | 12 +- .../base/upstream/net-istio.yaml | 78 +- .../base/upstream/serving-core.yaml | 1627 +++++++++++++---- 5 files changed, 1302 insertions(+), 430 deletions(-) diff --git a/README.md b/README.md index c2df9bcbf5..654ebdb09a 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ used from the different projects of Kubeflow: | Component | Local Manifests Path | Upstream Revision | | - | - | - | | Istio | common/istio-1-16 | [1.16.0](https://github.com/istio/istio/releases/tag/1.16.0) | -| Knative | common/knative | [0.22.1](https://github.com/knative/serving/releases/tag/v0.22.1) | +| Knative | common/knative/knative-serving
common/knative/knative-eventing | [1.8.1](https://github.com/knative/serving/releases/tag/knative-v1.8.1)
[1.8.1](https://github.com/knative/eventing/releases/tag/knative-v1.8.1) | | Cert Manager | common/cert-manager | [1.10.1](https://github.com/cert-manager/cert-manager/releases/tag/v1.10.1) | ## Installation diff --git a/common/knative/README.md b/common/knative/README.md index 514a3d331d..1d8dc912bd 100644 --- a/common/knative/README.md +++ b/common/knative/README.md @@ -4,8 +4,8 @@ The manifests for Knative Serving are based off the following: - - [Knative serving (v1.2.5)](https://github.com/knative/serving/releases/download/knative-v1.2.5/serving-core.yaml) - - [Knative ingress controller for Istio (v1.2.0)](https://github.com/knative-sandbox/net-istio/releases/download/knative-v1.2.0/net-istio.yaml) + - [Knative serving (v1.8.1)](https://github.com/knative/serving/releases/tag/knative-v1.8.1) + - [Knative ingress controller for Istio (v1.8.0)](https://github.com/knative-sandbox/net-istio/releases/tag/knative-v1.8.0) 1. Download the knative-serving manifests with the following commands: 
@@ -13,9 +13,9 @@ The manifests for Knative Serving are based off the following: ```sh # No need to install serving-crds. # See: https://github.com/knative/serving/issues/9945 - wget -O knative-serving/base/upstream/serving-core.yaml 'https://github.com/knative/serving/releases/download/knative-v1.2.5/serving-core.yaml' - wget -O knative-serving/base/upstream/net-istio.yaml 'https://github.com/knative-sandbox/net-istio/releases/download/knative-v1.2.0/net-istio.yaml' - wget -O knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml https://github.com/knative/serving/releases/download/knative-v1.2.5/serving-post-install-jobs.yaml + wget -O knative-serving/base/upstream/serving-core.yaml 'https://github.com/knative/serving/releases/download/knative-v1.8.1/serving-core.yaml' + wget -O knative-serving/base/upstream/net-istio.yaml 'https://github.com/knative-sandbox/net-istio/releases/download/knative-v1.8.0/net-istio.yaml' + wget -O knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml 'https://github.com/knative/serving/releases/download/knative-v1.8.1/serving-post-install-jobs.yaml' ``` 1. Remove all comments, since `yq` does not handle them correctly. See: @@ -67,9 +67,6 @@ NOTE: You'll need to remove a redundant `{}` at the end of the `knative-serving/ - In `config-istio`, the Knative gateway is set to use `gateway.kubeflow.kubeflow-gateway`. - In `config-deployment`, `progressDeadline` is set to `600s` as sometimes large models need longer than the default of `120s` to start the containers. -- In `knative-serving/base/upstream/net-istio.yaml` we explicitly changed the - `portLevelMtls.8443` keys to be string. This was necessary to make these - manifests work with kustomize 4.2 https://github.com/kubernetes-sigs/kustomize/issues/3446 ## Knative-Eventing 
diff --git a/common/knative/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml b/common/knative/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml index c2bbc7396f..5471990977 100644 --- a/common/knative/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml +++ b/common/knative/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml @@ -7,8 +7,7 @@ metadata: app: storage-version-migration-serving app.kubernetes.io/name: knative-serving app.kubernetes.io/component: storage-version-migration-job - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.1" name: storage-version-migration-serving spec: ttlSecondsAfterFinished: 600 @@ -21,13 +20,13 @@ spec: app: storage-version-migration-serving app.kubernetes.io/name: knative-serving app.kubernetes.io/component: storage-version-migration-job - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.1" spec: serviceAccountName: controller restartPolicy: OnFailure containers: - name: migrate - image: gcr.io/knative-releases/knative.dev/pkg/apiextensions/storageversion/cmd/migrate@sha256:bf8ef91c3caccfcde8aa59d15f9fe9a06053134a0172cc7c18c4787fdcfbc77e + image: gcr.io/knative-releases/knative.dev/pkg/apiextensions/storageversion/cmd/migrate@sha256:b6a9bb1c500669410d1ec2fef88af0de011375e619c335973a2894f109135858 args: - "services.serving.knative.dev" - "configurations.serving.knative.dev" @@ -44,3 +43,8 @@ spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault diff --git a/common/knative/knative-serving/base/upstream/net-istio.yaml b/common/knative/knative-serving/base/upstream/net-istio.yaml index 23c5bb20a3..1d81a72735 100644 --- a/common/knative/knative-serving/base/upstream/net-istio.yaml +++ b/common/knative/knative-serving/base/upstream/net-istio.yaml 
@@ -5,8 +5,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" serving.knative.dev/controller: "true" networking.knative.dev/ingress-provider: istio rules: @@ -22,8 +21,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio spec: selector: @@ -44,8 +42,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio experimental.istio.io/disable-gateway-port-translation: "true" spec: @@ -65,8 +62,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio data: _example: | @@ -108,13 +104,6 @@ data: # `knative-serving` local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local" - # DEPRECATED: local-gateway.mesh is deprecated. - # See: https://github.com/knative/serving/issues/11523 - # - # To use only Istio service mesh and no knative-local-gateway, replace - # all local-gateway.* entries by the following entry. - local-gateway.mesh: "mesh" - # If true, knative will use the Istio VirtualService's status to determine # endpoint readiness. Otherwise, probe as usual. # NOTE: This feature is currently experimental and should not be used in production. 
@@ -128,8 +117,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio spec: selector: @@ -147,8 +135,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio spec: selector: @@ -166,8 +153,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio spec: selector: @@ -185,8 +171,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio spec: selector: @@ -201,13 +186,12 @@ spec: app: net-istio-controller app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" spec: serviceAccountName: controller containers: - name: controller - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:f253b82941c2220181cee80d7488fe1cefce9d49ab30bdb54bcb8c76515f7a26 + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:2b484d982ef1a5d6ff93c46d3e45f51c2605c2e3ed766e20247d1727eb5ce918 resources: requests: cpu: 30m 
@@ -224,6 +208,8 @@ spec: value: config-logging - name: CONFIG_OBSERVABILITY_NAME value: config-observability + - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID + value: "false" - name: METRICS_DOMAIN value: knative.dev/net-istio securityContext: @@ -232,7 +218,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 @@ -247,8 +235,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio spec: selector: @@ -264,13 +251,12 @@ spec: role: net-istio-webhook app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" spec: serviceAccountName: controller containers: - name: webhook - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:a705c1ea8e9e556f860314fe055082fbe3cde6a924c29291955f98d979f8185e + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:59b6a46d3b55a03507c76a3afe8a4ee5f1a38f1130fd3d65c9fe57fff583fa8d resources: requests: cpu: 20m @@ -292,7 +278,13 @@ spec: - name: WEBHOOK_NAME value: net-istio-webhook securityContext: + runAsNonRoot: true allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 @@ -309,8 +301,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio --- apiVersion: v1 
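Review bot: `ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID` is set to `"false"` in the controller's `env`, which — going by the variable name and what appears to be the upstream default — keeps the net-istio controller's Secret informer unfiltered, so it lists and caches every Secret its ClusterRole lets it read rather than only the Knative certificate secrets. For a least-privilege posture consider overriding it to `value: "true"` in a Kubeflow overlay rather than editing the vendored file, after confirming that the Knative certificate secrets in this deployment carry the UID label the filter keys on; if they do not, TLS for Knative routes will silently stop reconciling. The rest of the controller spec, including any `readOnlyRootFilesystem`, lies outside this hunk.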
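Review bot: The webhook container's new `securityContext` adds `runAsNonRoot`, drops all capabilities and sets the `RuntimeDefault` seccomp profile but omits `readOnlyRootFilesystem: true`, which the storage-version-migration job in this same patch does set; the three settings usually travel together. If the webhook does not write to its root filesystem, add `readOnlyRootFilesystem: true` alongside `allowPrivilegeEscalation: false` (via a Kubeflow overlay patch, since this is an upstream file), and mount an `emptyDir` at `/tmp` only if it turns out to need scratch space. The controller container's `securityContext` in the preceding hunk deserves the same check; its upper lines are outside that hunk.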
@@ -322,8 +313,7 @@ metadata: role: net-istio-webhook app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio spec: ports: @@ -346,8 +336,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio webhooks: - admissionReviewVersions: @@ -371,8 +360,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.0" - serving.knative.dev/release: "v1.2.0" + app.kubernetes.io/version: "1.8.0" networking.knative.dev/ingress-provider: istio webhooks: - admissionReviewVersions: @@ -385,8 +373,8 @@ webhooks: failurePolicy: Fail sideEffects: None name: config.webhook.istio.networking.internal.knative.dev - namespaceSelector: - matchExpressions: - - key: serving.knative.dev/release - operator: Exists ---- \ No newline at end of file + objectSelector: + matchLabels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/component: net-istio +--- diff --git a/common/knative/knative-serving/base/upstream/serving-core.yaml b/common/knative/knative-serving/base/upstream/serving-core.yaml index f4b997cbbc..5f8289071a 100644 --- a/common/knative/knative-serving/base/upstream/serving-core.yaml +++ b/common/knative/knative-serving/base/upstream/serving-core.yaml 
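Review bot: Replacing the `namespaceSelector` on `serving.knative.dev/release` with an `objectSelector` requiring both `app.kubernetes.io/name: knative-serving` and `app.kubernetes.io/component: net-istio` means the `config.webhook.istio.networking.internal.knative.dev` validating webhook now only sees ConfigMaps carrying both labels; a `config-istio` written or patched without them — for example by a kustomize overlay that replaces the label set — is admitted unvalidated rather than rejected, and `failurePolicy: Fail` does not help because the webhook is never invoked. Since Kubeflow patches `config-istio` downstream (the common/knative README hunk above mentions setting the gateway there), confirm the patched ConfigMap still carries both labels, e.g. `kubectl -n knative-serving get cm config-istio --show-labels`, and consider asserting that in the KinD test workflows. The rest of this webhook entry (rules, clientConfig) is outside the hunk.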
@@ -4,16 +4,14 @@ metadata: name: knative-serving labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: knative-serving-aggregated-addressable-resolver labels: - serving.knative.dev/release: "v1.2.5" - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving aggregationRule: clusterRoleSelectors: @@ -25,8 +23,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: knative-serving-addressable-resolver labels: - serving.knative.dev/release: "v1.2.5" - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving duck.knative.dev/addressable: "true" rules: @@ -48,8 +45,7 @@ metadata: name: knative-serving-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - serving.knative.dev/release: "v1.2.5" - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving rules: - apiGroups: ["serving.knative.dev"] @@ -65,8 +61,7 @@ metadata: name: knative-serving-namespaced-edit labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" - serving.knative.dev/release: "v1.2.5" - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving rules: - apiGroups: ["serving.knative.dev"] @@ -82,8 +77,7 @@ metadata: name: knative-serving-namespaced-view labels: rbac.authorization.k8s.io/aggregate-to-view: "true" - serving.knative.dev/release: "v1.2.5" - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving rules: - apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev", "caching.internal.knative.dev"] 
@@ -96,8 +90,7 @@ metadata: name: knative-serving-core labels: serving.knative.dev/controller: "true" - serving.knative.dev/release: "v1.2.5" - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving rules: - apiGroups: [""] @@ -136,8 +129,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: knative-serving-podspecable-binding labels: - serving.knative.dev/release: "v1.2.5" - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving duck.knative.dev/podspecable: "true" rules: @@ -159,8 +151,7 @@ metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -168,8 +159,7 @@ metadata: name: knative-serving-admin labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" aggregationRule: clusterRoleSelectors: - matchLabels: @@ -182,8 +172,7 @@ metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" subjects: - kind: ServiceAccount name: controller @@ -200,8 +189,7 @@ metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" subjects: - kind: ServiceAccount name: controller 
@@ -217,7 +205,7 @@ metadata: name: images.caching.internal.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" knative.dev/crd-install: "true" spec: group: caching.internal.knative.dev @@ -228,8 +216,6 @@ spec: categories: - knative-internal - caching - shortNames: - - img scope: Namespaced versions: - name: v1alpha1 
@@ -239,8 +225,81 @@ spec: status: {} schema: openAPIV3Schema: + description: Image is a Knative abstraction that encapsulates the interface by which Knative components express a desire to have a particular image cached. type: object - x-kubernetes-preserve-unknown-fields: true + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the Image (from the client). + type: object + required: + - image + properties: + image: + description: Image is the name of the container image url to cache across the cluster. + type: string + imagePullSecrets: + description: ImagePullSecrets contains the names of the Kubernetes Secrets containing login information used by the Pods which will run this container. + type: array + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + x-kubernetes-map-type: atomic + serviceAccountName: + description: 'ServiceAccountName is the name of the Kubernetes ServiceAccount as which the Pods will run this container. 
This is potentially used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account' + type: string + status: + description: Status communicates the observed state of the Image (from the controller). + type: object + properties: + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. 
+ type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64 additionalPrinterColumns: - name: Image type: string @@ -252,8 +311,8 @@ metadata: name: certificates.networking.internal.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/component: networking + app.kubernetes.io/version: "1.8.0" knative.dev/crd-install: "true" spec: group: networking.internal.knative.dev 
@@ -265,8 +324,99 @@ spec: status: {} schema: openAPIV3Schema: + description: Certificate is responsible for provisioning a SSL certificate for the given hosts. It is a Knative abstraction for various SSL certificate provisioning solutions (such as cert-manager or self-signed SSL certificate). type: object - x-kubernetes-preserve-unknown-fields: true + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Spec is the desired state of the Certificate. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + required: + - dnsNames + - secretName + properties: + dnsNames: + description: DNSNames is a list of DNS names the Certificate could support. The wildcard format of DNSNames (e.g. *.default.example.com) is supported. + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret resource to store the SSL certificate in. + type: string + status: + description: 'Status is the current state of the Certificate. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + properties: + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + http01Challenges: + description: HTTP01Challenges is a list of HTTP01 challenges that need to be fulfilled in order to get the TLS certificate.. + type: array + items: + description: HTTP01Challenge defines the status of a HTTP01 challenge that a certificate needs to fulfill. 
+ type: object + properties: + serviceName: + description: ServiceName is the name of the service to serve HTTP01 challenge requests. + type: string + serviceNamespace: + description: ServiceNamespace is the namespace of the service to serve HTTP01 challenge requests. + type: string + servicePort: + description: ServicePort is the port of the service to serve HTTP01 challenge requests. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + url: + description: URL is the URL that the HTTP01 challenge is expected to serve on. + type: string + notAfter: + description: The expiration time of the TLS certificate stored in the secret named by this resource in spec.secretName. + type: string + format: date-time + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64 additionalPrinterColumns: - name: Ready type: string @@ -291,8 +441,7 @@ metadata: name: configurations.serving.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" knative.dev/crd-install: "true" duck.knative.dev/podspecable: "true" spec: @@ -375,6 +524,10 @@ spec: required: - containers properties: + affinity: + description: This is accessible behind a feature flag - kubernetes.podspec-affinity + type: object + x-kubernetes-preserve-unknown-fields: true automountServiceAccountToken: description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. type: boolean 
@@ -390,12 +543,12 @@ spec: type: object properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: 'Arguments to the entrypoint. The container image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' type: array items: type: string command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. 
Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: 'Entrypoint array. Not executed within a shell. The container image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' type: array items: type: string @@ -433,6 +586,17 @@ spec: optional: description: Specify whether the ConfigMap or its key must be defined type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + resourceFieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace type: object 
@@ -448,7 +612,7 @@ spec: optional: description: Specify whether the Secret or its key must be defined type: boolean - x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic envFrom: description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. type: array @@ -466,6 +630,7 @@ spec: optional: description: Specify whether the ConfigMap must be defined type: boolean + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string @@ -479,8 +644,9 @@ spec: optional: description: Specify whether the Secret must be defined type: boolean + x-kubernetes-map-type: atomic image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' 
@@ -490,7 +656,7 @@ spec: type: object properties: exec: - description: One and only one of the following should be specified. Exec specifies the action to take. + description: Exec specifies the action to take. type: object properties: command: @@ -528,10 +694,15 @@ spec: path: description: Path to access on the HTTP server. type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string - x-kubernetes-preserve-unknown-fields: true initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer @@ -545,13 +716,18 @@ spec: type: integer format: int32 tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + description: TCPSocket specifies an action involving a TCP port. type: object properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string - x-kubernetes-preserve-unknown-fields: true + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer 
@@ -560,7 +736,7 @@ spec: description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. type: string ports: - description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. + description: List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. type: array items: description: ContainerPort represents a network port in a single container. @@ -579,7 +755,6 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string default: TCP - x-kubernetes-preserve-unknown-fields: true x-kubernetes-list-map-keys: - containerPort - protocol @@ -589,7 +764,7 @@ spec: type: object properties: exec: - description: One and only one of the following should be specified. Exec specifies the action to take. + description: Exec specifies the action to take. type: object properties: command: 
@@ -627,10 +802,15 @@ spec: path: description: Path to access on the HTTP server. type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string - x-kubernetes-preserve-unknown-fields: true initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer @@ -644,13 +824,18 @@ spec: type: integer format: int32 tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + description: TCPSocket specifies an action involving a TCP port. type: object properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string - x-kubernetes-preserve-unknown-fields: true + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer 
@@ -681,25 +866,39 @@ spec: description: 'SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' type: object properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.' + type: boolean capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. + description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows. type: object properties: + add: + description: This is accessible behind a feature flag - kubernetes.containerspec-addcapabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string drop: description: Removed capabilities type: array items: description: Capability represent POSIX capabilities type type: string - x-kubernetes-preserve-unknown-fields: true readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. + description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. 
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. type: integer format: int64 - x-kubernetes-preserve-unknown-fields: true terminationMessagePath: description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' type: string 
@@ -731,12 +930,29 @@ spec: workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string - x-kubernetes-preserve-unknown-fields: true + dnsConfig: + description: This is accessible behind a feature flag - kubernetes.podspec-dnsconfig + type: object + x-kubernetes-preserve-unknown-fields: true + dnsPolicy: + description: This is accessible behind a feature flag - kubernetes.podspec-dnspolicy + type: string enableServiceLinks: - description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Defaults to true.' + description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.' type: boolean + hostAliases: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: object + x-kubernetes-preserve-unknown-fields: true + idleTimeoutSeconds: + description: IdleTimeoutSeconds is the maximum duration in seconds a request will be allowed to stay open while not receiving any bytes from the user's application. If unspecified, a system default will be provided. + type: integer + format: int64 imagePullSecrets: - description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. 
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' type: array items: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. 
@@ -745,13 +961,60 @@ spec: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string + x-kubernetes-map-type: atomic + initContainers: + description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-init-containers + type: object + x-kubernetes-preserve-unknown-fields: true + nodeSelector: + description: This is accessible behind a feature flag - kubernetes.podspec-nodeselector + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + priorityClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-priorityclassname + type: string + x-kubernetes-preserve-unknown-fields: true + responseStartTimeoutSeconds: + description: ResponseStartTimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin sending any network traffic. 
+ type: integer + format: int64 + runtimeClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname + type: string + x-kubernetes-preserve-unknown-fields: true + schedulerName: + description: This is accessible behind a feature flag - kubernetes.podspec-schedulername + type: string + x-kubernetes-preserve-unknown-fields: true + securityContext: + description: This is accessible behind a feature flag - kubernetes.podspec-securitycontext + type: object + x-kubernetes-preserve-unknown-fields: true serviceAccountName: description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' type: string timeoutSeconds: - description: TimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin replying (send network traffic). If unspecified, a system default will be provided. + description: TimeoutSeconds is the maximum duration in seconds that the request instance is allowed to respond to a request. If unspecified, a system default will be provided. type: integer format: int64 + tolerations: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: object + x-kubernetes-preserve-unknown-fields: true + topologySpreadConstraints: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: object + x-kubernetes-preserve-unknown-fields: true volumes: description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' type: array 
@@ -762,15 +1025,15 @@ spec: - name properties: configMap: - description: ConfigMap represents a configMap that should populate this volume + description: configMap represents a configMap that should populate this volume type: object properties: defaultMode: - description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. 
If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. type: array items: description: Maps a string key to a path within a volume. 
@@ -780,45 +1043,54 @@ spec: - path properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string optional: - description: Specify whether the ConfigMap or its keys must be defined + description: optional specify whether the ConfigMap or its keys must be defined type: boolean + x-kubernetes-map-type: atomic + emptyDir: + description: This is accessible behind a feature flag - kubernetes.podspec-emptydir + type: object + x-kubernetes-preserve-unknown-fields: true name: - description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string + persistentVolumeClaim: + description: This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim + type: object + x-kubernetes-preserve-unknown-fields: true projected: - description: Items for all in one resources secrets, configmaps, and downward API + description: projected items for all in one resources secrets, configmaps, and downward API type: object properties: defaultMode: - description: Mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. + description: defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. 
This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. type: integer format: int32 sources: - description: list of volume projections + description: sources is the list of volume projections type: array items: description: Projection that may be projected along with other supported volume types type: object properties: configMap: - description: information about the configMap data to project + description: configMap information about the configMap data to project type: object properties: items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. type: array items: description: Maps a string key to a path within a volume. 
@@ -828,27 +1100,28 @@ spec: - path properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string optional: - description: Specify whether the ConfigMap or its keys must be defined + description: optional specify whether the ConfigMap or its keys must be defined type: boolean + x-kubernetes-map-type: atomic secret: - description: information about the secret data to project + description: secret information about the secret data to project type: object properties: items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + description: items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. type: array items: description: Maps a string key to a path within a volume. 
@@ -858,47 +1131,48 @@ spec: - path properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string optional: - description: Specify whether the Secret or its key must be defined + description: optional field specify whether the Secret or its key must be defined type: boolean + x-kubernetes-map-type: atomic serviceAccountToken: - description: information about the serviceAccountToken data to project + description: serviceAccountToken is information about the serviceAccountToken data to project type: object required: - path properties: audience: - description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. + description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. type: string expirationSeconds: - description: ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. + description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. type: integer format: int64 path: - description: Path is the path relative to the mount point of the file to project the token into. 
+ description: path is the path relative to the mount point of the file to project the token into. type: string secret: - description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: object properties: defaultMode: - description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. 
+ description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. type: array items: description: Maps a string key to a path within a volume. 
@@ -908,23 +1182,21 @@ spec: - path properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string optional: - description: Specify whether the Secret or its keys must be defined + description: optional field specify whether the Secret or its keys must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: 'secretName is the name of the secret in the pod''s namespace to use. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-preserve-unknown-fields: true status: description: ConfigurationStatus communicates the observed state of the Configuration (from the controller). type: object @@ -947,7 +1219,6 @@ spec: lastTransitionTime: description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). type: string - format: date-time message: description: A human readable message indicating details about the transition. type: string @@ -980,8 +1251,8 @@ metadata: name: clusterdomainclaims.networking.internal.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/component: networking + app.kubernetes.io/version: "1.8.0" knative.dev/crd-install: "true" spec: group: networking.internal.knative.dev 
@@ -993,8 +1264,26 @@ spec: status: {} schema: openAPIV3Schema: + description: ClusterDomainClaim is a cluster-wide reservation for a particular domain name. type: object - x-kubernetes-preserve-unknown-fields: true + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Spec is the desired state of the ClusterDomainClaim. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + required: + - namespace + properties: + namespace: + description: Namespace is the namespace which is allowed to create a DomainMapping using this ClusterDomainClaim's name. + type: string names: kind: ClusterDomainClaim plural: clusterdomainclaims @@ -1012,8 +1301,7 @@ metadata: name: domainmappings.serving.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" knative.dev/crd-install: "true" spec: group: serving.knative.dev 
@@ -1111,7 +1399,6 @@ spec: lastTransitionTime: description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). type: string - format: date-time message: description: A human readable message indicating details about the transition. type: string @@ -1217,7 +1504,6 @@ spec: lastTransitionTime: description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). type: string - format: date-time message: description: A human readable message indicating details about the transition. type: string @@ -1268,8 +1554,8 @@ metadata: name: ingresses.networking.internal.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/component: networking + app.kubernetes.io/version: "1.8.0" knative.dev/crd-install: "true" spec: group: networking.internal.knative.dev 
@@ -1281,8 +1567,212 @@ spec: status: {} schema: openAPIV3Schema: + description: "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable URLs, load balance traffic, offer name based virtual hosting, etc. \n This is heavily based on K8s Ingress https://godoc.org/k8s.io/api/networking/v1beta1#Ingress which some highlighted modifications." type: object - x-kubernetes-preserve-unknown-fields: true + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Spec is the desired state of the Ingress. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + properties: + httpOption: + description: 'HTTPOption is the option of HTTP. It has the following two values: `HTTPOptionEnabled`, `HTTPOptionRedirected`' + type: string + rules: + description: A list of host rules used to configure the Ingress. + type: array + items: + description: IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue. 
+ type: object + properties: + hosts: + description: 'Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently a rule value can only apply to the IP in the Spec of the parent . 2. The `:` delimiter is not respected because ports are not allowed. Currently the port of an Ingress is implicitly :80 for http and :443 for https. Both these may change in the future. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue. If multiple matching Hosts were provided, the first rule will take precedent.' + type: array + items: + type: string + http: + description: HTTP represents a rule to apply against incoming requests. If the rule is satisfied, the request is routed to the specified backend. + type: object + required: + - paths + properties: + paths: + description: "A collection of paths that map requests to backends. \n If they are multiple matching paths, the first match takes precedence." + type: array + items: + description: HTTPIngressPath associates a path regex with a backend. Incoming URLs matching the path are forwarded to the backend. + type: object + required: + - splits + properties: + appendHeaders: + description: "AppendHeaders allow specifying additional HTTP headers to add before forwarding a request to the destination service. \n NOTE: This differs from K8s Ingress which doesn't allow header appending." + type: object + additionalProperties: + type: string + headers: + description: Headers defines header matching rules which is a map from a header name to HeaderMatch which specify a matching condition. When a request matched with all the header matching rules, the request is routed by the corresponding ingress rule. 
If it is empty, the headers are not used for matching + type: object + additionalProperties: + description: HeaderMatch represents a matching value of Headers in HTTPIngressPath. Currently, only the exact matching is supported. + type: object + required: + - exact + properties: + exact: + type: string + path: + description: Path represents a literal prefix to which this rule should apply. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/'. If unspecified, the path defaults to a catch all sending traffic to the backend. + type: string + rewriteHost: + description: "RewriteHost rewrites the incoming request's host header. \n This field is currently experimental and not supported by all Ingress implementations." + type: string + splits: + description: Splits defines the referenced service endpoints to which the traffic will be forwarded to. + type: array + items: + description: IngressBackendSplit describes all endpoints for a given service and port. + type: object + required: + - serviceName + - serviceNamespace + - servicePort + properties: + appendHeaders: + description: "AppendHeaders allow specifying additional HTTP headers to add before forwarding a request to the destination service. \n NOTE: This differs from K8s Ingress which doesn't allow header appending." + type: object + additionalProperties: + type: string + percent: + description: "Specifies the split percentage, a number between 0 and 100. If only one split is specified, we default to 100. \n NOTE: This differs from K8s Ingress to allow percentage split." + type: integer + serviceName: + description: Specifies the name of the referenced service. + type: string + serviceNamespace: + description: "Specifies the namespace of the referenced service. \n NOTE: This differs from K8s Ingress to allow routing to different namespaces." 
+ type: string + servicePort: + description: Specifies the port of the referenced service. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + visibility: + description: Visibility signifies whether this rule should `ClusterLocal`. If it's not specified then it defaults to `ExternalIP`. + type: string + tls: + description: 'TLS configuration. Currently Ingress only supports a single TLS port: 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.' + type: array + items: + description: IngressTLS describes the transport layer security associated with an Ingress. + type: object + properties: + hosts: + description: Hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified. + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to terminate SSL traffic. + type: string + secretNamespace: + description: SecretNamespace is the namespace of the secret used to terminate SSL traffic. If not set the namespace should be assumed to be the same as the Ingress. If set the secret should have the same namespace as the Ingress otherwise the behaviour is undefined and not supported. + type: string + status: + description: 'Status is the current state of the Ingress. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + properties: + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. 
This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64 + privateLoadBalancer: + description: PrivateLoadBalancer contains the current status of the load-balancer. + type: object + properties: + ingress: + description: Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points. 
+ type: array + items: + description: 'LoadBalancerIngressStatus represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.' + type: object + properties: + domain: + description: Domain is set for load-balancer ingress points that are DNS based (typically AWS load-balancers) + type: string + domainInternal: + description: "DomainInternal is set if there is a cluster-local DNS name to access the Ingress. \n NOTE: This differs from K8s Ingress, since we also desire to have a cluster-local DNS name to allow routing in case of not having a mesh." + type: string + ip: + description: IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers) + type: string + meshOnly: + description: MeshOnly is set if the Ingress is only load-balanced through a Service mesh. + type: boolean + publicLoadBalancer: + description: PublicLoadBalancer contains the current status of the load-balancer. + type: object + properties: + ingress: + description: Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points. + type: array + items: + description: 'LoadBalancerIngressStatus represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.' + type: object + properties: + domain: + description: Domain is set for load-balancer ingress points that are DNS based (typically AWS load-balancers) + type: string + domainInternal: + description: "DomainInternal is set if there is a cluster-local DNS name to access the Ingress. \n NOTE: This differs from K8s Ingress, since we also desire to have a cluster-local DNS name to allow routing in case of not having a mesh." 
+ type: string + ip: + description: IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers) + type: string + meshOnly: + description: MeshOnly is set if the Ingress is only load-balanced through a Service mesh. + type: boolean additionalPrinterColumns: - name: Ready type: string @@ -1308,8 +1798,7 @@ metadata: name: metrics.autoscaling.internal.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" knative.dev/crd-install: "true" spec: group: autoscaling.internal.knative.dev @@ -1388,7 +1877,6 @@ spec: lastTransitionTime: description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). type: string - format: date-time message: description: A human readable message indicating details about the transition. type: string @@ -1415,8 +1903,7 @@ metadata: name: podautoscalers.autoscaling.internal.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" knative.dev/crd-install: "true" spec: group: autoscaling.internal.knative.dev 
@@ -1452,7 +1939,7 @@ spec: jsonPath: ".status.conditions[?(@.type=='Ready')].reason" schema: openAPIV3Schema: - description: 'PodAutoscaler is a Knative abstraction that encapsulates the interface by which Knative components instantiate autoscalers. This definition is an abstraction that may be backed by multiple definitions. For more information, see the Knative Pluggability presentation: https://docs.google.com/presentation/d/10KWynvAJYuOEWy69VBa6bHJVCqIsz1TNdEKosNvcpPY/edit' + description: 'PodAutoscaler is a Knative abstraction that encapsulates the interface by which Knative components instantiate autoscalers. This definition is an abstraction that may be backed by multiple definitions. For more information, see the Knative Pluggability presentation: https://docs.google.com/presentation/d/19vW9HFZ6Puxt31biNZF3uLRejDmu82rxJIk1cWmxF7w/edit' type: object properties: apiVersion: @@ -1493,6 +1980,7 @@ spec: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string + x-kubernetes-map-type: atomic status: description: Status communicates the observed state of the PodAutoscaler (from the controller). type: object @@ -1522,7 +2010,6 @@ spec: lastTransitionTime: description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). type: string - format: date-time message: description: A human readable message indicating details about the transition. type: string @@ -1559,8 +2046,7 @@ metadata: name: revisions.serving.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" knative.dev/crd-install: "true" spec: group: serving.knative.dev 
@@ -1622,6 +2108,10 @@ spec: required: - containers properties: + affinity: + description: This is accessible behind a feature flag - kubernetes.podspec-affinity + type: object + x-kubernetes-preserve-unknown-fields: true automountServiceAccountToken: description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. type: boolean 
@@ -1637,12 +2127,12 @@ spec: type: object properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: 'Arguments to the entrypoint. The container image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' type: array items: type: string command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. 
Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: 'Entrypoint array. Not executed within a shell. The container image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' type: array items: type: string @@ -1680,6 +2170,17 @@ spec: optional: description: Specify whether the ConfigMap or its key must be defined type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + resourceFieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace type: object 
@@ -1695,7 +2196,7 @@ spec: optional: description: Specify whether the Secret or its key must be defined type: boolean - x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic envFrom: description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. type: array @@ -1713,6 +2214,7 @@ spec: optional: description: Specify whether the ConfigMap must be defined type: boolean + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string @@ -1726,8 +2228,9 @@ spec: optional: description: Specify whether the Secret must be defined type: boolean + x-kubernetes-map-type: atomic image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' 
@@ -1737,7 +2240,7 @@ spec: type: object properties: exec: - description: One and only one of the following should be specified. Exec specifies the action to take. + description: Exec specifies the action to take. type: object properties: command: @@ -1775,10 +2278,15 @@ spec: path: description: Path to access on the HTTP server. type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string - x-kubernetes-preserve-unknown-fields: true initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer @@ -1792,13 +2300,18 @@ spec: type: integer format: int32 tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + description: TCPSocket specifies an action involving a TCP port. type: object properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string - x-kubernetes-preserve-unknown-fields: true + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer 
@@ -1807,7 +2320,7 @@ spec: description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. type: string ports: - description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. + description: List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. type: array items: description: ContainerPort represents a network port in a single container. @@ -1826,7 +2339,6 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string default: TCP - x-kubernetes-preserve-unknown-fields: true x-kubernetes-list-map-keys: - containerPort - protocol @@ -1836,7 +2348,7 @@ spec: type: object properties: exec: - description: One and only one of the following should be specified. Exec specifies the action to take. + description: Exec specifies the action to take. type: object properties: command: 
@@ -1874,10 +2386,15 @@ spec: path: description: Path to access on the HTTP server. type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string - x-kubernetes-preserve-unknown-fields: true initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer @@ -1891,13 +2408,18 @@ spec: type: integer format: int32 tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + description: TCPSocket specifies an action involving a TCP port. type: object properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string - x-kubernetes-preserve-unknown-fields: true + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer 
@@ -1928,25 +2450,39 @@ spec: description: 'SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' type: object properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.' + type: boolean capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. + description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows. type: object properties: + add: + description: This is accessible behind a feature flag - kubernetes.containerspec-addcapabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string drop: description: Removed capabilities type: array items: description: Capability represent POSIX capabilities type type: string - x-kubernetes-preserve-unknown-fields: true readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. + description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. 
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. type: integer format: int64 - x-kubernetes-preserve-unknown-fields: true terminationMessagePath: description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' type: string 
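Review bot: The new `capabilities.add` list in the container `securityContext` schema is only described as "accessible behind a feature flag - kubernetes.containerspec-addcapabilities"; the schema itself admits any string (`type: array`, `items: type: string`, no enum), so presumably the Knative admission webhook reading config-features is the only thing stopping a Revision from requesting e.g. `NET_ADMIN` or `SYS_ADMIN`. The same applies to the `affinity`, `fieldRef`/`resourceFieldRef`, `dnsConfig` and `hostAliases` fields added elsewhere in this diff, which carry the matching `kubernetes.podspec-*` flag wording and are `x-kubernetes-preserve-unknown-fields: true`. Since this file looks upstream-generated I would not edit the schema, but the PR should confirm that the config-features ConfigMap shipped alongside it leaves those keys at their disabled defaults (or pins them explicitly), and that a restricted Pod Security Admission or policy-engine rule still covers the pods Knative creates, because the newly settable `allowPrivilegeEscalation`, `runAsNonRoot` and `runAsGroup` fields have no defaults here and only help when a workload opts in. The enclosing `revisions.serving.knative.dev` schema starts and ends outside this hunk.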
@@ -1978,12 +2514,29 @@ spec:
 workingDir:
 description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.
 type: string
- x-kubernetes-preserve-unknown-fields: true
+ dnsConfig:
+ description: This is accessible behind a feature flag - kubernetes.podspec-dnsconfig
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ dnsPolicy:
+ description: This is accessible behind a feature flag - kubernetes.podspec-dnspolicy
+ type: string
 enableServiceLinks:
- description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Defaults to true.'
+ description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.'
 type: boolean
+ hostAliases:
+ description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases
+ type: array
+ items:
+ description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ idleTimeoutSeconds:
+ description: IdleTimeoutSeconds is the maximum duration in seconds a request will be allowed to stay open while not receiving any bytes from the user's application. If unspecified, a system default will be provided.
+ type: integer
+ format: int64
 imagePullSecrets:
- description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod'
+ description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod'
 type: array
 items:
 description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
@@ -1992,13 +2545,60 @@ spec:
 name:
 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
 type: string
+ x-kubernetes-map-type: atomic
+ initContainers:
+ description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/'
+ type: array
+ items:
+ description: This is accessible behind a feature flag - kubernetes.podspec-init-containers
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ nodeSelector:
+ description: This is accessible behind a feature flag - kubernetes.podspec-nodeselector
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ x-kubernetes-map-type: atomic
+ priorityClassName:
+ description: This is accessible behind a feature flag - kubernetes.podspec-priorityclassname
+ type: string
+ x-kubernetes-preserve-unknown-fields: true
+ responseStartTimeoutSeconds:
+ description: ResponseStartTimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin sending any network traffic.
+ type: integer
+ format: int64
+ runtimeClassName:
+ description: This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname
+ type: string
+ x-kubernetes-preserve-unknown-fields: true
+ schedulerName:
+ description: This is accessible behind a feature flag - kubernetes.podspec-schedulername
+ type: string
+ x-kubernetes-preserve-unknown-fields: true
+ securityContext:
+ description: This is accessible behind a feature flag - kubernetes.podspec-securitycontext
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
 serviceAccountName:
 description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/'
 type: string
 timeoutSeconds:
- description: TimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin replying (send network traffic). If unspecified, a system default will be provided.
+ description: TimeoutSeconds is the maximum duration in seconds that the request instance is allowed to respond to a request. If unspecified, a system default will be provided.
 type: integer
 format: int64
+ tolerations:
+ description: This is accessible behind a feature flag - kubernetes.podspec-tolerations
+ type: array
+ items:
+ description: This is accessible behind a feature flag - kubernetes.podspec-tolerations
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ topologySpreadConstraints:
+ description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints
+ type: array
+ items:
+ description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
 volumes:
 description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes'
 type: array
@@ -2009,15 +2609,15 @@ spec:
 - name
 properties:
 configMap:
- description: ConfigMap represents a configMap that should populate this volume
+ description: configMap represents a configMap that should populate this volume
 type: object
 properties:
 defaultMode:
- description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
+ description: 'defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
 type: integer
 format: int32
 items:
- description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
+ description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
 type: array
 items:
 description: Maps a string key to a path within a volume.
@@ -2027,45 +2627,54 @@ spec:
 - path
 properties:
 key:
- description: The key to project.
+ description: key is the key to project.
 type: string
 mode:
- description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
+ description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
 type: integer
 format: int32
 path:
- description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.
+ description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.
 type: string
 name:
 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
 type: string
 optional:
- description: Specify whether the ConfigMap or its keys must be defined
+ description: optional specify whether the ConfigMap or its keys must be defined
 type: boolean
+ x-kubernetes-map-type: atomic
+ emptyDir:
+ description: This is accessible behind a feature flag - kubernetes.podspec-emptydir
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
 name:
- description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
 type: string
+ persistentVolumeClaim:
+ description: This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
 projected:
- description: Items for all in one resources secrets, configmaps, and downward API
+ description: projected items for all in one resources secrets, configmaps, and downward API
 type: object
 properties:
 defaultMode:
- description: Mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
+ description: defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
 type: integer
 format: int32
 sources:
- description: list of volume projections
+ description: sources is the list of volume projections
 type: array
 items:
 description: Projection that may be projected along with other supported volume types
 type: object
 properties:
 configMap:
- description: information about the configMap data to project
+ description: configMap information about the configMap data to project
 type: object
 properties:
 items:
- description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
+ description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
 type: array
 items:
 description: Maps a string key to a path within a volume.
@@ -2075,27 +2684,28 @@ spec:
 - path
 properties:
 key:
- description: The key to project.
+ description: key is the key to project.
 type: string
 mode:
- description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
+ description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
 type: integer
 format: int32
 path:
- description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.
+ description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.
 type: string
 name:
 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
 type: string
 optional:
- description: Specify whether the ConfigMap or its keys must be defined
+ description: optional specify whether the ConfigMap or its keys must be defined
 type: boolean
+ x-kubernetes-map-type: atomic
 secret:
- description: information about the secret data to project
+ description: secret information about the secret data to project
 type: object
 properties:
 items:
- description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
+ description: items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
 type: array
 items:
 description: Maps a string key to a path within a volume.
@@ -2105,47 +2715,48 @@ spec:
 - path
 properties:
 key:
- description: The key to project.
+ description: key is the key to project.
 type: string
 mode:
- description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
+ description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
 type: integer
 format: int32
 path:
- description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.
+ description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.
 type: string
 name:
 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
 type: string
 optional:
- description: Specify whether the Secret or its key must be defined
+ description: optional field specify whether the Secret or its key must be defined
 type: boolean
+ x-kubernetes-map-type: atomic
 serviceAccountToken:
- description: information about the serviceAccountToken data to project
+ description: serviceAccountToken is information about the serviceAccountToken data to project
 type: object
 required:
 - path
 properties:
 audience:
- description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.
+ description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.
 type: string
 expirationSeconds:
- description: ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.
+ description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.
 type: integer
 format: int64
 path:
- description: Path is the path relative to the mount point of the file to project the token into.
+ description: path is the path relative to the mount point of the file to project the token into.
 type: string
 secret:
- description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
+ description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
 type: object
 properties:
 defaultMode:
- description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
+ description: 'defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
 type: integer
 format: int32
 items:
- description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
+ description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
 type: array
 items:
 description: Maps a string key to a path within a volume.
@@ -2155,23 +2766,21 @@ spec:
 - path
 properties:
 key:
- description: The key to project.
+ description: key is the key to project.
 type: string
 mode:
- description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
+ description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'
 type: integer
 format: int32
 path:
- description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.
+ description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.
 type: string
 optional:
- description: Specify whether the Secret or its keys must be defined
+ description: optional field specify whether the Secret or its keys must be defined
 type: boolean
 secretName:
- description: 'Name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
+ description: 'secretName is the name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
 type: string
- x-kubernetes-preserve-unknown-fields: true
- x-kubernetes-preserve-unknown-fields: true
 status:
 description: RevisionStatus communicates the observed state of the Revision (from the controller).
 type: object
@@ -2198,7 +2807,6 @@ spec:
 lastTransitionTime:
 description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
 type: string
- format: date-time
 message:
 description: A human readable message indicating details about the transition.
 type: string
@@ -2254,8 +2862,7 @@ metadata:
 name: routes.serving.knative.dev
 labels:
 app.kubernetes.io/name: knative-serving
- app.kubernetes.io/version: "1.2.5"
- serving.knative.dev/release: "v1.2.5"
+ app.kubernetes.io/version: "1.8.0"
 knative.dev/crd-install: "true"
 duck.knative.dev/addressable: "true"
 spec:
@@ -2318,7 +2925,7 @@ spec:
 description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty.
 type: boolean
 percent:
- description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration'
+ description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration'
 type: integer
 format: int64
 revisionName:
@@ -2358,7 +2965,6 @@ spec:
 lastTransitionTime:
 description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
 type: string
- format: date-time
 message:
 description: A human readable message indicating details about the transition.
 type: string
@@ -2392,7 +2998,7 @@ spec:
 description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty.
 type: boolean
 percent:
- description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration'
+ description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration'
 type: integer
 format: int64
 revisionName:
@@ -2414,8 +3020,8 @@ metadata:
 name: serverlessservices.networking.internal.knative.dev
 labels:
 app.kubernetes.io/name: knative-serving
- app.kubernetes.io/version: "1.2.5"
- serving.knative.dev/release: "v1.2.5"
+ app.kubernetes.io/component: networking
+ app.kubernetes.io/version: "1.8.0"
 knative.dev/crd-install: "true"
 spec:
 group: networking.internal.knative.dev
@@ -2427,8 +3033,107 @@ spec: status: {} schema: openAPIV3Schema: + description: 'ServerlessService is a proxy for the K8s service objects containing the endpoints for the revision, whether those are endpoints of the activator or revision pods. See: https://knative.page.link/naxz for details.' type: object - x-kubernetes-preserve-unknown-fields: true + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Spec is the desired state of the ServerlessService. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + required: + - objectRef + - protocolType + properties: + mode: + description: Mode describes the mode of operation of the ServerlessService. + type: string + numActivators: + description: NumActivators contains number of Activators that this revision should be assigned. O means — assign all. + type: integer + format: int32 + objectRef: + description: ObjectRef defines the resource that this ServerlessService is responsible for making "serverless". + type: object + properties: + apiVersion: + description: API version of the referent. 
+ type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + x-kubernetes-map-type: atomic + protocolType: + description: The application-layer protocol. Matches `RevisionProtocolType` set on the owning pa/revision. serving imports networking, so just use string. + type: string + status: + description: 'Status is the current state of the ServerlessService. 
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + properties: + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. 
+ type: integer + format: int64 + privateServiceName: + description: PrivateServiceName holds the name of a core K8s Service resource that load balances over the user service pods backing this Revision. + type: string + serviceName: + description: ServiceName holds the name of a core K8s Service resource that load balances over the pods backing this Revision (activator or revision). + type: string additionalPrinterColumns: - name: Mode type: string @@ -2465,8 +3170,7 @@ metadata: name: services.serving.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" duck.knative.dev/podspecable: "true" @@ -2553,6 +3257,10 @@ spec: required: - containers properties: + affinity: + description: This is accessible behind a feature flag - kubernetes.podspec-affinity + type: object + x-kubernetes-preserve-unknown-fields: true automountServiceAccountToken: description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. type: boolean 
@@ -2568,12 +3276,12 @@ spec: type: object properties: args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: 'Arguments to the entrypoint. The container image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' type: array items: type: string command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. 
Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: 'Entrypoint array. Not executed within a shell. The container image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' type: array items: type: string @@ -2611,6 +3319,17 @@ spec: optional: description: Specify whether the ConfigMap or its key must be defined type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + resourceFieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace type: object 
@@ -2626,7 +3345,7 @@ spec: optional: description: Specify whether the Secret or its key must be defined type: boolean - x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic envFrom: description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. type: array @@ -2644,6 +3363,7 @@ spec: optional: description: Specify whether the ConfigMap must be defined type: boolean + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string @@ -2657,8 +3377,9 @@ spec: optional: description: Specify whether the Secret must be defined type: boolean + x-kubernetes-map-type: atomic image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' 
@@ -2668,7 +3389,7 @@ spec: type: object properties: exec: - description: One and only one of the following should be specified. Exec specifies the action to take. + description: Exec specifies the action to take. type: object properties: command: @@ -2706,10 +3427,15 @@ spec: path: description: Path to access on the HTTP server. type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string - x-kubernetes-preserve-unknown-fields: true initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer @@ -2723,13 +3449,18 @@ spec: type: integer format: int32 tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + description: TCPSocket specifies an action involving a TCP port. type: object properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string - x-kubernetes-preserve-unknown-fields: true + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer 
@@ -2738,7 +3469,7 @@ spec: description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. type: string ports: - description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. + description: List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. type: array items: description: ContainerPort represents a network port in a single container. @@ -2757,7 +3488,6 @@ spec: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string default: TCP - x-kubernetes-preserve-unknown-fields: true x-kubernetes-list-map-keys: - containerPort - protocol @@ -2767,7 +3497,7 @@ spec: type: object properties: exec: - description: One and only one of the following should be specified. Exec specifies the action to take. + description: Exec specifies the action to take. type: object properties: command: 
@@ -2805,10 +3535,15 @@ spec: path: description: Path to access on the HTTP server. type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string - x-kubernetes-preserve-unknown-fields: true initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer @@ -2822,13 +3557,18 @@ spec: type: integer format: int32 tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + description: TCPSocket specifies an action involving a TCP port. type: object properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string - x-kubernetes-preserve-unknown-fields: true + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' type: integer 
@@ -2859,25 +3599,39 @@ spec: description: 'SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' type: object properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.' + type: boolean capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. + description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows. type: object properties: + add: + description: This is accessible behind a feature flag - kubernetes.containerspec-addcapabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string drop: description: Removed capabilities type: array items: description: Capability represent POSIX capabilities type type: string - x-kubernetes-preserve-unknown-fields: true readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. + description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. 
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. type: integer format: int64 - x-kubernetes-preserve-unknown-fields: true terminationMessagePath: description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' type: string 
@@ -2909,12 +3663,29 @@ spec: workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string - x-kubernetes-preserve-unknown-fields: true + dnsConfig: + description: This is accessible behind a feature flag - kubernetes.podspec-dnsconfig + type: object + x-kubernetes-preserve-unknown-fields: true + dnsPolicy: + description: This is accessible behind a feature flag - kubernetes.podspec-dnspolicy + type: string enableServiceLinks: - description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Defaults to true.' + description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.' type: boolean + hostAliases: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: object + x-kubernetes-preserve-unknown-fields: true + idleTimeoutSeconds: + description: IdleTimeoutSeconds is the maximum duration in seconds a request will be allowed to stay open while not receiving any bytes from the user's application. If unspecified, a system default will be provided. + type: integer + format: int64 imagePullSecrets: - description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. 
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' type: array items: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. 
@@ -2923,13 +3694,60 @@ spec: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string + x-kubernetes-map-type: atomic + initContainers: + description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-init-containers + type: object + x-kubernetes-preserve-unknown-fields: true + nodeSelector: + description: This is accessible behind a feature flag - kubernetes.podspec-nodeselector + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + priorityClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-priorityclassname + type: string + x-kubernetes-preserve-unknown-fields: true + responseStartTimeoutSeconds: + description: ResponseStartTimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin sending any network traffic. 
+ type: integer + format: int64 + runtimeClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname + type: string + x-kubernetes-preserve-unknown-fields: true + schedulerName: + description: This is accessible behind a feature flag - kubernetes.podspec-schedulername + type: string + x-kubernetes-preserve-unknown-fields: true + securityContext: + description: This is accessible behind a feature flag - kubernetes.podspec-securitycontext + type: object + x-kubernetes-preserve-unknown-fields: true serviceAccountName: description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' type: string timeoutSeconds: - description: TimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin replying (send network traffic). If unspecified, a system default will be provided. + description: TimeoutSeconds is the maximum duration in seconds that the request instance is allowed to respond to a request. If unspecified, a system default will be provided. type: integer format: int64 + tolerations: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: object + x-kubernetes-preserve-unknown-fields: true + topologySpreadConstraints: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: object + x-kubernetes-preserve-unknown-fields: true volumes: description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' type: array 
@@ -2940,15 +3758,15 @@ spec: - name properties: configMap: - description: ConfigMap represents a configMap that should populate this volume + description: configMap represents a configMap that should populate this volume type: object properties: defaultMode: - description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. 
If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. type: array items: description: Maps a string key to a path within a volume. 
@@ -2958,45 +3776,54 @@ spec: - path properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string optional: - description: Specify whether the ConfigMap or its keys must be defined + description: optional specify whether the ConfigMap or its keys must be defined type: boolean + x-kubernetes-map-type: atomic + emptyDir: + description: This is accessible behind a feature flag - kubernetes.podspec-emptydir + type: object + x-kubernetes-preserve-unknown-fields: true name: - description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string + persistentVolumeClaim: + description: This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim + type: object + x-kubernetes-preserve-unknown-fields: true projected: - description: Items for all in one resources secrets, configmaps, and downward API + description: projected items for all in one resources secrets, configmaps, and downward API type: object properties: defaultMode: - description: Mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. + description: defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. 
This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. type: integer format: int32 sources: - description: list of volume projections + description: sources is the list of volume projections type: array items: description: Projection that may be projected along with other supported volume types type: object properties: configMap: - description: information about the configMap data to project + description: configMap information about the configMap data to project type: object properties: items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. type: array items: description: Maps a string key to a path within a volume. 
@@ -3006,27 +3833,28 @@ spec: - path properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string optional: - description: Specify whether the ConfigMap or its keys must be defined + description: optional specify whether the ConfigMap or its keys must be defined type: boolean + x-kubernetes-map-type: atomic secret: - description: information about the secret data to project + description: secret information about the secret data to project type: object properties: items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + description: items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. type: array items: description: Maps a string key to a path within a volume. 
@@ -3036,47 +3864,48 @@ spec: - path properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string optional: - description: Specify whether the Secret or its key must be defined + description: optional field specify whether the Secret or its key must be defined type: boolean + x-kubernetes-map-type: atomic serviceAccountToken: - description: information about the serviceAccountToken data to project + description: serviceAccountToken is information about the serviceAccountToken data to project type: object required: - path properties: audience: - description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. + description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. type: string expirationSeconds: - description: ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. + description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. type: integer format: int64 path: - description: Path is the path relative to the mount point of the file to project the token into. 
+ description: path is the path relative to the mount point of the file to project the token into. type: string secret: - description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: object properties: defaultMode: - description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. 
+ description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. type: array items: description: Maps a string key to a path within a volume. 
@@ -3086,23 +3915,21 @@ spec: - path properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' type: integer format: int32 path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string optional: - description: Specify whether the Secret or its keys must be defined + description: optional field specify whether the Secret or its keys must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: 'secretName is the name of the secret in the pod''s namespace to use. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-preserve-unknown-fields: true traffic: description: Traffic specifies how to distribute traffic over a collection of revisions and configurations. type: array @@ -3117,7 +3944,7 @@ spec: description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty. type: boolean percent: - description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' + description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' type: integer format: int64 revisionName: 
@@ -3157,7 +3984,6 @@ spec: lastTransitionTime: description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). type: string - format: date-time message: description: A human readable message indicating details about the transition. type: string @@ -3197,7 +4023,7 @@ spec: description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty. type: boolean percent: - description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' + description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' type: integer format: int64 revisionName: 
@@ -3213,6 +4039,21 @@ spec: description: URL holds the url that will distribute traffic over the provided traffic targets. It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix} type: string --- +apiVersion: v1 +kind: Secret +metadata: + name: serving-certs-ctrl-ca + namespace: knative-serving +--- +apiVersion: v1 +kind: Secret +metadata: + name: knative-serving-certs + namespace: knative-serving + labels: + serving-certs-ctrl: "data-plane" + networking.internal.knative.dev/certificate-uid: "serving-certs" +--- apiVersion: caching.internal.knative.dev/v1alpha1 kind: Image metadata: @@ -3221,10 +4062,9 @@ metadata: labels: app.kubernetes.io/component: queue-proxy app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: - image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:14415b204ea8d0567235143a6c3377f49cbd35f18dc84dfa4baa7695c2a9b53d + image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:505179c0c4892ea4a70e78bc52ac21b03cd7f1a763d2ecc78e7bbaa1ae59c86c --- apiVersion: v1 kind: ConfigMap @@ -3234,10 +4074,9 @@ metadata: labels: app.kubernetes.io/component: autoscaler app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" annotations: - knative.dev/example-checksum: "16af78ce" + knative.dev/example-checksum: "47c2487f" data: _example: | ################################ @@ -3312,7 +4151,7 @@ data: # -1 denotes unlimited target-burst-capacity and activator will always # be in the request path. # Other negative values are invalid. - target-burst-capacity: "200" + target-burst-capacity: "211" # When operating in a stable mode, the autoscaler operates on the # average concurrency over the stable window. 
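Review bot: The two Secret objects added in the `@@ -3213` hunk (`serving-certs-ctrl-ca` and `knative-serving-certs`) declare no `data`, and nothing on the page says who is expected to populate them, so a reader applying this manifest may take them for a misconfiguration or try to fill them in by hand. A one-line comment above each would settle that, e.g. `# Intentionally empty: presumably populated at runtime by the serving certificate controller (see the serving-certs-ctrl label) — do not add data here`. The image digest and `app.kubernetes.io/version` bumps in the following hunks on this line are upstream content and need no action.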
@@ -3431,10 +4270,9 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" annotations: - knative.dev/example-checksum: "a0feb4c6" + knative.dev/example-checksum: "e7973912" data: _example: | ################################ @@ -3466,6 +4304,18 @@ data: # should also be increased to prevent in-flight requests being disrupted. max-revision-timeout-seconds: "600" # 10 minutes + # revision-response-start-timeout-seconds contains the default number of + # seconds a request will be allowed to stay open while waiting to + # receive any bytes from the user's application, if none is specified. + # + # This defaults to 'revision-timeout-seconds' + revision-response-start-timeout-seconds: "300" + + # revision-idle-timeout-seconds contains the default number of + # seconds a request will be allowed to stay open while not receiving any + # bytes from the user's application, if none is specified. + revision-idle-timeout-seconds: "0" # infinite + # revision-cpu-request contains the cpu allocation to assign # to revisions by default. If omitted, no value is specified # and the system default is used. @@ -3560,12 +4410,11 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" annotations: knative.dev/example-checksum: "dd7ee769" data: - queueSidecarImage: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:14415b204ea8d0567235143a6c3377f49cbd35f18dc84dfa4baa7695c2a9b53d + queue-sidecar-image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:505179c0c4892ea4a70e78bc52ac21b03cd7f1a763d2ecc78e7bbaa1ae59c86c _example: |- ################################ # # 
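Review bot: The `config-deployment` key is renamed from `queueSidecarImage` to `queue-sidecar-image` in the `@@ -3560` hunk; any kustomize overlay or patch elsewhere in this repository that still sets `queueSidecarImage` would presumably keep applying without error while the controller reads only the new key, so a pinned queue-proxy digest would silently fall back to the vendored one. A repo-wide search for the old key before merging would close that gap. The new `revision-response-start-timeout-seconds` and `revision-idle-timeout-seconds` entries in the `@@ -3466` hunk sit inside the `_example` block and so change nothing until copied into `data`.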
@@ -3646,10 +4495,9 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" annotations: - knative.dev/example-checksum: "81552d0b" + knative.dev/example-checksum: "26c09de5" data: _example: | ################################ @@ -3668,16 +4516,6 @@ data: # to actually change the configuration. # Default value for domain. - # Although it will match all routes, it is the least-specific rule so it - # will only be used if no other domain matches. - example.com: | - - # These are example settings of domain. - # example.org will be used for routes having app=nonprofit. - example.org: | - selector: - app: nonprofit - # Routes having the cluster domain suffix (by default 'svc.cluster.local') # will not be exposed through Ingress. You can define your own label # selector to assign that domain suffix to your Route here, or you can set @@ -3688,6 +4526,16 @@ data: svc.cluster.local: | selector: app: secret + + # These are example settings of domain. + # example.com will be used for all routes, but it is the least-specific rule so it + # will only be used if no other domain matches. + example.com: | + + # example.org will be used for routes having app=nonprofit. + example.org: | + selector: + app: nonprofit --- apiVersion: v1 kind: ConfigMap @@ -3697,10 +4545,9 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" annotations: - knative.dev/example-checksum: "d9e300ba" + knative.dev/example-checksum: "691a192e" data: _example: |- ################################ 
@@ -3730,6 +4577,12 @@ data: # See: https://knative.dev/docs/serving/feature-flags/#kubernetes-node-affinity kubernetes.podspec-affinity: "disabled" + # Indicates whether Kubernetes topologySpreadConstraints support is enabled + # + # WARNING: Cannot safely be disabled once enabled. + # See: https://knative.dev/docs/serving/feature-flags/#kubernetes-topology-spread-constraints + kubernetes.podspec-topologyspreadconstraints: "disabled" + # Indicates whether Kubernetes hostAliases support is enabled # # WARNING: Cannot safely be disabled once enabled. @@ -3760,6 +4613,18 @@ data: # See: https://knative.dev/docs/serving/feature-flags/#kubernetes-runtime-class kubernetes.podspec-runtimeclassname: "disabled" + # Indicates whether Kubernetes DNSPolicy support is enabled + # + # WARNING: Cannot safely be disabled once enabled. + # See: https://knative.dev/docs/serving/feature-flags/#kubernetes-dnspolicy + kubernetes.podspec-dnspolicy: "disabled" + + # Indicates whether Kubernetes DNSConfig support is enabled + # + # WARNING: Cannot safely be disabled once enabled. + # See: https://knative.dev/docs/serving/feature-flags/#kubernetes-dnsconfig + kubernetes.podspec-dnsconfig: "disabled" + # This feature allows end-users to set a subset of fields on the Pod's SecurityContext # # When set to "enabled" or "allowed" it allows the following @@ -3769,6 +4634,7 @@ data: # - RunAsNonRoot # - SupplementalGroups # - RunAsUser + # - SeccompProfile # # This feature flag should be used with caution as the PodSecurityContext # properties may have a side-effect on non-user sidecar containers that come 
@@ -3820,7 +4686,7 @@ data: # Controls whether volume support for EmptyDir is enabled or not. # 1. Enabled: enabling EmptyDir volume support # 2. Disabled: disabling EmptyDir volume support - kubernetes.podspec-volumes-emptydir: "disabled" + kubernetes.podspec-volumes-emptydir: "enabled" # Controls whether init containers support is enabled or not. # 1. Enabled: enabling init containers support @@ -3836,6 +4702,23 @@ data: # 1. Enabled: enabling write access for persistent volumes # 2. Disabled: disabling write access for persistent volumes kubernetes.podspec-persistent-volume-write: "disabled" + + # Controls if the queue proxy podInfo feature is enabled, allowed or disabled + # + # This feature should be enabled/allowed when using queue proxy Options (Extensions) + # Enabling will mount a podInfo volume to the queue proxy container. + # The volume will contains an 'annotations' file (from the pod's annotation field). + # The annotations in this file include the Service annotations set by the client creating the service. + # If mounted, the annotations can be accessed by queue proxy extensions at /etc/podinfo/annnotations + # + # 1. "enabled": always mount a podInfo volume + # 2. "disabled": never mount a podInfo volume + # 3. "allowed": by default, do not mount a podInfo volume + # However, a client may mount the podInfo volume on an individual Service by attaching + # the following metadata annotation to the Service: "features.knative.dev/queueproxy-podinfo":"enabled". + # + # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE + queueproxy.mount-podinfo: "disabled" --- apiVersion: v1 kind: ConfigMap 
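Review bot: `kubernetes.podspec-volumes-emptydir` flips from `"disabled"` to `"enabled"` in the `@@ -3820` hunk, which widens the pod-spec surface available to every Knative Service author in the cluster; that is a posture change worth naming explicitly in the commit message rather than leaving it implied by the upstream bump. If the previous posture is wanted for this deployment, pin it back with an overlay patch on `config-features` instead of editing the vendored file. The `queueproxy.mount-podinfo` comment in the `@@ -3836` hunk (including its `annnotations` typo) is upstream text and should be corrected upstream, not here.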
@@ -3845,10 +4728,9 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" annotations: - knative.dev/example-checksum: "51b4d68a" + knative.dev/example-checksum: "aa3813a8" data: _example: | ################################ @@ -3866,7 +4748,6 @@ data: # this example block and unindented to be in the data block # to actually change the configuration. - # --------------------------------------- # Garbage Collector Settings # --------------------------------------- @@ -3889,6 +4770,7 @@ data: # # Example config to immediately collect any inactive revision: # min-non-active-revisions: "0" + # max-non-active-revisions: "0" # retain-since-create-time: "disabled" # retain-since-last-active-time: "disabled" # @@ -3897,7 +4779,7 @@ data: # retain-since-last-active-time: "disabled" # max-non-active-revisions: "10" # - # Example config to disable all GC: + # Example config to disable all garbage collection: # retain-since-create-time: "disabled" # retain-since-last-active-time: "disabled" # max-non-active-revisions: "disabled" @@ -3931,8 +4813,7 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" annotations: knative.dev/example-checksum: "f4b71f57" data: @@ -3977,11 +4858,11 @@ metadata: name: config-logging namespace: knative-serving labels: - serving.knative.dev/release: "v1.2.5" - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" + app.kubernetes.io/component: logging app.kubernetes.io/name: knative-serving annotations: - knative.dev/example-checksum: "be93ff10" + knative.dev/example-checksum: "b0f3c6f2" data: _example: | ################################ 
@@ -4034,6 +4915,7 @@ data: loglevel.hpaautoscaler: "info" loglevel.net-certmanager-controller: "info" loglevel.net-istio-controller: "info" + loglevel.net-contour-controller: "info" --- apiVersion: v1 kind: ConfigMap @@ -4042,10 +4924,10 @@ metadata: namespace: knative-serving labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/component: networking + app.kubernetes.io/version: "1.8.0" annotations: - knative.dev/example-checksum: "6e2033e0" + knative.dev/example-checksum: "73d96d1b" data: _example: | ################################ @@ -4195,6 +5077,16 @@ data: # fronting Knative with an external loadbalancer that deals with TLS termination and # Knative doesn't know about that otherwise. default-external-scheme: "http" + + # internal-encryption indicates whether internal traffic is encrypted or not. + # If this is "true", the following traffic are encrypted: + # - ingress to activator + # - ingress to queue-proxy + # - activator to queue-proxy + # + # NOTE: This flag is in an alpha state and is mostly here to enable internal testing + # for now. Use with caution. + internal-encryption: "false" --- apiVersion: v1 kind: ConfigMap @@ -4203,8 +5095,8 @@ metadata: namespace: knative-serving labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/component: observability + app.kubernetes.io/version: "1.8.0" annotations: knative.dev/example-checksum: "fed4756e" data: @@ -4297,8 +5189,8 @@ metadata: namespace: knative-serving labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/component: tracing + app.kubernetes.io/version: "1.8.0" annotations: knative.dev/example-checksum: "26614636" data: 
@@ -4332,7 +5224,7 @@ data: # Percentage (0-1) of requests to trace sample-rate: "0.1" --- -apiVersion: autoscaling/v2beta2 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: activator @@ -4340,8 +5232,7 @@ metadata: labels: app.kubernetes.io/component: activator app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: minReplicas: 1 maxReplicas: 20 @@ -4365,8 +5256,7 @@ metadata: labels: app.kubernetes.io/component: activator app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: minAvailable: 80% selector: @@ -4380,9 +5270,8 @@ metadata: namespace: knative-serving labels: app.kubernetes.io/component: activator - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving - serving.knative.dev/release: "v1.2.5" spec: selector: matchLabels: @@ -4397,13 +5286,12 @@ spec: role: activator app.kubernetes.io/component: activator app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: serviceAccountName: controller containers: - name: activator - image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:93ff6e69357785ff97806945b284cbd1d37e50402b876a320645be8877c0d7b7 + image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:c3bbf3a96920048869dcab8e133e00f59855670b8a0bbca3d72ced2f512eb5e1 resources: requests: cpu: 300m @@ -4438,7 +5326,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 
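Review bot: Moving the HorizontalPodAutoscaler to `autoscaling/v2` in the `@@ -4332` hunk sets a minimum cluster version of Kubernetes 1.23, where `autoscaling/v2` became stable, while `v2beta2` is removed in 1.26, so the change is needed for the 1.25 target but also drops older clusters. If the repository documents supported Kubernetes versions, that floor should be updated alongside this manifest. The `seccompProfile: RuntimeDefault` addition and the `ALL` spelling in the `@@ -4438` hunk are correct as written; the upper-case form is what the restricted Pod Security Standard checks for.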
@@ -4475,9 +5365,8 @@ metadata: labels: app: activator app.kubernetes.io/component: activator - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving - serving.knative.dev/release: "v1.2.5" spec: selector: app: activator @@ -4494,6 +5383,9 @@ spec: - name: http2 port: 81 targetPort: 8013 + - name: https + port: 443 + targetPort: 8112 type: ClusterIP --- apiVersion: apps/v1 @@ -4504,8 +5396,7 @@ metadata: labels: app.kubernetes.io/component: autoscaler app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: replicas: 1 selector: @@ -4523,8 +5414,7 @@ spec: app: autoscaler app.kubernetes.io/component: autoscaler app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: affinity: podAntiAffinity: @@ -4538,7 +5428,7 @@ spec: serviceAccountName: controller containers: - name: autoscaler - image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:007820fdb75b60e6fd5a25e65fd6ad9744082a6bf195d72795561c91b425d016 + image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:caae5e34b4cb311ed8551f2778cfca566a77a924a59b775bd516fa8b5e3c1d7f resources: requests: cpu: 100m @@ -4571,7 +5461,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 @@ -4600,8 +5492,7 @@ metadata: app: autoscaler app.kubernetes.io/component: autoscaler app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" name: autoscaler namespace: knative-serving spec: 
@@ -4626,8 +5517,7 @@ metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: selector: matchLabels: @@ -4640,8 +5530,7 @@ spec: app: controller app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: affinity: podAntiAffinity: @@ -4655,7 +5544,7 @@ spec: serviceAccountName: controller containers: - name: controller - image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:75cfdcfa050af9522e798e820ba5483b9093de1ce520207a3fedf112d73a4686 + image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:38f9557f4d61ec79cc2cdbe76da8df6c6ae5f978a50a2847c22cc61aa240da95 resources: requests: cpu: 100m @@ -4684,7 +5573,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 @@ -4698,8 +5589,7 @@ metadata: app: controller app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" name: controller namespace: knative-serving spec: @@ -4721,8 +5611,7 @@ metadata: labels: app.kubernetes.io/component: domain-mapping app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: selector: matchLabels: @@ -4735,8 +5624,7 @@ spec: app: domain-mapping app.kubernetes.io/component: domain-mapping app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: affinity: podAntiAffinity: 
@@ -4750,7 +5638,7 @@ spec: serviceAccountName: controller containers: - name: domain-mapping - image: gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping@sha256:23baa19322320f25a462568eded1276601ef67194883db9211e1ea24f21a0beb + image: gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping@sha256:763d648bf1edee2b4471b0e211dbc53ba2d28f92e4dae28ccd39af7185ef2c96 resources: requests: cpu: 30m @@ -4775,7 +5663,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 @@ -4790,8 +5680,7 @@ metadata: labels: app.kubernetes.io/component: domain-mapping app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: selector: matchLabels: @@ -4806,8 +5695,7 @@ spec: role: domainmapping-webhook app.kubernetes.io/component: domain-mapping app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: affinity: podAntiAffinity: @@ -4821,7 +5709,7 @@ spec: serviceAccountName: controller containers: - name: domainmapping-webhook - image: gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping-webhook@sha256:847bb97e38440c71cb4bcc3e430743e18b328ad1e168b6fca35b10353b9a2c22 + image: gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping-webhook@sha256:a4ba0076df2efaca2eed561339e21b3a4ca9d90167befd31de882bff69639470 resources: requests: cpu: 100m @@ -4852,7 +5740,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 
@@ -4887,8 +5777,7 @@ metadata: role: domainmapping-webhook app.kubernetes.io/component: domain-mapping app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" name: domainmapping-webhook namespace: knative-serving spec: @@ -4913,8 +5802,7 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: minReplicas: 1 maxReplicas: 5 @@ -4938,8 +5826,7 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" spec: minAvailable: 80% selector: @@ -4952,9 +5839,8 @@ metadata: name: webhook namespace: knative-serving labels: - serving.knative.dev/release: "v1.2.5" app.kubernetes.io/component: webhook - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving spec: selector: @@ -4968,9 +5854,7 @@ spec: labels: app: webhook role: webhook - serving.knative.dev/release: "v1.2.5" - app.kubernetes.io/component: webhook - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving spec: affinity: @@ -4985,7 +5869,7 @@ spec: serviceAccountName: controller containers: - name: webhook - image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:9084ea8498eae3c6c4364a397d66516a25e48488f4a9871ef765fa554ba483f0 + image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:bc13765ba4895c0fa318a065392d05d0adc0e20415c739e0aacb3f56140bf9ae resources: requests: cpu: 100m @@ -5018,7 +5902,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 
@@ -5051,9 +5937,8 @@ kind: Service metadata: labels: role: webhook - serving.knative.dev/release: "v1.2.5" app.kubernetes.io/component: webhook - app.kubernetes.io/version: "1.2.5" + app.kubernetes.io/version: "1.8.0" app.kubernetes.io/name: knative-serving name: webhook namespace: knative-serving @@ -5078,8 +5963,7 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" webhooks: - admissionReviewVersions: ["v1", "v1beta1"] clientConfig: @@ -5089,10 +5973,14 @@ webhooks: failurePolicy: Fail sideEffects: None name: config.webhook.serving.knative.dev - namespaceSelector: + objectSelector: matchExpressions: - - key: serving.knative.dev/release - operator: Exists + - key: app.kubernetes.io/name + operator: In + values: ["knative-serving"] + - key: app.kubernetes.io/component + operator: In + values: ["autoscaler", "controller", "logging", "networking", "observability", "tracing"] timeoutSeconds: 10 --- apiVersion: admissionregistration.k8s.io/v1 @@ -5102,8 +5990,7 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" webhooks: - admissionReviewVersions: ["v1", "v1beta1"] clientConfig: @@ -5143,8 +6030,7 @@ metadata: labels: app.kubernetes.io/component: domain-mapping app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" webhooks: - admissionReviewVersions: ["v1", "v1beta1"] clientConfig: @@ -5159,14 +6045,14 @@ webhooks: - apiGroups: - serving.knative.dev apiVersions: - - v1alpha1 - - v1beta1 + - "*" operations: - CREATE - UPDATE scope: "*" resources: - domainmappings + - domainmappings/status --- apiVersion: v1 kind: Secret 
@@ -5176,8 +6062,7 @@ metadata: labels: app.kubernetes.io/component: domain-mapping app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -5186,8 +6071,7 @@ metadata: labels: app.kubernetes.io/component: domain-mapping app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" webhooks: - admissionReviewVersions: ["v1", "v1beta1"] clientConfig: @@ -5202,8 +6086,7 @@ webhooks: - apiGroups: - serving.knative.dev apiVersions: - - v1alpha1 - - v1beta1 + - "*" operations: - CREATE - UPDATE @@ -5211,6 +6094,7 @@ webhooks: scope: "*" resources: - domainmappings + - domainmappings/status --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -5219,8 +6103,7 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" + app.kubernetes.io/version: "1.8.0" webhooks: - admissionReviewVersions: ["v1", "v1beta1"] clientConfig: @@ -5262,6 +6145,6 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.2.5" - serving.knative.dev/release: "v1.2.5" ---- \ No newline at end of file + app.kubernetes.io/version: "1.8.0" +--- + From 03f1c7ee849378545a3f3649451b9fe240b7dafb Mon Sep 17 00:00:00 2001 From: apoger Date: Tue, 24 Jan 2023 17:56:24 +0200 Subject: [PATCH 15/74] common: Upgrade Knative Eventing manifests to version 1.8.1 (#2333) * common: Upgrade knative-eventing manifests to v1.8 Signed-off-by: Apostolos Gerakaris * Update README file Add instructions to remove duplicate resource definitions from upstream knative-eventing manifests as kustomize breaks when it tries to build them. 
Signed-off-by: Apostolos Gerakaris * Update version references of knative in README files Signed-off-by: Apostolos Gerakaris * testing: Update GH Action workflows Trigger the test workflow of each component, that uses Knative, when Knative-serving/eventing manifests are changed. Signed-off-by: Apostolos Gerakaris Signed-off-by: Apostolos Gerakaris --- .github/workflows/kserve_kind_test.yaml | 1 + common/knative/README.md | 38 +- ...l-jobs.yaml => eventing-post-install.yaml} | 30 +- .../base/kustomization.yaml | 2 +- .../knative-eventing/base/kustomization.yaml | 4 +- .../base/upstream/eventing-core.yaml | 401 +++++++++++------- .../base/upstream/in-memory-channel.yaml | 214 +++------- .../base/upstream/mt-channel-broker.yaml | 96 +++-- 8 files changed, 394 insertions(+), 392 deletions(-) rename common/knative/knative-eventing-post-install-jobs/base/{eventing-post-install-jobs.yaml => eventing-post-install.yaml} (78%) diff --git a/.github/workflows/kserve_kind_test.yaml b/.github/workflows/kserve_kind_test.yaml index 7cded58547..4467000a99 100644 --- a/.github/workflows/kserve_kind_test.yaml +++ b/.github/workflows/kserve_kind_test.yaml @@ -3,6 +3,7 @@ on: pull_request: paths: - contrib/kserve/** + - common/knative/** jobs: build: diff --git a/common/knative/README.md b/common/knative/README.md index 1d8dc912bd..3fe8b7d24e 100644 --- a/common/knative/README.md +++ b/common/knative/README.md 
@@ -70,20 +70,20 @@ NOTE: You'll need to remove a redundant `{}` at the end of the `knative-serving/ ## Knative-Eventing -The manifests for Knative Eventing are based off the the [v1.2.4 release](https://github.com/knative/eventing/releases/tag/knative-v1.2.4). +The manifests for Knative Eventing are based off the the [v1.8.1 release](https://github.com/knative/eventing/releases/tag/knative-v1.8.1). - - [Eventing Core](https://github.com/knative/eventing/releases/download/knative-v1.2.4/eventing-core.yaml) - - [In-Memory Channel](https://github.com/knative/eventing/releases/download/knative-v1.2.4/in-memory-channel.yaml) - - [MT Channel Broker](https://github.com/knative/eventing/releases/download/knative-v1.2.4/mt-channel-broker.yaml) + - [Eventing Core](https://github.com/knative/eventing/releases/download/knative-v1.8.1/eventing-core.yaml) + - [In-Memory Channel](https://github.com/knative/eventing/releases/download/knative-v1.8.1/in-memory-channel.yaml) + - [MT Channel Broker](https://github.com/knative/eventing/releases/download/knative-v1.8.1/mt-channel-broker.yaml) 1. 
Download the knative-eventing manifests with the following commands: ```sh - wget -O knative-eventing/base/upstream/eventing-core.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.2.4/eventing-core.yaml' - wget -O knative-eventing/base/upstream/in-memory-channel.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.2.4/in-memory-channel.yaml' - wget -O knative-eventing/base/upstream/mt-channel-broker.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.2.4/mt-channel-broker.yaml' - wget -O knative-eventing-post-install-jobs/base/eventing-post-install-jobs.yaml https://github.com/knative/eventing/releases/download/knative-v1.2.4/eventing-post-install.yaml + wget -O knative-eventing/base/upstream/eventing-core.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.8.1/eventing-core.yaml' + wget -O knative-eventing/base/upstream/in-memory-channel.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.8.1/in-memory-channel.yaml' + wget -O knative-eventing/base/upstream/mt-channel-broker.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.8.1/mt-channel-broker.yaml' + wget -O knative-eventing-post-install-jobs/base/eventing-post-install.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.8.1/eventing-post-install.yaml' ``` 1. Remove all comments, since `yq` does not handle them correctly. See: 
@@ -93,7 +93,7 @@ The manifests for Knative Eventing are based off the the [v1.2.4 release](https: yq eval -i '... comments=""' knative-eventing/base/upstream/eventing-core.yaml yq eval -i '... comments=""' knative-eventing/base/upstream/in-memory-channel.yaml yq eval -i '... comments=""' knative-eventing/base/upstream/mt-channel-broker.yaml - yq eval -i '... comments=""' knative-eventing-post-install-jobs/base/eventing-post-install-jobs.yaml + yq eval -i '... comments=""' knative-eventing-post-install-jobs/base/eventing-post-install.yaml ``` 1. Remove all YAML anchors and aliases, as kustomize does not support them. See: 
@@ -104,9 +104,27 @@ The manifests for Knative Eventing are based off the the [v1.2.4 release](https: yq eval -i 'explode(.)' knative-eventing/base/upstream/eventing-core.yaml yq eval -i 'explode(.)' knative-eventing/base/upstream/in-memory-channel.yaml yq eval -i 'explode(.)' knative-eventing/base/upstream/mt-channel-broker.yaml - yq eval -i 'explode(.)' knative-eventing-post-install-jobs/base/eventing-post-install-jobs.yaml + yq eval -i 'explode(.)' knative-eventing-post-install-jobs/base/eventing-post-install.yaml ``` +1. Set `metadata.name` in the eventing post-install job, to be deploy-able with + `kustomize` and `kubectl apply`: + + ```sh + # We are not using the '|=' operator because it generates an empty object + # ({}) which crashes kustomize. + yq eval -i 'select(.kind == "Job" and .metadata.generateName == "storage-version-migration-eventing-") | .metadata.name = "storage-version-migration-eventing"' knative-eventing-post-install-jobs/base/eventing-post-install.yaml + ``` + +1. Remove the `config-observability` and `config-tracing` ConfigMaps resource definitions from the In-Memory Channel, as they are already defined in eventing core. + + ```sh + yq eval -i 'select((.kind == "ConfigMap" and .metadata.name == "config-observability") | not)' knative-eventing/base/upstream/in-memory-channel.yaml + yq eval -i 'select((.kind == "ConfigMap" and .metadata.name == "config-tracing") | not)' knative-eventing/base/upstream/in-memory-channel.yaml + ``` + + NOTE: Make sure to remove a redundant `{}` at the end of the `knative-eventing/base/upstream/in-memory-channel.yaml` file after running the above commands. + ## Copyright The files under the folders `knative-serving/base/upstream` and 
diff --git a/common/knative/knative-eventing-post-install-jobs/base/eventing-post-install-jobs.yaml b/common/knative/knative-eventing-post-install-jobs/base/eventing-post-install.yaml similarity index 78% rename from common/knative/knative-eventing-post-install-jobs/base/eventing-post-install-jobs.yaml rename to common/knative/knative-eventing-post-install-jobs/base/eventing-post-install.yaml index 6ef5c02074..d552412bc6 100644 --- a/common/knative/knative-eventing-post-install-jobs/base/eventing-post-install-jobs.yaml +++ b/common/knative/knative-eventing-post-install-jobs/base/eventing-post-install.yaml @@ -3,7 +3,9 @@ kind: ClusterRole metadata: name: knative-eventing-post-install-job-role labels: - eventing.knative.dev/release: "v1.2.4" + app.kubernetes.io/version: "1.8.1" + app.kubernetes.io/name: knative-eventing + eventing.knative.dev/release: "v1.8.1" rules: - apiGroups: - "apiextensions.k8s.io" @@ -106,14 +108,18 @@ metadata: name: knative-eventing-post-install-job namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" + app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: knative-eventing-post-install-job-role-binding labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" + app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount name: knative-eventing-post-install-job 
@@ -126,11 +132,14 @@ roleRef: apiVersion: batch/v1 kind: Job metadata: - generateName: storage-version-migration-eventing- + name: storage-version-migration-eventing namespace: knative-eventing labels: app: "storage-version-migration-eventing" - eventing.knative.dev/release: "v1.2.4" + app.kubernetes.io/name: knative-eventing + app.kubernetes.io/component: storage-version-migration-job + app.kubernetes.io/version: "1.8.1" + eventing.knative.dev/release: "v1.8.1" spec: ttlSecondsAfterFinished: 600 backoffLimit: 10 @@ -138,7 +147,10 @@ spec: metadata: labels: app: "storage-version-migration-eventing" - eventing.knative.dev/release: "v1.2.4" + app.kubernetes.io/name: knative-eventing + app.kubernetes.io/component: storage-version-migration-job + app.kubernetes.io/version: "1.8.1" + eventing.knative.dev/release: "v1.8.1" annotations: sidecar.istio.io/inject: "false" spec: @@ -146,7 +158,7 @@ spec: restartPolicy: OnFailure containers: - name: migrate - image: gcr.io/knative-releases/knative.dev/eventing/vendor/knative.dev/pkg/apiextensions/storageversion/cmd/migrate@sha256:ce1cf40c3e58fb437bac1731aa4dd3bda63bcedeaaf303b928963071192f82bf + image: gcr.io/knative-releases/knative.dev/pkg/apiextensions/storageversion/cmd/migrate@sha256:bb95337552b07e1a52d6205a95342317b1b081b6b57ef7764c0d59c466978b6f args: - "apiserversources.sources.knative.dev" - "brokers.eventing.knative.dev" @@ -166,6 +178,8 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault --- diff --git a/common/knative/knative-eventing-post-install-jobs/base/kustomization.yaml b/common/knative/knative-eventing-post-install-jobs/base/kustomization.yaml index 3cc5036986..9aca5d86f9 100644 --- a/common/knative/knative-eventing-post-install-jobs/base/kustomization.yaml +++ b/common/knative/knative-eventing-post-install-jobs/base/kustomization.yaml 
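Review bot: The fixed `name: storage-version-migration-eventing` means a second `kubectl apply` of this kustomization fails with an immutable-field error whenever a completed Job of that name still exists, because a Job's `spec.template` cannot be updated and this same change bumps the migrate image digest; `ttlSecondsAfterFinished: 600` only removes the finished Job ten minutes later, after which every re-apply silently re-runs the migration. A comment beside the renamed field would save the next upgrader a surprise, e.g. `# Upstream uses generateName; a fixed name is needed for kustomize/kubectl apply. Delete the completed Job before re-applying a newer version.` Separately, the Job is garbage-collected by the TTL while the `knative-eventing-post-install-job` ServiceAccount and its ClusterRoleBinding from the earlier hunk stay in place, so a credential with cluster-scoped rights (the ClusterRole's rules are only partly visible here) outlives its one-shot use; documenting that this post-install kustomization should be deleted once the migration has completed would close that gap.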
@@ -1,4 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- eventing-post-install-jobs.yaml +- eventing-post-install.yaml diff --git a/common/knative/knative-eventing/base/kustomization.yaml b/common/knative/knative-eventing/base/kustomization.yaml index 8b579a06a6..cd3a190a05 100644 --- a/common/knative/knative-eventing/base/kustomization.yaml +++ b/common/knative/knative-eventing/base/kustomization.yaml @@ -2,8 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: knative-eventing resources: -- upstream/eventing-core.yaml +- upstream/eventing-core.yaml +# Uncomment to install In-Memory Channels as messaging layer: # - upstream/in-memory-channel.yaml +# Uncomment to install MT-channel-based Broker layer # - upstream/mt-channel-broker.yaml patchesStrategicMerge: - patches/clusterrole-patch.yaml diff --git a/common/knative/knative-eventing/base/upstream/eventing-core.yaml b/common/knative/knative-eventing/base/upstream/eventing-core.yaml index 7de25adbfe..e922cc3f33 100644 --- a/common/knative/knative-eventing/base/upstream/eventing-core.yaml +++ b/common/knative/knative-eventing/base/upstream/eventing-core.yaml @@ -3,8 +3,8 @@ kind: Namespace metadata: name: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing --- apiVersion: v1 @@ -13,8 +13,8 @@ metadata: name: eventing-controller namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 
@@ -22,8 +22,8 @@ kind: ClusterRoleBinding metadata: name: eventing-controller labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -39,8 +39,8 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-resolver labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -56,8 +56,8 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-source-observer labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -73,8 +73,8 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-sources-controller labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -90,8 +90,8 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-manipulator labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -108,8 +108,8 @@ metadata: name: pingsource-mt-adapter namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 
@@ -117,8 +117,8 @@ kind: ClusterRoleBinding metadata: name: knative-eventing-pingsource-mt-adapter labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -135,8 +135,8 @@ metadata: name: eventing-webhook namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -144,8 +144,8 @@ kind: ClusterRoleBinding metadata: name: eventing-webhook labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -162,8 +162,8 @@ metadata: namespace: knative-eventing name: eventing-webhook labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -179,8 +179,8 @@ kind: ClusterRoleBinding metadata: name: eventing-webhook-resolver labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -196,8 +196,8 @@ kind: ClusterRoleBinding metadata: name: eventing-webhook-podspecable-binding labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount 
@@ -214,8 +214,8 @@ metadata: name: config-br-default-channel namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing data: channel-template-spec: | @@ -228,8 +228,8 @@ metadata: name: config-br-defaults namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing data: default-br-config: | @@ -250,8 +250,8 @@ metadata: name: default-ch-webhook namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing data: default-ch-config: | @@ -269,10 +269,10 @@ metadata: name: config-ping-defaults namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" annotations: knative.dev/example-checksum: "9185c153" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing data: _example: | @@ -301,17 +301,17 @@ metadata: name: config-features namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing data: kreference-group: "disabled" delivery-retryafter: "disabled" - delivery-timeout: "disabled" + delivery-timeout: "enabled" kreference-mapping: "disabled" - strict-subscriber: "disabled" + strict-subscriber: "enabled" new-trigger-filters: "disabled" --- apiVersion: v1 
@@ -320,7 +320,7 @@ metadata: name: config-kreference-mapping namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/config-propagation: original knative.dev/config-category: eventing annotations: @@ -354,8 +354,8 @@ metadata: name: config-leader-election namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "f7948630" @@ -401,10 +401,10 @@ metadata: name: config-logging namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing data: zap-logger-config: | @@ -437,10 +437,10 @@ metadata: name: config-observability namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "f46cf09d" 
@@ -495,14 +495,57 @@ data: --- apiVersion: v1 kind: ConfigMap +metadata: + name: config-sugar + namespace: knative-eventing + labels: + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" + app.kubernetes.io/name: knative-eventing + annotations: + knative.dev/example-checksum: "62dfac6f" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # namespace-selector specifies a LabelSelector which + # determines which namespaces the Sugar Controller should operate upon + # Use an empty value to disable the feature (this is the default): + namespace-selector: "" + + # Use an empty object as a string to enable for all namespaces + namespace-selector: "{}" + + # trigger-selector specifies a LabelSelector which + # determines which triggers the Sugar Controller should operate upon + # Use an empty value to disable the feature (this is the default): + trigger-selector: "" + + # Use an empty object as string to enable for all triggers + trigger-selector: "{}" +--- +apiVersion: v1 +kind: ConfigMap metadata: name: config-tracing namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "0492ceb0" 
@@ -542,10 +585,10 @@ metadata: name: eventing-controller namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/high-availability: "true" app.kubernetes.io/component: eventing-controller - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: selector: @@ -555,9 +598,9 @@ spec: metadata: labels: app: eventing-controller - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/component: eventing-autoscaler - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/component: eventing-controller + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: affinity: @@ -574,7 +617,7 @@ spec: containers: - name: eventing-controller terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-releases/knative.dev/eventing/cmd/controller@sha256:dc0ac2d8f235edb04ec1290721f389d2bc719ab8b6222ee86f17af8d7d2a160f + image: gcr.io/knative-releases/knative.dev/eventing/cmd/controller@sha256:33d78536e9b38dbb2ec2952207b48ff8e05acb48e7d28c2305bd0a0f7156198f resources: requests: cpu: 100m @@ -591,7 +634,7 @@ spec: - name: METRICS_DOMAIN value: knative.dev/eventing - name: APISERVER_RA_IMAGE - value: gcr.io/knative-releases/knative.dev/eventing/cmd/apiserver_receive_adapter@sha256:5b672eedd343bcf9496c2070479f9d8f29231069148bf2aa7991bd5ca5a7562a + value: gcr.io/knative-releases/knative.dev/eventing/cmd/apiserver_receive_adapter@sha256:2fd38788ae96abd96e63bf8b7ef3e1b37370513a84a86cd153dfb1cd9442a095 - name: POD_NAME valueFrom: fieldRef: 
@@ -602,12 +645,32 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault + livenessProbe: + httpGet: + path: /health + port: probes + scheme: HTTP + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readiness + port: probes + scheme: HTTP + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 ports: - name: metrics containerPort: 9090 - name: profiling containerPort: 8008 + - name: probes + containerPort: 8080 --- apiVersion: apps/v1 kind: Deployment @@ -615,9 +678,9 @@ metadata: name: pingsource-mt-adapter namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: pingsource-mt-adapter - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: replicas: 0 @@ -630,9 +693,9 @@ spec: labels: eventing.knative.dev/source: ping-source-controller sources.knative.dev/role: adapter - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: pingsource-mt-adapter - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: affinity: @@ -648,7 +711,7 @@ spec: enableServiceLinks: false containers: - name: dispatcher - image: gcr.io/knative-releases/knative.dev/eventing/cmd/mtping@sha256:632d9d710d070efed2563f6125a87993e825e8e36562ec3da0366e2a897406c0 + image: gcr.io/knative-releases/knative.dev/eventing/cmd/mtping@sha256:282b5265e1ef26309b3343038c9b4f172654e06cbee46f6ddffd23ea9ad9a3be env: - name: SYSTEM_NAMESPACE value: '' @@ -656,6 +719,12 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + - name: NAMESPACE + value: '' + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace - name: K_METRICS_CONFIG value: '' - name: K_LOGGING_CONFIG 
@@ -687,18 +756,20 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault serviceAccountName: pingsource-mt-adapter --- -apiVersion: autoscaling/v2beta2 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: eventing-webhook namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: scaleTargetRef: @@ -715,15 +786,15 @@ spec: type: Utilization averageUtilization: 100 --- -apiVersion: policy/v1beta1 +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: eventing-webhook namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: minAvailable: 80% @@ -737,9 +808,9 @@ metadata: name: eventing-webhook namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: selector: @@ -751,9 +822,9 @@ spec: labels: app: eventing-webhook role: eventing-webhook - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: affinity: 
@@ -770,7 +841,7 @@ spec: containers: - name: eventing-webhook terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-releases/knative.dev/eventing/cmd/webhook@sha256:b7faf7d253bd256dbe08f1cac084469128989cf39abbe256ecb4e1d4eb085a31 + image: gcr.io/knative-releases/knative.dev/eventing/cmd/webhook@sha256:d217ab7e3452a87f8cbb3b45df65c98b18b8be39551e3e960cd49ea44bb415ba resources: requests: cpu: 100m @@ -803,7 +874,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: https-webhook containerPort: 8443 @@ -827,17 +900,17 @@ spec: httpHeaders: - name: k-kubelet-probe value: "webhook" - initialDelaySeconds: 20 + initialDelaySeconds: 120 terminationGracePeriodSeconds: 300 --- apiVersion: v1 kind: Service metadata: labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" role: eventing-webhook app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing name: eventing-webhook namespace: knative-eventing @@ -854,11 +927,11 @@ kind: CustomResourceDefinition metadata: creationTimestamp: null labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing annotations: registry.knative.dev/eventTypes: | @@ -1054,10 +1127,10 @@ kind: CustomResourceDefinition metadata: name: brokers.eventing.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev 
@@ -1206,11 +1279,11 @@ kind: CustomResourceDefinition metadata: name: channels.messaging.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/crd-install: "true" messaging.knative.dev/subscribable: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: group: messaging.knative.dev @@ -1466,11 +1539,11 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing name: containersources.sources.knative.dev spec: @@ -1605,9 +1678,9 @@ kind: CustomResourceDefinition metadata: name: eventtypes.eventing.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev @@ -1719,10 +1792,10 @@ kind: CustomResourceDefinition metadata: name: parallels.flows.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: group: flows.knative.dev 
@@ -2157,11 +2230,11 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing annotations: registry.knative.dev/eventTypes: | @@ -2459,10 +2532,10 @@ kind: CustomResourceDefinition metadata: name: sequences.flows.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: group: flows.knative.dev @@ -2764,12 +2837,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" eventing.knative.dev/source: "true" duck.knative.dev/source: "true" duck.knative.dev/binding: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing name: sinkbindings.sources.knative.dev spec: @@ -2942,9 +3015,9 @@ kind: CustomResourceDefinition metadata: name: subscriptions.messaging.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: group: messaging.knative.dev 
@@ -3139,9 +3212,9 @@ kind: CustomResourceDefinition metadata: name: triggers.eventing.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev @@ -3309,8 +3382,8 @@ kind: ClusterRole metadata: name: addressable-resolver labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: @@ -3323,9 +3396,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: service-addressable-resolver labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3342,9 +3415,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: serving-addressable-resolver labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3364,9 +3437,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: channel-addressable-resolver labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: 
@@ -3390,9 +3463,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: broker-addressable-resolver labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3410,9 +3483,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: flows-addressable-resolver labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3432,8 +3505,8 @@ kind: ClusterRole metadata: name: eventing-broker-filter labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3459,8 +3532,8 @@ kind: ClusterRole metadata: name: eventing-broker-ingress labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3477,8 +3550,8 @@ kind: ClusterRole metadata: name: eventing-config-reader labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3495,8 +3568,8 @@ kind: ClusterRole metadata: name: channelable-manipulator labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: 
@@ -3509,9 +3582,9 @@ kind: ClusterRole metadata: name: meta-channelable-manipulator labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" duck.knative.dev/channelable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3533,9 +3606,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: knative-eventing-namespaced-admin labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["eventing.knative.dev"] @@ -3547,9 +3620,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: knative-messaging-namespaced-admin labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["messaging.knative.dev"] @@ -3561,9 +3634,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: knative-flows-namespaced-admin labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["flows.knative.dev"] 
@@ -3575,9 +3648,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: knative-sources-namespaced-admin labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["sources.knative.dev"] @@ -3589,9 +3662,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: knative-bindings-namespaced-admin labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["bindings.knative.dev"] @@ -3604,8 +3677,8 @@ metadata: name: knative-eventing-namespaced-edit labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["eventing.knative.dev", "messaging.knative.dev", "sources.knative.dev", "flows.knative.dev", "bindings.knative.dev"] @@ -3618,8 +3691,8 @@ metadata: name: knative-eventing-namespaced-view labels: rbac.authorization.k8s.io/aggregate-to-view: "true" - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["eventing.knative.dev", "messaging.knative.dev", "sources.knative.dev", "flows.knative.dev", "bindings.knative.dev"] 
@@ -3631,8 +3704,8 @@ kind: ClusterRole metadata: name: knative-eventing-controller labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3783,8 +3856,8 @@ kind: ClusterRole metadata: name: knative-eventing-pingsource-mt-adapter labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3835,8 +3908,8 @@ kind: ClusterRole metadata: name: podspecable-binding labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: @@ -3849,9 +3922,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: builtin-podspecable-binding labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" duck.knative.dev/podspecable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3879,8 +3952,8 @@ kind: ClusterRole metadata: name: source-observer labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: 
@@ -3893,9 +3966,9 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: eventing-sources-source-observer labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" duck.knative.dev/source: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3915,8 +3988,8 @@ kind: ClusterRole metadata: name: knative-eventing-sources-controller labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4016,8 +4089,8 @@ kind: ClusterRole metadata: name: knative-eventing-webhook labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4106,8 +4179,8 @@ metadata: namespace: knative-eventing name: knative-eventing-webhook labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4127,8 +4200,8 @@ kind: ValidatingWebhookConfiguration metadata: name: config.webhook.eventing.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] 
@@ -4150,8 +4223,8 @@ kind: MutatingWebhookConfiguration metadata: name: webhook.eventing.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] @@ -4169,8 +4242,8 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.webhook.eventing.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] @@ -4189,8 +4262,8 @@ metadata: name: eventing-webhook-certs namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing --- apiVersion: admissionregistration.k8s.io/v1 @@ -4198,8 +4271,8 @@ kind: MutatingWebhookConfiguration metadata: name: sinkbindings.webhook.sources.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] diff --git a/common/knative/knative-eventing/base/upstream/in-memory-channel.yaml b/common/knative/knative-eventing/base/upstream/in-memory-channel.yaml index ee1bfbdeeb..691ebc7b24 100644 --- a/common/knative/knative-eventing/base/upstream/in-memory-channel.yaml +++ b/common/knative/knative-eventing/base/upstream/in-memory-channel.yaml 
@@ -1,20 +1,11 @@ apiVersion: v1 -kind: Namespace -metadata: - name: knative-eventing - labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" - app.kubernetes.io/name: knative-eventing ---- -apiVersion: v1 kind: ServiceAccount metadata: name: imc-controller namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -22,8 +13,8 @@ kind: ClusterRoleBinding metadata: name: imc-controller labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -40,8 +31,8 @@ metadata: namespace: knative-eventing name: imc-controller labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -57,8 +48,8 @@ kind: ClusterRoleBinding metadata: name: imc-controller-resolver labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -75,8 +66,8 @@ metadata: name: imc-dispatcher namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 
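Review bot: Removing the `Namespace` object from the head of in-memory-channel.yaml means this file no longer applies on its own; the `knative-eventing` namespace must now come from another manifest in the same base (presumably eventing-core.yaml, which this commit also bumps). That is fine if the kustomization lists that manifest first, but if any workflow or test applies in-memory-channel.yaml directly, the ServiceAccount and RoleBinding objects below will fail with a missing namespace. It is also worth confirming that the namespace object that remains carries the same `eventing.knative.dev/release: "v1.8.1"` label so the release selector stays consistent across the files.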
@@ -84,8 +75,8 @@ kind: ClusterRoleBinding metadata: name: imc-dispatcher labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount 
@@ -102,129 +93,24 @@ metadata: name: config-imc-event-dispatcher namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing data: MaxIdleConnections: "1000" MaxIdleConnectionsPerHost: "100" --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-observability - namespace: knative-eventing - labels: - eventing.knative.dev/release: "v1.2.4" - knative.dev/config-propagation: original - knative.dev/config-category: eventing - app.kubernetes.io/version: "1.2.4" - app.kubernetes.io/name: knative-eventing - annotations: - knative.dev/example-checksum: "f46cf09d" -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - - # metrics.backend-destination field specifies the system metrics destination. - # It supports either prometheus (the default) or stackdriver. - # Note: Using stackdriver will incur additional charges - metrics.backend-destination: prometheus - - # metrics.request-metrics-backend-destination specifies the request metrics - # destination. If non-empty, it enables queue proxy to send request metrics. - # Currently supported values: prometheus, stackdriver. - metrics.request-metrics-backend-destination: prometheus - - # metrics.stackdriver-project-id field specifies the stackdriver project ID. This - # field is optional. 
When running on GCE, application default credentials will be - # used if this field is not provided. - metrics.stackdriver-project-id: "" - - # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to - # Stackdriver using "global" resource type and custom metric type if the - # metrics are not supported by "knative_broker", "knative_trigger", and "knative_source" resource types. - # Setting this flag to "true" could cause extra Stackdriver charge. - # If metrics.backend-destination is not Stackdriver, this is ignored. - metrics.allow-stackdriver-custom-metrics: "false" - - # profiling.enable indicates whether it is allowed to retrieve runtime profiling data from - # the pods via an HTTP server in the format expected by the pprof visualization tool. When - # enabled, the Knative Eventing pods expose the profiling data on an alternate HTTP port 8008. - # The HTTP context root for profiling is then /debug/pprof/. - profiling.enable: "false" - - # sink-event-error-reporting.enable whether the adapter reports a kube event to the CRD indicating - # a failure to send a cloud event to the sink. - sink-event-error-reporting.enable: "false" ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-tracing - namespace: knative-eventing - labels: - eventing.knative.dev/release: "v1.2.4" - knative.dev/config-propagation: original - knative.dev/config-category: eventing - app.kubernetes.io/version: "1.2.4" - app.kubernetes.io/name: knative-eventing - annotations: - knative.dev/example-checksum: "c8f8c47b" -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. 
- # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - # - # This may be "zipkin" or "none", the default is "none" - backend: "none" - - # URL to zipkin collector where traces are sent. - # This must be specified when backend is "zipkin" - zipkin-endpoint: "http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans" - - # Enable zipkin debug mode. This allows all spans to be sent to the server - # bypassing sampling. - debug: "false" - - # Percentage (0-1) of requests to trace - sample-rate: "0.1" ---- apiVersion: apps/v1 kind: Deployment metadata: name: imc-controller namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/high-availability: "true" app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: selector: @@ -237,7 +123,7 @@ spec: messaging.knative.dev/channel: in-memory-channel messaging.knative.dev/role: controller app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: affinity: @@ -254,7 +140,7 @@ spec: enableServiceLinks: false containers: - name: controller - image: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_controller@sha256:a602de59eab2140a9a7639e221b777aa1bd5b9b4203e09dacdc32850f4414e4f + image: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_controller@sha256:f40825f7b4384ba8baac90018c42e4fd8aa2e37ad7a9e1c00c8858b73ed8d987 env: - name: WEBHOOK_NAME value: inmemorychannel-webhook 
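Review bot: The `config-observability` and `config-tracing` ConfigMaps are dropped from in-memory-channel.yaml, so the imc-controller and imc-dispatcher deployments that remain in this file depend on those ConfigMaps being provided elsewhere in the base (presumably eventing-core.yaml); nothing in the hunk shows that, so it should be confirmed before merging. Any kustomize patch or overlay in this repository that targeted these two ConfigMaps in this file will now fail with a missing target, and the zipkin example endpoint that used to be documented here (`http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans`) is gone, so if tracing is configured through a patch it should be re-checked. If the same ConfigMaps were also defined in eventing-core.yaml, keeping a single definition removes the last-applied-wins ambiguity between the two files, which is a point in favour of the change.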
@@ -271,7 +157,7 @@ spec: fieldRef: fieldPath: metadata.namespace - name: DISPATCHER_IMAGE - value: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:cd4502677aedc0779be980c5e7186cdc8e7557a036048480f8a3431ec1b3b873 + value: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:eef625176c57aab4c3061428b787f844529dfd19b82cf50ccaffc909072d568f - name: POD_NAME valueFrom: fieldRef: @@ -282,7 +168,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 @@ -306,7 +194,7 @@ spec: httpHeaders: - name: k-kubelet-probe value: "webhook" - initialDelaySeconds: 20 + initialDelaySeconds: 120 terminationGracePeriodSeconds: 300 --- apiVersion: v1 @@ -314,9 +202,9 @@ kind: Service metadata: labels: app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" name: inmemorychannel-webhook namespace: knative-eventing spec: @@ -340,11 +228,11 @@ metadata: name: imc-dispatcher namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" messaging.knative.dev/channel: in-memory-channel messaging.knative.dev/role: dispatcher app.kubernetes.io/component: imc-dispatcher - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: selector: @@ -365,10 +253,10 @@ metadata: name: imc-dispatcher namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/high-availability: "true" app.kubernetes.io/component: imc-dispatcher - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: selector: 
@@ -381,7 +269,7 @@ spec: messaging.knative.dev/channel: in-memory-channel messaging.knative.dev/role: dispatcher app.kubernetes.io/component: imc-dispatcher - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: affinity: @@ -398,7 +286,7 @@ spec: enableServiceLinks: false containers: - name: dispatcher - image: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:cd4502677aedc0779be980c5e7186cdc8e7557a036048480f8a3431ec1b3b873 + image: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:eef625176c57aab4c3061428b787f844529dfd19b82cf50ccaffc909072d568f readinessProbe: failureThreshold: 3 httpGet: @@ -451,18 +339,20 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: inmemorychannels.messaging.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" knative.dev/crd-install: "true" messaging.knative.dev/subscribable: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: group: messaging.knative.dev @@ -689,9 +579,9 @@ kind: ClusterRole metadata: name: imc-addressable-resolver labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: 
@@ -709,9 +599,9 @@ kind: ClusterRole metadata: name: imc-channelable-manipulator labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" duck.knative.dev/channelable: "true" - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -733,8 +623,8 @@ kind: ClusterRole metadata: name: imc-controller labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -873,8 +763,8 @@ kind: ClusterRole metadata: name: imc-dispatcher labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -927,8 +817,8 @@ metadata: namespace: knative-eventing name: knative-inmemorychannel-webhook labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -948,8 +838,8 @@ kind: MutatingWebhookConfiguration metadata: name: inmemorychannel.eventing.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1"] @@ -967,8 +857,8 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.inmemorychannel.eventing.knative.dev labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1"] 
@@ -987,8 +877,8 @@ metadata: name: inmemorychannel-webhook-certs namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing --- diff --git a/common/knative/knative-eventing/base/upstream/mt-channel-broker.yaml b/common/knative/knative-eventing/base/upstream/mt-channel-broker.yaml index df13879476..0ad685dfdc 100644 --- a/common/knative/knative-eventing/base/upstream/mt-channel-broker.yaml +++ b/common/knative/knative-eventing/base/upstream/mt-channel-broker.yaml @@ -3,8 +3,8 @@ kind: ClusterRole metadata: name: knative-eventing-mt-channel-broker-controller labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -31,8 +31,8 @@ kind: ClusterRole metadata: name: knative-eventing-mt-broker-filter labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -59,8 +59,8 @@ metadata: name: mt-broker-filter namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -68,8 +68,8 @@ kind: ClusterRole metadata: name: knative-eventing-mt-broker-ingress labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing rules: - apiGroups: 
@@ -95,8 +95,8 @@ metadata: name: mt-broker-ingress namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -104,8 +104,8 @@ kind: ClusterRoleBinding metadata: name: eventing-mt-channel-broker-controller labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -121,8 +121,8 @@ kind: ClusterRoleBinding metadata: name: knative-eventing-mt-broker-filter labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -138,8 +138,8 @@ kind: ClusterRoleBinding metadata: name: knative-eventing-mt-broker-ingress labels: - eventing.knative.dev/release: "v1.2.4" - app.kubernetes.io/version: "1.2.4" + eventing.knative.dev/release: "v1.8.1" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -156,9 +156,9 @@ metadata: name: mt-broker-filter namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: selector: 
@@ -168,9 +168,9 @@ spec: metadata: labels: eventing.knative.dev/brokerRole: filter - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: serviceAccountName: mt-broker-filter @@ -178,7 +178,7 @@ spec: containers: - name: filter terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/filter@sha256:f4bda104202557a75fce024329fc1f0e2d4ac43f4362007ed4201290f79c1d82 + image: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/filter@sha256:1155e66059a84b83d21e3360e03dcc28e933566e8a049c8882e75b541862b0cc readinessProbe: failureThreshold: 3 httpGet: @@ -241,16 +241,18 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault --- apiVersion: v1 kind: Service metadata: labels: eventing.knative.dev/brokerRole: filter - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing name: broker-filter namespace: knative-eventing @@ -273,9 +275,9 @@ metadata: name: mt-broker-ingress namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: selector: 
@@ -285,9 +287,9 @@ spec: metadata: labels: eventing.knative.dev/brokerRole: ingress - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: serviceAccountName: mt-broker-ingress @@ -295,7 +297,7 @@ spec: containers: - name: ingress terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/ingress@sha256:1bbbdea02b6fc01f316addefe56fa33f583cd332d7213cbc2e4937234bfc3d1b + image: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/ingress@sha256:5529e577c6262d78530531b26b3e940da5dec071304e9c639d00400f644463f8 readinessProbe: failureThreshold: 3 httpGet: @@ -358,16 +360,18 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault --- apiVersion: v1 kind: Service metadata: labels: eventing.knative.dev/brokerRole: ingress - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing name: broker-ingress namespace: knative-eventing @@ -390,9 +394,9 @@ metadata: name: mt-broker-controller namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: mt-broker-controller - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: selector: @@ -402,9 +406,9 @@ spec: metadata: labels: app: mt-broker-controller - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: broker-controller - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: affinity: 
@@ -421,7 +425,7 @@ spec: containers: - name: mt-broker-controller terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-releases/knative.dev/eventing/cmd/mtchannel_broker@sha256:90e2b9413519d0634508ff848180fb50a341da09e53ac0408848f0663c7c8c3b + image: gcr.io/knative-releases/knative.dev/eventing/cmd/mtchannel_broker@sha256:1f2783738c0ba4e8f72cbbdd4bf5cef8a1dd7bfa57d0297f288c64f853ed58ef resources: requests: cpu: 100m @@ -437,8 +441,6 @@ spec: value: config-observability - name: METRICS_DOMAIN value: knative.dev/eventing - - name: BROKER_INJECTION_DEFAULT - value: "false" - name: POD_NAME valueFrom: fieldRef: @@ -449,22 +451,24 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - ALL + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 - name: profiling containerPort: 8008 --- -apiVersion: autoscaling/v2beta2 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: broker-ingress-hpa namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: scaleTargetRef: @@ -481,15 +485,15 @@ spec: type: Utilization averageUtilization: 70 --- -apiVersion: autoscaling/v2beta2 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: broker-filter-hpa namespace: knative-eventing labels: - eventing.knative.dev/release: "v1.2.4" + eventing.knative.dev/release: "v1.8.1" app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "1.2.4" + app.kubernetes.io/version: "1.8.1" app.kubernetes.io/name: knative-eventing spec: scaleTargetRef: From fb793d20db844efa2f3fda495a6d76b0a4c37774 Mon Sep 17 00:00:00 2001 From: Elena Zioga Date: Thu, 26 Jan 2023 16:33:11 +0200 Subject: [PATCH 16/74] centraldashboard: Rename Models to Endpoints (#2364) Signed-off-by: Elena Zioga 
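Review bot: Removing the `BROKER_INJECTION_DEFAULT` env var from the mt-broker-controller container (the `@@ -437,8 +441,6 @@` hunk) is a behavioural change hidden among label and digest bumps, and nothing on the new side sets a replacement; given its name and the old value `"false"` it looks like it governed default Broker injection into namespaces, so its removal should be confirmed against the upstream v1.8.1 release manifest and mentioned in the commit message rather than left implicit. The `autoscaling/v2beta2` → `autoscaling/v2` move in the two HPA hunks is required for the K8s 1.25 target this series works towards (v2beta2 is removed in 1.26, v2 is served from 1.23), so it is correct as written. The `drop: - ALL` spelling plus `seccompProfile: type: RuntimeDefault` in this hunk and in the matching imc-dispatcher, broker-filter and broker-ingress hunks above is the form the Pod Security Standards restricted profile looks for; a one-line commit note that the eventing pods are now restricted-profile compliant would help keep the next upstream sync from silently regressing it. The mt-broker-controller Deployment spec starts outside the hunk.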
Signed-off-by: Elena Zioga --- apps/centraldashboard/upstream/base/configmap.yaml | 2 +- .../upstream/overlays/kserve/patches/configmap.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/centraldashboard/upstream/base/configmap.yaml b/apps/centraldashboard/upstream/base/configmap.yaml index 3d84364c0c..62f4e3becc 100644 --- a/apps/centraldashboard/upstream/base/configmap.yaml +++ b/apps/centraldashboard/upstream/base/configmap.yaml @@ -28,7 +28,7 @@ data: { "type": "item", "link": "/models/", - "text": "Models", + "text": "Endpoints", "icon": "kubeflow:models" }, { diff --git a/apps/centraldashboard/upstream/overlays/kserve/patches/configmap.yaml b/apps/centraldashboard/upstream/overlays/kserve/patches/configmap.yaml index 58d2002b8b..f4c43c1104 100644 --- a/apps/centraldashboard/upstream/overlays/kserve/patches/configmap.yaml +++ b/apps/centraldashboard/upstream/overlays/kserve/patches/configmap.yaml @@ -28,7 +28,7 @@ data: { "type": "item", "link": "/kserve-endpoints/", - "text": "Models", + "text": "Endpoints", "icon": "kubeflow:models" }, { From 6b14076a133a1da2e6f3335986537827eea56fa7 Mon Sep 17 00:00:00 2001 
From: DomFleischmann Date: Tue, 31 Jan 2023 15:05:31 +0100 Subject: [PATCH 17/74] Update kubeflow/training-operator manifests from v1.6.0-rc.0 (#2368) --- README.md | 2 +- .../upstream/base/cluster-role.yaml | 20 + .../base/crds/kubeflow.org_mpijobs.yaml | 819 +- .../base/crds/kubeflow.org_mxjobs.yaml | 825 +- .../base/crds/kubeflow.org_paddlejobs.yaml | 8061 +++++++++++++++++ .../base/crds/kubeflow.org_pytorchjobs.yaml | 843 +- .../base/crds/kubeflow.org_tfjobs.yaml | 823 +- .../base/crds/kubeflow.org_xgboostjobs.yaml | 819 +- .../upstream/base/crds/kustomization.yaml | 1 + .../upstream/base/deployment.yaml | 7 - .../kubeflow/kubeflow-training-roles.yaml | 4 + .../overlays/kubeflow/kustomization.yaml | 2 +- .../overlays/standalone/kustomization.yaml | 2 +- 13 files changed, 9216 insertions(+), 3012 deletions(-) create mode 100644 apps/training-operator/upstream/base/crds/kubeflow.org_paddlejobs.yaml diff --git a/README.md b/README.md index 654ebdb09a..ce21ac5c75 100644 --- a/README.md +++ b/README.md 
@@ -41,7 +41,7 @@ This repo periodically syncs all official Kubeflow components from their respect | Component | Local Manifests Path | Upstream Revision | | - | - | - | -| Training Operator | apps/training-operator/upstream | [v1.5.0](https://github.com/kubeflow/training-operator/tree/v1.5.0/manifests) | +| Training Operator | apps/training-operator/upstream | [v1.6.0-rc.0](https://github.com/kubeflow/training-operator/tree/v1.6.0-rc.0/manifests) | | Notebook Controller | apps/jupyter/notebook-controller/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/notebook-controller/config) | | Tensorboard Controller | apps/tensorboard/tensorboard-controller/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/tensorboard-controller/config) | | Central Dashboard | apps/centraldashboard/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/centraldashboard/manifests) | diff --git a/apps/training-operator/upstream/base/cluster-role.yaml b/apps/training-operator/upstream/base/cluster-role.yaml index 66e677f7c3..eb6004ebb0 100644 --- a/apps/training-operator/upstream/base/cluster-role.yaml +++ b/apps/training-operator/upstream/base/cluster-role.yaml @@ -14,11 +14,19 @@ rules: - mxjobs - pytorchjobs - xgboostjobs + - paddlejobs - mpijobs/status - tfjobs/status - pytorchjobs/status - mxjobs/status - xgboostjobs/status + - paddlejobs/status + - mpijobs/finalizers + - tfjobs/finalizers + - pytorchjobs/finalizers + - mxjobs/finalizers + - xgboostjobs/finalizers + - paddlejobs/finalizers verbs: - create - delete @@ -77,3 +85,15 @@ rules: - podgroups verbs: - "*" + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - "*" + - apiGroups: + - scheduling.sigs.k8s.io + resources: + - podgroups + verbs: + - "*" 
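Review bot: The two rules appended at the end of cluster-role.yaml grant `verbs: - "*"` on `horizontalpodautoscalers` (apiGroup `autoscaling`) and on `podgroups` (apiGroup `scheduling.sigs.k8s.io`) cluster-wide, which is broader than a controller that creates and reconciles those objects needs; an explicit list such as `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]` would keep the operator's ClusterRole closer to least privilege. The preceding `podgroups` rule already uses the same wildcard, so the new rules are consistent with the file as it stands, and since this is a synced upstream manifest the tightening belongs in kubeflow/training-operator rather than in this repo — an upstream issue reference in the commit message would record that it was considered. The added `*/finalizers` resources in the first hunk are presumably there for clusters running the OwnerReferencesPermissionEnforcement admission plugin, which requires update rights on an owner's finalizers subresource before `blockOwnerDeletion` can be set, so those are needed rather than excess. The ClusterRole's `rules:` list starts outside the hunk.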
diff --git a/apps/training-operator/upstream/base/crds/kubeflow.org_mpijobs.yaml b/apps/training-operator/upstream/base/crds/kubeflow.org_mpijobs.yaml index 50dd294114..b1a84dc7f7 100644 --- a/apps/training-operator/upstream/base/crds/kubeflow.org_mpijobs.yaml +++ b/apps/training-operator/upstream/base/crds/kubeflow.org_mpijobs.yaml @@ -1,10 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.10.0 creationTimestamp: null name: mpijobs.kubeflow.org spec: @@ -115,12 +114,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most - preferred. + affinity expressions, etc. items: description: An empty preferred scheduling term matches all objects with implicit weight @@ -215,6 +209,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -328,10 +323,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules 
@@ -347,12 +344,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest - sum are the most preferred. + affinity expressions, etc. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added @@ -424,6 +416,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term @@ -493,6 +486,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -540,10 +534,7 @@ spec: this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. + evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative @@ -612,6 +603,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -675,6 +667,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that the term 
@@ -715,15 +708,7 @@ spec: may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum - of weights, i.e. for each node that meets - all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating - through the elements of this field and adding - "weight" to the sum if the node has pods which - matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most - preferred. + of weights, i.e. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added @@ -795,6 +780,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term @@ -864,6 +850,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -911,10 +898,7 @@ spec: by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to - eventually evict the pod from its node. When - there are multiple elements, the lists of - nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + eventually evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative @@ -983,6 +967,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -1046,6 +1031,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that the term 
@@ -1097,11 +1083,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -1113,11 +1095,7 @@ spec: environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -1142,10 +1120,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -1171,6 +1146,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, 
@@ -1190,6 +1166,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -1219,6 +1196,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -1241,6 +1219,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -1274,6 +1253,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be @@ -1293,6 +1273,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -1421,21 +1402,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action 
@@ -1684,17 +1658,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -1711,14 +1675,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. 
@@ -1910,17 +1873,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -2040,10 +1993,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -2145,13 +2095,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to 
@@ -2166,16 +2110,11 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to @@ -2320,17 +2259,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -2352,15 +2281,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file @@ -2371,7 +2292,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -2381,9 +2302,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -2530,23 +2449,15 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: - description: "An EphemeralContainer is a temporary + description: An EphemeralContainer is a temporary container that you may add to an existing Pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a Pod is removed or restarted. The kubelet may evict a Pod if an ephemeral container causes - the Pod to exceed its resource allocation. \n To - add an ephemeral container, use the ephemeralcontainers - subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a beta - feature available on clusters that haven't disabled - the EphemeralContainers feature gate." + the Pod to exceed its resource allocation. properties: args: description: 'Arguments to the entrypoint. The @@ -2557,10 +2468,7 @@ spec: string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + produce the string literal "$(VAR_NAME)".' items: type: string type: array 
@@ -2572,11 +2480,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -2601,10 +2505,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -2630,6 +2531,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -2649,6 +2551,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -2678,6 +2581,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -2700,6 +2604,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -2733,6 +2638,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -2752,6 +2658,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -2875,21 +2782,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action @@ -3137,17 +3037,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -3355,17 +3245,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -3485,10 +3365,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -3590,13 +3467,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to 
@@ -3757,17 +3628,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -3789,15 +3650,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean targetContainerName: description: "If set, the name of the container @@ -3806,9 +3659,7 @@ spec: (IPC, PID, etc) of this container. If not set then the ephemeral container uses the namespaces configured in the Pod spec. \n The container - runtime must implement support for this feature. - If the runtime does not support namespace targeting - then the result of setting this field is undefined." + runtime must implement support for this feature." type: string terminationMessagePath: description: 'Optional: Path at which the file 
@@ -3819,7 +3670,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -3829,9 +3680,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -3951,6 +3800,15 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined 
@@ -3975,24 +3833,16 @@ spec: uid?' type: string type: object + x-kubernetes-map-type: atomic type: array initContainers: - description: 'List of initialization containers belonging + description: List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique - among all containers. Init containers may not have - Lifecycle actions, Readiness probes, Liveness probes, - or Startup probes. The resourceRequirements of an - init container are taken into account during scheduling - by finding the highest request/limit for each resource - type, and then using the max of of that value or the - sum of the normal containers. Limits are applied to - init containers in a similar fashion. Init containers - cannot currently be added or removed. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + among all containers. items: description: A single application container that you want to run within a pod. @@ -4005,11 +3855,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -4021,11 +3867,7 @@ spec: environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -4050,10 +3892,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -4079,6 +3918,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -4098,6 +3938,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -4127,6 +3968,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -4149,6 +3991,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -4182,6 +4025,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -4201,6 +4045,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -4329,21 +4174,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action @@ -4592,17 +4430,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -4619,14 +4447,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. @@ -4818,17 +4645,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -4948,10 +4765,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -5053,13 +4867,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to @@ -5074,16 +4882,11 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to 
@@ -5228,17 +5031,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -5260,15 +5053,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file @@ -5279,7 +5064,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message 
@@ -5289,9 +5074,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -5397,20 +5180,8 @@ spec: if this is set. \n If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields - must be unset: - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions - - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - - spec.shareProcessNamespace - spec.securityContext.runAsUser - - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - - spec.containers[*].securityContext.seLinuxOptions - - spec.containers[*].securityContext.seccompProfile - - spec.containers[*].securityContext.capabilities - - spec.containers[*].securityContext.readOnlyRootFilesystem - - spec.containers[*].securityContext.privileged - - spec.containers[*].securityContext.allowPrivilegeEscalation - - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - - spec.containers[*].securityContext.runAsGroup This - is a beta field and requires the IdentifyPodOS feature" + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." properties: name: description: 'Name is the name of the operating 
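Review bot: In the `@@ -5397,20 +5180,8 @@` hunk the regenerated `spec.os` description now stops mid-list at `- spec.hostUsers - spec.securityContext.seLinuxOptions - spec.securityContext.`, so the schema no longer tells a user that seccompProfile, capabilities, privileged, allowPrivilegeEscalation, readOnlyRootFilesystem, procMount and the runAsUser/runAsGroup fields must be unset for Windows pods — exactly the hardening-relevant part of the old text. The same cut shows up in neighbouring hunks (`https://git.k8s.'` for runtimeClassName, `http://kubernetes.'` for emptyDir sizeLimit, and several `i.e.'` endings), which suggests the CRD was regenerated with a description length cap that truncates at the first period rather than at a sentence boundary (presumably a `maxDescLen`-style generator setting; the generator invocation is outside this chunk). I would either raise that cap or disable truncation for this CRD so the security-context guidance survives, or at minimum confirm this is the intended upstream output before merging rather than a side effect of the regeneration.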
@@ -5431,18 +5202,14 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead + description: Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have - the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set - to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md' + the overhead already set. type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting @@ -5498,7 +5265,7 @@ spec: or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: - https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' + https://git.k8s.' type: string schedulerName: description: If specified, the pod will be dispatched @@ -5518,11 +5285,7 @@ spec: of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be - owned by FSGroup) 3. The permission bits are OR'd - with rw-rw---- \n If unset, the Kubelet will not - modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name - is windows." + owned by FSGroup) 3." format: int64 type: integer fsGroupChangePolicy: 
@@ -5533,9 +5296,7 @@ spec: based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name - is windows.' + and "Always". If not specified, "Always" is used.' type: string runAsGroup: description: The GID to run the entrypoint of the @@ -5554,9 +5315,7 @@ spec: does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. + set in SecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint of the @@ -5679,12 +5438,7 @@ spec: honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. + the Pod. type: boolean runAsUserName: description: The UserName in Windows to run @@ -5712,11 +5466,7 @@ spec: as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the - nodename field of struct utsname). In Windows containers, - this means setting the registry value of hostname - for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no - effect. Default to false. + nodename field of struct utsname). type: boolean shareProcessNamespace: description: 'Share a single process namespace between 
@@ -5739,13 +5489,7 @@ spec: request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, - the default grace period will be used instead. The - grace period is the duration in seconds after the - processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer than - the expected cleanup time for your process. Defaults - to 30 seconds. + the default grace period will be used instead. format: int64 type: integer tolerations: 
@@ -5855,61 +5599,66 @@ spec: "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to - which pods may be unevenly distributed. When - `whenUnsatisfiable=DoNotSchedule`, it is the - maximum permitted difference between the number - of matching pods in the target topology and - the global minimum. The global minimum is the - minimum number of matching pods in an eligible + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible domain or zero if the number of eligible domains - is less than MinDomains. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with - the same labelSelector spread as 2/2/1: In this - case, the global minimum is 1. | zone1 | zone2 - | zone3 | | P P | P P | P | - if MaxSkew - is 1, incoming pod can only be scheduled to - zone3 to become 2/2/2; scheduling it onto zone1(zone2) - would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - if MaxSkew is 2, incoming - pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. 
Default - value is 1 and 0 is not allowed.' + is less than MinDomains. format: int32 type: integer minDomains: - description: "MinDomains indicates a minimum number + description: MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats - \"global minimum\" as 0, and then the calculation + "global minimum" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value - has no effect on scheduling. As a result, when - the number of eligible domains is less than - minDomains, scheduler won't schedule more than - maxSkew Pods to those domains. If value is nil, - the constraint behaves as if MinDomains is equal - to 1. Valid values are integers greater than - 0. When value is not nil, WhenUnsatisfiable - must be DoNotSchedule. \n For example, in a - 3-zone cluster, MaxSkew is set to 2, MinDomains - is set to 5 and pods with the same labelSelector - spread as 2/2/2: | zone1 | zone2 | zone3 | | - \ P P | P P | P P | The number of domains - is less than 5(MinDomains), so \"global minimum\" - is treated as 0. In this situation, new pod - with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new - Pod is scheduled to any of the three zones, - it will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + has no effect on scheduling. format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. 
\n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical 
@@ -5917,35 +5666,16 @@ spec: We consider each as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular - instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", - each Node is a domain of that topology. And, - if TopologyKey is "topology.kubernetes.io/zone", - each zone is a domain of that topology. It's - a required field. + instance of a topology. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how - to deal with a pod if it doesn''t satisfy the - spread constraint. - DoNotSchedule (default) - tells the scheduler not to schedule it. - ScheduleAnyway + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any - location, but giving higher precedence to - topologies that would help reduce the skew. - A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible - node assignment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: | zone1 | zone2 - | zone3 | | P P P | P | P | If WhenUnsatisfiable - is set to DoNotSchedule, incoming pod can only - be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can - still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' + location, but giving higher precedence to topologies + that would help reduce the skew. type: string required: - maxSkew 
@@ -6107,6 +5837,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: description: 'user is optional: User is the rados user name, default is admin More info: @@ -6145,6 +5876,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeID: description: 'volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' @@ -6165,10 +5897,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -6178,12 +5907,7 @@ spec: as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. @@ -6200,10 +5924,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + will be used.' format: int32 type: integer path: @@ -6229,6 +5950,7 @@ spec: ConfigMap or its keys must be defined type: boolean type: object + x-kubernetes-map-type: atomic csi: description: csi (Container Storage Interface) represents ephemeral storage that is handled 
@@ -6264,6 +5986,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic readOnly: description: readOnly specifies a read-only configuration for the volume. Defaults to @@ -6294,10 +6017,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -6325,6 +6045,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions on this file, must @@ -6333,11 +6054,7 @@ spec: and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + the volume defaultMode will be used.' format: int32 type: integer path: @@ -6376,6 +6093,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object 
@@ -6406,37 +6124,19 @@ spec: and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: - http://kubernetes.io/docs/user-guide/volumes#emptydir' + http://kubernetes.' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "ephemeral represents a volume that + description: ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. \n Use - this if: a) the volume is only needed while - the pod runs, b) features of normal volumes - like restoring from snapshot or capacity tracking - are needed, c) the storage driver is specified - through a storage class, and d) the storage - driver supports dynamic volume provisioning - through a PersistentVolumeClaim (see EphemeralVolumeSource - for more information on the connection between - this volume type and PersistentVolumeClaim). - \n Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than - the lifecycle of an individual pod. \n Use CSI - for light-weight local ephemeral volumes if - the CSI driver is meant to be used that way - - see the documentation of the driver for more - information. \n A pod can use both types of - ephemeral volumes and persistent volumes at - the same time." + and deleted when the pod is removed. properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone + description: Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC 
@@ -6444,23 +6144,6 @@ spec: name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the - concatenated name is not valid for a PVC - (for example, too long). \n An existing - PVC with that name that is not owned by - the pod will *not* be used for the pod to - avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the - unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the - PVC has to updated with an owner reference - to the pod once the pod exists. Normally - this should not be necessary, but it may - be useful when manually reconstructing a - broken cluster. \n This field is read-only - and no changes will be made by Kubernetes - to the PVC after it has been created. \n - Required, must not be nil." properties: metadata: description: May contain labels and annotations @@ -6509,11 +6192,7 @@ spec: controller can support the specified data source, it will create a new volume based on the contents of - the specified data source. If the - AnyVolumeDataSource feature gate - is enabled, this field will always - have the same contents as the DataSourceRef - field.' + the specified data source.' properties: apiGroup: description: APIGroup is the group @@ -6536,8 +6215,9 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic dataSourceRef: - description: 'dataSourceRef specifies + description: dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any 
@@ -6547,29 +6227,7 @@ spec: volume binding will only succeed if the type of the specified object matches some installed volume populator - or dynamic provisioner. This field - will replace the functionality of - the DataSource field and as such - if both fields are non-empty, they - must have the same value. For backwards - compatibility, both fields (DataSource - and DataSourceRef) will be set to - the same value automatically if - one of them is empty and the other - is non-empty. There are two important - differences between DataSource and - DataSourceRef: * While DataSource - only allows two specific types of - objects, DataSourceRef allows - any non-core object, as well as - PersistentVolumeClaim objects. * - While DataSource ignores disallowed - values (dropping them), DataSourceRef preserves - all values, and generates an error - if a disallowed value is specified. - (Beta) Using this field requires - the AnyVolumeDataSource feature - gate to be enabled.' + or dynamic provisioner. properties: apiGroup: description: APIGroup is the group @@ -6592,6 +6250,7 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic resources: description: 'resources represents the minimum resources the volume @@ -6693,6 +6352,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic storageClassName: description: 'storageClassName is the name of the StorageClass required @@ -6796,6 +6456,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic required: - driver type: object 
@@ -6911,10 +6572,7 @@ spec: directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most - containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can - use host directory mounts and who can/can not - mount host directories as read/write.' + containers will NOT need this. More info: https://kubernetes.' properties: path: description: 'path of the directory on the @@ -6998,6 +6656,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic targetPortal: description: targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port @@ -7108,10 +6767,7 @@ spec: 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are - not affected by this setting. This might - be in conflict with other options that affect - the file mode, like fsGroup, and the result - can be other mode bits set. + not affected by this setting. format: int32 type: integer sources: @@ -7135,12 +6791,6 @@ spec: the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the ConfigMap, - the volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -7160,12 +6810,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: 
@@ -7194,6 +6839,7 @@ spec: be defined type: boolean type: object + x-kubernetes-map-type: atomic downwardAPI: description: downwardAPI information about the downwardAPI data to project @@ -7227,6 +6873,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions @@ -7238,12 +6885,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: @@ -7287,6 +6929,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object @@ -7306,12 +6949,6 @@ spec: the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the Secret, the - volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -7331,12 +6968,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: @@ -7365,6 +6997,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic serviceAccountToken: description: serviceAccountToken is information about the serviceAccountToken @@ -7497,6 +7130,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: description: 'user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' 
@@ -7542,6 +7176,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic sslEnabled: description: sslEnabled Flag enable/disable SSL communication with Gateway, default @@ -7583,10 +7218,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -7596,12 +7228,7 @@ spec: as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. @@ -7618,10 +7245,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + will be used.' format: int32 type: integer path: @@ -7674,6 +7298,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeName: description: volumeName is the human-readable name of the StorageOS volume. Volume names @@ -7688,8 +7313,7 @@ spec: StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces - within StorageOS. Namespaces that do not - pre-exist within StorageOS will be created. + within StorageOS. type: string type: object vsphereVolume: 
@@ -7773,6 +7397,9 @@ spec: type: string queue: type: string + scheduleTimeoutSeconds: + format: int32 + type: integer type: object ttlSecondsAfterFinished: description: TTLSecondsAfterFinished is the TTL to clean up jobs. @@ -7852,10 +7479,7 @@ spec: format: int32 type: integer labelSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: 'Deprecated: Use Selector instead' properties: matchExpressions: description: matchExpressions is a list of label selector @@ -7898,6 +7522,13 @@ spec: only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string succeeded: description: The number of pods which reached phase Succeeded. format: int32 @@ -7922,9 +7553,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/apps/training-operator/upstream/base/crds/kubeflow.org_mxjobs.yaml b/apps/training-operator/upstream/base/crds/kubeflow.org_mxjobs.yaml index 60e34c10ac..0b70d7316b 100644 --- a/apps/training-operator/upstream/base/crds/kubeflow.org_mxjobs.yaml +++ b/apps/training-operator/upstream/base/crds/kubeflow.org_mxjobs.yaml @@ -1,10 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.10.0 creationTimestamp: null name: mxjobs.kubeflow.org spec: 
@@ -113,12 +112,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most - preferred. + affinity expressions, etc. items: description: An empty preferred scheduling term matches all objects with implicit weight @@ -213,6 +207,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -326,10 +321,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules @@ -345,12 +342,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest - sum are the most preferred. + affinity expressions, etc. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added @@ -422,6 +414,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term @@ -491,6 +484,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names 
@@ -538,10 +532,7 @@ spec: this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. + evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative @@ -610,6 +601,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -673,6 +665,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that the term @@ -713,15 +706,7 @@ spec: may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum - of weights, i.e. for each node that meets - all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating - through the elements of this field and adding - "weight" to the sum if the node has pods which - matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most - preferred. + of weights, i.e. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added @@ -793,6 +778,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term @@ -862,6 +848,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names 
@@ -909,10 +896,7 @@ spec: by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to - eventually evict the pod from its node. When - there are multiple elements, the lists of - nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + eventually evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative @@ -981,6 +965,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -1044,6 +1029,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that the term @@ -1095,11 +1081,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -1111,11 +1093,7 @@ spec: environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -1140,10 +1118,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -1169,6 +1144,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -1188,6 +1164,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -1217,6 +1194,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -1239,6 +1217,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -1272,6 +1251,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -1291,6 +1271,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -1419,21 +1400,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action @@ -1682,17 +1656,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -1709,14 +1673,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. @@ -1908,17 +1871,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -2038,10 +1991,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -2143,13 +2093,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to @@ -2164,16 +2108,11 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to 
@@ -2318,17 +2257,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -2350,15 +2279,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file @@ -2369,7 +2290,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message 
@@ -2379,9 +2300,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -2528,23 +2447,15 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: - description: "An EphemeralContainer is a temporary + description: An EphemeralContainer is a temporary container that you may add to an existing Pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a Pod is removed or restarted. The kubelet may evict a Pod if an ephemeral container causes - the Pod to exceed its resource allocation. \n To - add an ephemeral container, use the ephemeralcontainers - subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a beta - feature available on clusters that haven't disabled - the EphemeralContainers feature gate." + the Pod to exceed its resource allocation. properties: args: description: 'Arguments to the entrypoint. The 
@@ -2555,10 +2466,7 @@ spec: string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + produce the string literal "$(VAR_NAME)".' items: type: string type: array @@ -2570,11 +2478,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -2599,10 +2503,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -2628,6 +2529,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -2647,6 +2549,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits 
@@ -2676,6 +2579,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -2698,6 +2602,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -2731,6 +2636,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be @@ -2750,6 +2656,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -2873,21 +2780,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action 
@@ -3135,17 +3035,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -3353,17 +3243,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -3483,10 +3363,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint 
@@ -3588,13 +3465,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to @@ -3755,17 +3626,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -3787,15 +3648,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean targetContainerName: description: "If set, the name of the container 
@@ -3804,9 +3657,7 @@ spec: (IPC, PID, etc) of this container. If not set then the ephemeral container uses the namespaces configured in the Pod spec. \n The container - runtime must implement support for this feature. - If the runtime does not support namespace targeting - then the result of setting this field is undefined." + runtime must implement support for this feature." type: string terminationMessagePath: description: 'Optional: Path at which the file @@ -3817,7 +3668,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -3827,9 +3678,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -3949,6 +3798,15 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined 
@@ -3973,24 +3831,16 @@ spec: uid?' type: string type: object + x-kubernetes-map-type: atomic type: array initContainers: - description: 'List of initialization containers belonging + description: List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique - among all containers. Init containers may not have - Lifecycle actions, Readiness probes, Liveness probes, - or Startup probes. The resourceRequirements of an - init container are taken into account during scheduling - by finding the highest request/limit for each resource - type, and then using the max of of that value or the - sum of the normal containers. Limits are applied to - init containers in a similar fashion. Init containers - cannot currently be added or removed. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + among all containers. items: description: A single application container that you want to run within a pod. @@ -4003,11 +3853,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -4019,11 +3865,7 @@ spec: environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -4048,10 +3890,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -4077,6 +3916,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -4096,6 +3936,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -4125,6 +3966,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -4147,6 +3989,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -4180,6 +4023,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -4199,6 +4043,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -4327,21 +4172,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action @@ -4590,17 +4428,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -4617,14 +4445,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. @@ -4816,17 +4643,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -4946,10 +4763,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -5051,13 +4865,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to @@ -5072,16 +4880,11 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to 
@@ -5226,17 +5029,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -5258,15 +5051,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file @@ -5277,7 +5062,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message 
@@ -5287,9 +5072,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -5395,20 +5178,8 @@ spec: if this is set. \n If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields - must be unset: - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions - - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - - spec.shareProcessNamespace - spec.securityContext.runAsUser - - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - - spec.containers[*].securityContext.seLinuxOptions - - spec.containers[*].securityContext.seccompProfile - - spec.containers[*].securityContext.capabilities - - spec.containers[*].securityContext.readOnlyRootFilesystem - - spec.containers[*].securityContext.privileged - - spec.containers[*].securityContext.allowPrivilegeEscalation - - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - - spec.containers[*].securityContext.runAsGroup This - is a beta field and requires the IdentifyPodOS feature" + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." properties: name: description: 'Name is the name of the operating 
@@ -5429,18 +5200,14 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead + description: Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have - the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set - to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md' + the overhead already set. type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting @@ -5496,7 +5263,7 @@ spec: or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: - https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' + https://git.k8s.' type: string schedulerName: description: If specified, the pod will be dispatched @@ -5516,11 +5283,7 @@ spec: of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be - owned by FSGroup) 3. The permission bits are OR'd - with rw-rw---- \n If unset, the Kubelet will not - modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name - is windows." + owned by FSGroup) 3." format: int64 type: integer fsGroupChangePolicy: 
@@ -5531,9 +5294,7 @@ spec: based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name - is windows.' + and "Always". If not specified, "Always" is used.' type: string runAsGroup: description: The GID to run the entrypoint of the @@ -5552,9 +5313,7 @@ spec: does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. + set in SecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint of the @@ -5677,12 +5436,7 @@ spec: honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. + the Pod. type: boolean runAsUserName: description: The UserName in Windows to run @@ -5710,11 +5464,7 @@ spec: as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the - nodename field of struct utsname). In Windows containers, - this means setting the registry value of hostname - for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no - effect. Default to false. + nodename field of struct utsname). type: boolean shareProcessNamespace: description: 'Share a single process namespace between 
@@ -5737,13 +5487,7 @@ spec: request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, - the default grace period will be used instead. The - grace period is the duration in seconds after the - processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer than - the expected cleanup time for your process. Defaults - to 30 seconds. + the default grace period will be used instead. format: int64 type: integer tolerations: 
@@ -5853,61 +5597,66 @@ spec: "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to - which pods may be unevenly distributed. When - `whenUnsatisfiable=DoNotSchedule`, it is the - maximum permitted difference between the number - of matching pods in the target topology and - the global minimum. The global minimum is the - minimum number of matching pods in an eligible + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible domain or zero if the number of eligible domains - is less than MinDomains. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with - the same labelSelector spread as 2/2/1: In this - case, the global minimum is 1. | zone1 | zone2 - | zone3 | | P P | P P | P | - if MaxSkew - is 1, incoming pod can only be scheduled to - zone3 to become 2/2/2; scheduling it onto zone1(zone2) - would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - if MaxSkew is 2, incoming - pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. 
Default - value is 1 and 0 is not allowed.' + is less than MinDomains. format: int32 type: integer minDomains: - description: "MinDomains indicates a minimum number + description: MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats - \"global minimum\" as 0, and then the calculation + "global minimum" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value - has no effect on scheduling. As a result, when - the number of eligible domains is less than - minDomains, scheduler won't schedule more than - maxSkew Pods to those domains. If value is nil, - the constraint behaves as if MinDomains is equal - to 1. Valid values are integers greater than - 0. When value is not nil, WhenUnsatisfiable - must be DoNotSchedule. \n For example, in a - 3-zone cluster, MaxSkew is set to 2, MinDomains - is set to 5 and pods with the same labelSelector - spread as 2/2/2: | zone1 | zone2 | zone3 | | - \ P P | P P | P P | The number of domains - is less than 5(MinDomains), so \"global minimum\" - is treated as 0. In this situation, new pod - with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new - Pod is scheduled to any of the three zones, - it will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + has no effect on scheduling. format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. 
\n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical 
@@ -5915,35 +5664,16 @@ spec: We consider each as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular - instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", - each Node is a domain of that topology. And, - if TopologyKey is "topology.kubernetes.io/zone", - each zone is a domain of that topology. It's - a required field. + instance of a topology. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how - to deal with a pod if it doesn''t satisfy the - spread constraint. - DoNotSchedule (default) - tells the scheduler not to schedule it. - ScheduleAnyway + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any - location, but giving higher precedence to - topologies that would help reduce the skew. - A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible - node assignment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: | zone1 | zone2 - | zone3 | | P P P | P | P | If WhenUnsatisfiable - is set to DoNotSchedule, incoming pod can only - be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can - still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' + location, but giving higher precedence to topologies + that would help reduce the skew. type: string required: - maxSkew 
@@ -6105,6 +5835,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: description: 'user is optional: User is the rados user name, default is admin More info: @@ -6143,6 +5874,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeID: description: 'volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' @@ -6163,10 +5895,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -6176,12 +5905,7 @@ spec: as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. @@ -6198,10 +5922,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + will be used.' format: int32 type: integer path: @@ -6227,6 +5948,7 @@ spec: ConfigMap or its keys must be defined type: boolean type: object + x-kubernetes-map-type: atomic csi: description: csi (Container Storage Interface) represents ephemeral storage that is handled 
@@ -6262,6 +5984,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic readOnly: description: readOnly specifies a read-only configuration for the volume. Defaults to @@ -6292,10 +6015,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -6323,6 +6043,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions on this file, must @@ -6331,11 +6052,7 @@ spec: and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + the volume defaultMode will be used.' format: int32 type: integer path: @@ -6374,6 +6091,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object 
@@ -6404,37 +6122,19 @@ spec: and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: - http://kubernetes.io/docs/user-guide/volumes#emptydir' + http://kubernetes.' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "ephemeral represents a volume that + description: ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. \n Use - this if: a) the volume is only needed while - the pod runs, b) features of normal volumes - like restoring from snapshot or capacity tracking - are needed, c) the storage driver is specified - through a storage class, and d) the storage - driver supports dynamic volume provisioning - through a PersistentVolumeClaim (see EphemeralVolumeSource - for more information on the connection between - this volume type and PersistentVolumeClaim). - \n Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than - the lifecycle of an individual pod. \n Use CSI - for light-weight local ephemeral volumes if - the CSI driver is meant to be used that way - - see the documentation of the driver for more - information. \n A pod can use both types of - ephemeral volumes and persistent volumes at - the same time." + and deleted when the pod is removed. properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone + description: Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC 
@@ -6442,23 +6142,6 @@ spec: name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the - concatenated name is not valid for a PVC - (for example, too long). \n An existing - PVC with that name that is not owned by - the pod will *not* be used for the pod to - avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the - unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the - PVC has to updated with an owner reference - to the pod once the pod exists. Normally - this should not be necessary, but it may - be useful when manually reconstructing a - broken cluster. \n This field is read-only - and no changes will be made by Kubernetes - to the PVC after it has been created. \n - Required, must not be nil." properties: metadata: description: May contain labels and annotations @@ -6507,11 +6190,7 @@ spec: controller can support the specified data source, it will create a new volume based on the contents of - the specified data source. If the - AnyVolumeDataSource feature gate - is enabled, this field will always - have the same contents as the DataSourceRef - field.' + the specified data source.' properties: apiGroup: description: APIGroup is the group @@ -6534,8 +6213,9 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic dataSourceRef: - description: 'dataSourceRef specifies + description: dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any 
@@ -6545,29 +6225,7 @@ spec: volume binding will only succeed if the type of the specified object matches some installed volume populator - or dynamic provisioner. This field - will replace the functionality of - the DataSource field and as such - if both fields are non-empty, they - must have the same value. For backwards - compatibility, both fields (DataSource - and DataSourceRef) will be set to - the same value automatically if - one of them is empty and the other - is non-empty. There are two important - differences between DataSource and - DataSourceRef: * While DataSource - only allows two specific types of - objects, DataSourceRef allows - any non-core object, as well as - PersistentVolumeClaim objects. * - While DataSource ignores disallowed - values (dropping them), DataSourceRef preserves - all values, and generates an error - if a disallowed value is specified. - (Beta) Using this field requires - the AnyVolumeDataSource feature - gate to be enabled.' + or dynamic provisioner. properties: apiGroup: description: APIGroup is the group @@ -6590,6 +6248,7 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic resources: description: 'resources represents the minimum resources the volume @@ -6691,6 +6350,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic storageClassName: description: 'storageClassName is the name of the StorageClass required @@ -6794,6 +6454,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic required: - driver type: object 
@@ -6909,10 +6570,7 @@ spec: directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most - containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can - use host directory mounts and who can/can not - mount host directories as read/write.' + containers will NOT need this. More info: https://kubernetes.' properties: path: description: 'path of the directory on the @@ -6996,6 +6654,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic targetPortal: description: targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port @@ -7106,10 +6765,7 @@ spec: 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are - not affected by this setting. This might - be in conflict with other options that affect - the file mode, like fsGroup, and the result - can be other mode bits set. + not affected by this setting. format: int32 type: integer sources: @@ -7133,12 +6789,6 @@ spec: the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the ConfigMap, - the volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -7158,12 +6808,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: 
@@ -7192,6 +6837,7 @@ spec: be defined type: boolean type: object + x-kubernetes-map-type: atomic downwardAPI: description: downwardAPI information about the downwardAPI data to project @@ -7225,6 +6871,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions @@ -7236,12 +6883,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: @@ -7285,6 +6927,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object @@ -7304,12 +6947,6 @@ spec: the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the Secret, the - volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -7329,12 +6966,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: @@ -7363,6 +6995,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic serviceAccountToken: description: serviceAccountToken is information about the serviceAccountToken @@ -7495,6 +7128,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: description: 'user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' 
@@ -7540,6 +7174,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic sslEnabled: description: sslEnabled Flag enable/disable SSL communication with Gateway, default @@ -7581,10 +7216,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -7594,12 +7226,7 @@ spec: as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. @@ -7616,10 +7243,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + will be used.' format: int32 type: integer path: @@ -7672,6 +7296,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeName: description: volumeName is the human-readable name of the StorageOS volume. Volume names @@ -7686,8 +7311,7 @@ spec: StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces - within StorageOS. Namespaces that do not - pre-exist within StorageOS will be created. + within StorageOS. type: string type: object vsphereVolume: 
@@ -7728,9 +7352,9 @@ spec: type: object type: object description: 'MXReplicaSpecs is map of commonv1.ReplicaType and commonv1.ReplicaSpec - specifies the MX replicas to run. For example, { "Scheduler": - commonv1.ReplicaSpec, "Server": commonv1.ReplicaSpec, "Worker": - commonv1.ReplicaSpec, }' + specifies the MX replicas to run. For example, { "Scheduler": commonv1.ReplicaSpec, + "Server": commonv1.ReplicaSpec, "Worker": commonv1.ReplicaSpec, + }' type: object runPolicy: description: RunPolicy encapsulates various runtime policies of the @@ -7773,6 +7397,9 @@ spec: type: string queue: type: string + scheduleTimeoutSeconds: + format: int32 + type: integer type: object ttlSecondsAfterFinished: description: TTLSecondsAfterFinished is the TTL to clean up jobs. @@ -7848,10 +7475,7 @@ spec: format: int32 type: integer labelSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: 'Deprecated: Use Selector instead' properties: matchExpressions: description: matchExpressions is a list of label selector @@ -7894,6 +7518,13 @@ spec: only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string succeeded: description: The number of pods which reached phase Succeeded. format: int32 @@ -7918,9 +7549,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] 
diff --git a/apps/training-operator/upstream/base/crds/kubeflow.org_paddlejobs.yaml b/apps/training-operator/upstream/base/crds/kubeflow.org_paddlejobs.yaml new file mode 100644 index 0000000000..4446769ddb --- /dev/null +++ b/apps/training-operator/upstream/base/crds/kubeflow.org_paddlejobs.yaml 
@@ -0,0 +1,8061 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: paddlejobs.kubeflow.org +spec: + group: kubeflow.org + names: + kind: PaddleJob + listKind: PaddleJobList + plural: paddlejobs + singular: paddlejob + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[-1:].type + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: PaddleJob Represents a PaddleJob resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired state of the PaddleJob. + properties: + elasticPolicy: + description: ElasticPolicy holds the elastic policy for paddle job. + properties: + maxReplicas: + description: upper limit for the number of pods that can be set + by the autoscaler; cannot be smaller than MinReplicas, defaults + to null. + format: int32 + type: integer + maxRestarts: + description: MaxRestarts is the limit for restart times of pods + in elastic mode. 
+ format: int32 + type: integer + metrics: + description: Metrics contains the specifications which are used + to calculate the desired replica count (the maximum replica + count across all metrics will be used). The desired replica + count is calculated with multiplying the ratio between the target + value and the current value by the current number of pods. Ergo, + metrics used must decrease as the pod count is increased, and + vice-versa. + items: + description: MetricSpec specifies how to scale based on a single + metric (only `type` and one other matching field should be + set at once). + properties: + containerResource: + description: containerResource refers to a resource metric + (such as those specified in requests and limits) known + to Kubernetes describing a single container in each pod + of the current scale target (e.g. CPU or memory). Such + metrics are built in to Kubernetes, and have special scaling + options on top of those available to normal per-pod metrics + using the "pods" source. + properties: + container: + description: container is the name of the container + in the pods of the scaling target + type: string + name: + description: name is the name of the resource in question. + type: string + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. 
+ Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + description: external refers to a global metric that is + not associated with any Kubernetes object. It allows autoscaling + based on information coming from components running outside + of cluster (for example length of queue in cloud messaging + service, or QPS from loadbalancer running outside of cluster). + properties: + metric: + description: metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: selector is the string-encoded form + of a standard kubernetes label selector for the + given metric When set, it is passed as an additional + parameter to the metrics server for more specific + metrics scoping. When unset, just the metricName + will be used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. 
+ Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + description: object refers to a metric describing a single + kubernetes object (for example, hits-per-second on an + Ingress object). 
+ properties: + describedObject: + description: describedObject specifies the descriptions + of a object,such as kind,name apiVersion + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"' + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + required: + - kind + - name + type: object + metric: + description: metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: selector is the string-encoded form + of a standard kubernetes label selector for the + given metric When set, it is passed as an additional + parameter to the metrics server for more specific + metrics scoping. When unset, just the metricName + will be used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. + Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + description: pods refers to a metric describing each pod + in the current scale target (for example, transactions-processed-per-second). 
The + values will be averaged together before being compared + to the target value. + properties: + metric: + description: metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: selector is the string-encoded form + of a standard kubernetes label selector for the + given metric When set, it is passed as an additional + parameter to the metrics server for more specific + metrics scoping. When unset, just the metricName + will be used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. + Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + description: resource refers to a resource metric (such + as those specified in requests and limits) known to Kubernetes + describing each pod in the current scale target (e.g. + CPU or memory). Such metrics are built in to Kubernetes, + and have special scaling options on top of those available + to normal per-pod metrics using the "pods" source. + properties: + name: + description: name is the name of the resource in question. 
+ type: string + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. + Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + description: 'type is the type of metric source. It should + be one of "ContainerResource", "External", "Object", "Pods" + or "Resource", each mapping to a matching field in the + object. Note: "ContainerResource" type is available on + when the feature-gate HPAContainerMetrics is enabled' + type: string + required: + - type + type: object + type: array + minReplicas: + description: minReplicas is the lower limit for the number of + replicas to which the training job can scale down. It defaults + to null. 
+ format: int32 + type: integer + type: object + paddleReplicaSpecs: + additionalProperties: + description: ReplicaSpec is a description of the replica + properties: + replicas: + description: Replicas is the desired number of replicas of the + given template. If unspecified, defaults to 1. + format: int32 + type: integer + restartPolicy: + description: Restart policy for all replicas within the job. + One of Always, OnFailure, Never and ExitCode. Default to Never. + type: string + template: + description: Template is the object that describes the pod that + will be created for this replica. RestartPolicy in PodTemplateSpec + will be overide by RestartPolicy in ReplicaSpec + properties: + metadata: + description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: 'Specification of the desired behavior of the + pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + activeDeadlineSeconds: + description: Optional duration in seconds the pod may + be active on the node relative to StartTime before + the system will actively try to mark it failed and + kill associated containers. Value must be a positive + integer. + format: int64 + type: integer + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose + a node that violates one or more of the expressions. + The node that is most preferred is the one + with the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc. + items: + description: An empty preferred scheduling + term matches all objects with implicit weight + 0 (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. 
+ items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. + If the affinity requirements specified by + this field cease to be met at some point during + pod execution (e.g. due to an update), the + system may or may not try to eventually evict + the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector + term matches no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. 
+ items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose + a node that violates one or more of the expressions. + The node that is most preferred is the one + with the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. 
If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. + If the affinity requirements specified by + this field cease to be met at some point during + pod execution (e.g. due to a pod label update), + the system may or may not try to eventually + evict the pod from its node. 
+ items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is + defined as running on a node whose value + of the label with key matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. 
The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity + expressions specified by this field, but it + may choose a node that violates one or more + of the expressions. The node that is most + preferred is the one with the greatest sum + of weights, i.e. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. 
+ type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. 
This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto the + node. If the anti-affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. 
due to a pod label + update), the system may or may not try to + eventually evict the pod from its node. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is + defined as running on a node whose value + of the label with key matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates + whether a service account token should be automatically + mounted. + type: boolean + containers: + description: List of containers belonging to the pod. + Containers cannot currently be added or removed. There + must be at least one container in a Pod. Cannot be + updated. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' 
+ items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. 
Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. 
If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. 
TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated + DNS configuration based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. + This will be appended to the base nameservers + generated from DNSPolicy. Duplicated nameservers + will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This + will be merged with the base options generated + from DNSPolicy. Duplicated entries will be removed. + Resolution options given in Options will override + those that appear in the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. 
+ type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search + paths generated from DNSPolicy. Duplicated search + paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to + "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', + 'ClusterFirst', 'Default' or 'None'. DNS parameters + given in DNSConfig will be merged with the policy + selected with DNSPolicy. To have DNS options set along + with hostNetwork, you have to specify DNS policy explicitly + to 'ClusterFirstWithHostNet'. + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this + pod. Ephemeral containers may be run in an existing + pod to perform user-initiated actions such as debugging. + This list cannot be specified when creating a pod, + and it cannot be modified by updating the pod spec. + In order to add an ephemeral container to an existing + pod, use the pod's ephemeralcontainers subresource. + items: + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. + properties: + args: + description: 'Arguments to the entrypoint. The + image''s CMD is used if this is not provided. 
+ Variable references $(VAR_NAME) are expanded + using the container''s environment. If a variable + cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: + https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. 
+ properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. 
+ type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. This name must be unique among + all containers, init containers and ephemeral + containers. + type: string + ports: + description: Ports are not allowed for ephemeral + containers. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". 
+ type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: Resources are not allowed for ephemeral + containers. Ephemeral containers use spare resources + already allocated to the pod. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. 
If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + targetContainerName: + description: "If set, the name of the container + from PodSpec that this ephemeral container targets. + The ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." 
+ type: string + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. 
+ type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts + and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork + pods. + items: + description: HostAlias holds the mapping between IP + and hostnames that will be injected as an entry + in the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: + Default to false.' 
+ type: boolean + hostNetwork: + description: Host networking requested for this pod. + Use the host's network namespace. If this option is + set, the ports that will be used must be specified. + Default to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: + Default to false.' + type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not + specified, the pod's hostname will be set to a system-defined + value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of + references to secrets in the same namespace to use + for pulling any of the images used by this PodSpec. + If specified, these secrets will be passed to individual + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough + information to let you locate the referenced object + inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: List of initialization containers belonging + to the pod. Init containers are executed in order + prior to containers being started. If any init container + fails, the pod is considered to have failed and is + handled according to its restartPolicy. 
The name for + an init container or normal container must be unique + among all containers. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. 
+ properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. 
+ There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this + pod onto a specific node. If it is non-empty, the + scheduler simply schedules this pod onto that node, + assuming that it fits resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector which + must match a node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. 
\n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Overhead represents the resource overhead + associated with running a pod for a given RuntimeClass. + This field will be autopopulated at admission time + by the RuntimeClass admission controller. If the RuntimeClass + admission controller is enabled, overhead must not + be set in Pod create requests. The RuntimeClass admission + controller will reject Pod create requests which have + the overhead already set. + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. Various system components + use this field to find the priority of the pod. When + Priority Admission Controller is enabled, it prevents + users from setting this field. The admission controller + populates this field from PriorityClassName. The higher + the value, the higher the priority. 
+ format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. + "system-node-critical" and "system-cluster-critical" + are two special keywords which indicate the highest + priorities with the former being the highest priority. + Any other name must be defined by creating a PriorityClass + object with that name. If not specified, the pod priority + will be default or zero if there is no default. + type: string + readinessGates: + description: 'If specified, all readiness gates will + be evaluated for pod readiness. A pod is ready when + all its containers are ready AND all conditions specified + in the readiness gates have status equal to "True" + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference + to a pod condition + properties: + conditionType: + description: ConditionType refers to a condition + in the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + restartPolicy: + description: 'Restart policy for all containers within + the pod. One of Always, OnFailure, Never. Default + to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass + object in the node.k8s.io group, which should be used + to run this pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset + or empty, the "legacy" RuntimeClass will be used, + which is an implicit class with an empty definition + that uses the default runtime handler. More info: + https://git.k8s.' + type: string + schedulerName: + description: If specified, the pod will be dispatched + by specified scheduler. If not specified, the pod + will be dispatched by default scheduler. 
+ type: string + securityContext: + description: 'SecurityContext holds pod-level security + attributes and common container settings. Optional: + Defaults to empty. See type description for default + values of each field.' + properties: + fsGroup: + description: "A special supplemental group that + applies to all containers in a pod. Some volume + types allow the Kubelet to change the ownership + of that volume to be owned by the pod: \n 1. The + owning GID will be the FSGroup 2. The setgid bit + is set (new files created in the volume will be + owned by FSGroup) 3." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior + of changing ownership and permission of the volume + before being exposed inside Pod. This field will + only apply to volume types which support fsGroup + based ownership(and permissions). It will have + no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in SecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. 
May also be + set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + all containers. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set + when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." 
+ type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first + process run in each container, in addition to + the container's primary GID. If unspecified, + no groups will be added to any container. Note + that this field cannot be set when spec.os.name + is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls + (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. + items: + description: Sysctl defines a kernel parameter + to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. 
+ type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated + alias for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the + ServiceAccount to use to run this pod. More info: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the + default). In Linux containers, this means setting + the FQDN in the hostname field of the kernel (the + nodename field of struct utsname). + type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between + all of the containers in a pod. When this is set containers + will be able to view and signal processes from other + containers in the same pod, and the first process + in each container will not be assigned PID 1. HostPID + and ShareProcessNamespace cannot both be set. Optional: + Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have + a domainname at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully. May be decreased in delete + request. Value must be non-negative integer. The value + zero indicates stop immediately via the kill signal + (no opportunity to shut down). 
If this value is nil, + the default grace period will be used instead. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached to + tolerates any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and + Equal. Defaults to Equal. Exists is equivalent + to wildcard for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the + period of time the toleration (which must be + of effect NoExecute, otherwise this field is + ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever + (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how + a group of pods ought to spread across topology domains. + Scheduler will schedule pods in a way which abides + by the constraints. All topologySpreadConstraints + are ANDed. 
+ items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are + counted to determine the number of pods in their + corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. 
The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. + format: int32 + type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. 
Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", + and try to put balanced number of pods into + each bucket. We define a domain as a particular + instance of a topology. + type: string + whenUnsatisfiable: + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway + tells the scheduler to schedule the pod in any + location, but giving higher precedence to topologies + that would help reduce the skew. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by + containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a + pod that may be accessed by any container in the + pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents + an AWS Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". 
Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data + Disk mount on the host and bind mount to the + pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data + disk in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk + in the blob storage + type: string + fsType: + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: + single blob disk per storage account Managed: + azure managed data disk (only in managed + availability set). 
defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File + Service mount on the host and bind mount to + the pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key + type: string + shareName: + description: shareName is the azure share + Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount + on the host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume + attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the + volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap + that should populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. 
Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced + ConfigMap will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) + represents ephemeral storage that is handled + by certain external CSI drivers (Beta feature). 
+ properties: + driver: + description: driver is the name of the CSI + driver that handles this volume. Consult + with your admin for the correct name as + registered in the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive + information to pass to the CSI driver to + complete the CSI NodePublishVolume and NodeUnpublishVolume + calls. This field is optional, and may + be empty if no secret is required. If the + secret object contains more than one secret, + all secret references are passed. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for + supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API + about the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on + created files by default. Must be a Optional: + mode bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. 
+ Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: Items is a list of downward API + volume file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used + to set permissions on this file, must + be an octal value between 0000 and + 0777 or a decimal value between 0 + and 511. YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + requests.cpu and requests.memory) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary + directory that shares a pod''s lifetime. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + http://kubernetes.' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: ephemeral represents a volume that + is handled by a cluster storage driver. 
The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. + properties: + volumeClaimTemplate: + description: Will be used to create a stand-alone + PVC to provision the volume. The pod in + which this EphemeralVolumeSource is embedded + will be the owner of the PVC, i.e. the PVC + will be deleted together with the pod. The + name of the PVC will be `-` where `` is the name + from the `PodSpec.Volumes` array entry. + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when + creating it. No other fields are allowed + and will be rejected during validation. + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: The specification for the + PersistentVolumeClaim. The entire content + is copied unchanged into the PVC that + gets created from this template. The + same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains + the desired access modes the volume + should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. 
+ If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + local object from a non-empty API + group (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + resources: + description: 'resources represents + the minimum resources the volume + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes + the maximum amount of compute + resources allowed. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes + the minimum amount of compute + resources required. If Requests + is omitted for a container, + it defaults to Limits if that + is explicitly specified, otherwise + to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query + over volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. 
If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what + type of volume is required by the + claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding + reference to the PersistentVolume + backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine + and then exposed to the pod. + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' + type: string + lun: + description: 'lun is Optional: FC target lun + number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' 
+ type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using + an exec based plugin. + properties: + driver: + description: driver is the name of the driver + to use for this volume. + type: string + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field + holds extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume + attached to a kubelet's host machine. 
This depends + on the Flocker control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE + Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository + at a particular revision. DEPRECATED: GitRepo + is deprecated. To provision a container with + a git repo, mount an EmptyDir into an InitContainer + that clones the repo using git, then mount the + EmptyDir into the Pod''s container.' + properties: + directory: + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for + the specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume + path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the + Glusterfs volume to be mounted with read-only + permissions. Defaults to false. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing + file or directory on the host machine that is + directly exposed to the container. 
This is generally + used for system agents or other privileged things + that are allowed to see the host machine. Most + containers will NOT need this. More info: https://kubernetes.' + properties: + path: + description: 'path of the directory on the + host. If the path is a symlink, it will + follow the link to the real path. More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified + Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). 
+ type: string + lun: + description: lun represents iSCSI Target Lun + number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the + host that shares a pod''s lifetime More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the + NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the + NFS export to be mounted with read-only + permissions. Defaults to false. More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP + address of the NFS server. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a + PhotonController persistent disk attached and + mounted on kubelets host machine + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies + Photon Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fSType represents the filesystem + type to mount Must be a filesystem type + supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to + be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. 
+ type: boolean + volumeID: + description: volumeID uniquely identifies + a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. Directories within the path are + not affected by this setting. + format: int32 + type: integer + sources: + description: sources is the list of volume + projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about + the configMap data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. May not contain + the path element '..'. May + not start with the string + '..'. 
+ type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information + about the downwardAPI data to project + properties: + items: + description: Items is a list of + DownwardAPIVolume file + items: + description: DownwardAPIVolumeFile + represents information to create + the file containing the pod + field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only + annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of + the schema the FieldPath + is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the + field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode + bits used to set permissions + on this file, must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path + is the relative path name + of the file to be created. + Must not be absolute or + contain the ''..'' path. + Must be utf-8 encoded. 
The + first item of the relative + path must not start with + ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu + and requests.memory) are + currently supported.' + properties: + containerName: + description: 'Container + name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies + the output format of + the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: + resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about + the secret data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. 
May not contain + the path element '..'. May + not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional field specify + whether the Secret or its key + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is + information about the serviceAccountToken + data to project + properties: + audience: + description: audience is the intended + audience of the token. A recipient + of a token must identify itself + with an identifier specified in + the audience of the token, and + otherwise should reject the token. + The audience defaults to the identifier + of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is + the requested duration of validity + of the service account token. + As the token approaches expiration, + the kubelet volume plugin will + proactively rotate the service + account token. The kubelet will + start trying to rotate the token + if the token is older than 80 + percent of its time to live or + if the token is older than 24 + hours.Defaults to 1 hour and must + be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file + to project the token into. + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount + on the host that shares a pod's lifetime + properties: + group: + description: group to map volume access to + Default is no group + type: string + readOnly: + description: readOnly here will force the + Quobyte volume to be mounted with read-only + permissions. 
Defaults to false. + type: boolean + registry: + description: registry represents a single + or multiple Quobyte Registry services specified + as a string as host:port pair (multiple + entries are separated with commas) which + acts as the central registry for volumes + type: string + tenant: + description: tenant owning the given Quobyte + volume in the Backend Used with dynamically + provisioned Quobyte volumes, value is set + by the plugin + type: string + user: + description: user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring + for RBDUser. Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides + keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". + type: string + gateway: + description: gateway is the host address of + the ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation + will fail. + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false + type: boolean + storageMode: + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned + or ThinProvisioned. Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage + system as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that + should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced + Secret will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. 
+ properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether + the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret + to use for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable + name of the StorageOS volume. Volume names + are only unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the + scope of the volume within StorageOS. If + no namespace is specified then the Pod's + namespace will be used. This allows the + Kubernetes name scoping to be mirrored within + StorageOS for tighter integration. Set VolumeName + to any name to override the default behaviour. + Set to "default" if you are not using namespaces + within StorageOS. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + type: object + description: 'A map of PaddleReplicaType (type) to ReplicaSpec (value). + Specifies the Paddle cluster configuration. For example, { "Master": + PaddleReplicaSpec, "Worker": PaddleReplicaSpec, }' + type: object + runPolicy: + description: RunPolicy encapsulates various runtime policies of the + distributed training job, for example how to clean up resources + and how long the job can stay active. 
+ properties: + activeDeadlineSeconds: + description: Specifies the duration in seconds relative to the + startTime that the job may be active before the system tries + to terminate it; value must be positive integer. + format: int64 + type: integer + backoffLimit: + description: Optional number of retries before marking this job + failed. + format: int32 + type: integer + cleanPodPolicy: + description: CleanPodPolicy defines the policy to kill pods after + the job completes. Default to Running. + type: string + schedulingPolicy: + description: SchedulingPolicy defines the policy related to scheduling, + e.g. gang-scheduling + properties: + minAvailable: + format: int32 + type: integer + minResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: ResourceList is a set of (resource name, quantity) + pairs. + type: object + priorityClass: + type: string + queue: + type: string + scheduleTimeoutSeconds: + format: int32 + type: integer + type: object + ttlSecondsAfterFinished: + description: TTLSecondsAfterFinished is the TTL to clean up jobs. + It may take extra ReconcilePeriod seconds for the cleanup, since + reconcile gets called periodically. Default to infinite. + format: int32 + type: integer + type: object + required: + - paddleReplicaSpecs + type: object + status: + description: Most recently observed status of the PaddleJob. Read-only + (modified by the system). + properties: + completionTime: + description: Represents time when the job was completed. It is not + guaranteed to be set in happens-before order across separate operations. + It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + conditions: + description: Conditions is an array of current observed job conditions. 
+ items: + description: JobCondition describes the state of the job at a certain + point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of job condition. + type: string + required: + - status + - type + type: object + type: array + lastReconcileTime: + description: Represents last time when the job was reconciled. It + is not guaranteed to be set in happens-before order across separate + operations. It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + replicaStatuses: + additionalProperties: + description: ReplicaStatus represents the current observed state + of the replica. + properties: + active: + description: The number of actively running pods. + format: int32 + type: integer + failed: + description: The number of pods which reached phase Failed. + format: int32 + type: integer + labelSelector: + description: 'Deprecated: Use Selector instead' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string + succeeded: + description: The number of pods which reached phase Succeeded. + format: int32 + type: integer + type: object + description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, + specifies the status of each replica. + type: object + startTime: + description: Represents time when the job was acknowledged by the + job controller. It is not guaranteed to be set in happens-before + order across separate operations. It is represented in RFC3339 form + and is in UTC. + format: date-time + type: string + required: + - conditions + - replicaStatuses + type: object + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.replicaStatuses.Worker.selector + specReplicasPath: .spec.paddleReplicaSpecs.Worker.replicas + statusReplicasPath: .status.replicaStatuses.Worker.active + status: {} 
diff --git a/apps/training-operator/upstream/base/crds/kubeflow.org_pytorchjobs.yaml b/apps/training-operator/upstream/base/crds/kubeflow.org_pytorchjobs.yaml index 61578ac5af..bb2de4e1f7 100644 --- a/apps/training-operator/upstream/base/crds/kubeflow.org_pytorchjobs.yaml +++ b/apps/training-operator/upstream/base/crds/kubeflow.org_pytorchjobs.yaml @@ -1,10 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.10.0 creationTimestamp: null name: pytorchjobs.kubeflow.org spec: @@ -61,23 +60,20 @@ spec: count is calculated with multiplying the ratio between the target value and the current value by the current number of pods. Ergo, metrics used must decrease as the pod count is increased, and - vice-versa. See the individual metric source types for more - information about how each type of metric must respond. If not - set, the HPA will not be created. + vice-versa. items: description: MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once). properties: containerResource: - description: container resource refers to a resource metric + description: containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics - using the "pods" source. This is an alpha feature and - can be enabled by the HPAContainerMetrics feature flag. + using the "pods" source. properties: container: description: container is the name of the container @@ -197,6 +193,7 @@ spec: The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - name type: object 
@@ -247,8 +244,8 @@ spec: Ingress object). properties: describedObject: - description: CrossVersionObjectReference contains enough - information to let you identify the referred resource. + description: describedObject specifies the descriptions + of a object,such as kind,name apiVersion properties: apiVersion: description: API version of the referent @@ -325,6 +322,7 @@ spec: The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - name type: object @@ -438,6 +436,7 @@ spec: The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - name type: object @@ -650,12 +649,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most - preferred. + affinity expressions, etc. items: description: An empty preferred scheduling term matches all objects with implicit weight @@ -750,6 +744,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -863,10 +858,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules 
@@ -882,12 +879,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest - sum are the most preferred. + affinity expressions, etc. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added @@ -959,6 +951,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term @@ -1028,6 +1021,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -1075,10 +1069,7 @@ spec: this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. + evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative @@ -1147,6 +1138,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -1210,6 +1202,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that the term 
@@ -1250,15 +1243,7 @@ spec: may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum - of weights, i.e. for each node that meets - all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating - through the elements of this field and adding - "weight" to the sum if the node has pods which - matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most - preferred. + of weights, i.e. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added @@ -1330,6 +1315,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term @@ -1399,6 +1385,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -1446,10 +1433,7 @@ spec: by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to - eventually evict the pod from its node. When - there are multiple elements, the lists of - nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + eventually evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative @@ -1518,6 +1502,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -1581,6 +1566,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that the term 
@@ -1632,11 +1618,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -1648,11 +1630,7 @@ spec: environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -1677,10 +1655,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -1706,6 +1681,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, 
@@ -1725,6 +1701,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -1754,6 +1731,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -1776,6 +1754,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -1809,6 +1788,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be @@ -1828,6 +1808,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -1956,21 +1937,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action 
@@ -2219,17 +2193,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -2246,14 +2210,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. 
@@ -2445,17 +2408,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -2575,10 +2528,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -2680,13 +2630,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to 
@@ -2701,16 +2645,11 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to @@ -2855,17 +2794,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -2887,15 +2816,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file @@ -2906,7 +2827,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -2916,9 +2837,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -3065,23 +2984,15 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: - description: "An EphemeralContainer is a temporary + description: An EphemeralContainer is a temporary container that you may add to an existing Pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a Pod is removed or restarted. The kubelet may evict a Pod if an ephemeral container causes - the Pod to exceed its resource allocation. \n To - add an ephemeral container, use the ephemeralcontainers - subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a beta - feature available on clusters that haven't disabled - the EphemeralContainers feature gate." + the Pod to exceed its resource allocation. properties: args: description: 'Arguments to the entrypoint. The @@ -3092,10 +3003,7 @@ spec: string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + produce the string literal "$(VAR_NAME)".' items: type: string type: array 
@@ -3107,11 +3015,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -3136,10 +3040,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -3165,6 +3066,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -3184,6 +3086,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -3213,6 +3116,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -3235,6 +3139,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -3268,6 +3173,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -3287,6 +3193,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -3410,21 +3317,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action @@ -3672,17 +3572,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -3890,17 +3780,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -4020,10 +3900,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -4125,13 +4002,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to 
@@ -4292,17 +4163,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -4324,15 +4185,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean targetContainerName: description: "If set, the name of the container @@ -4341,9 +4194,7 @@ spec: (IPC, PID, etc) of this container. If not set then the ephemeral container uses the namespaces configured in the Pod spec. \n The container - runtime must implement support for this feature. - If the runtime does not support namespace targeting - then the result of setting this field is undefined." + runtime must implement support for this feature." type: string terminationMessagePath: description: 'Optional: Path at which the file 
@@ -4354,7 +4205,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -4364,9 +4215,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -4486,6 +4335,15 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined 
@@ -4510,24 +4368,16 @@ spec: uid?' type: string type: object + x-kubernetes-map-type: atomic type: array initContainers: - description: 'List of initialization containers belonging + description: List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique - among all containers. Init containers may not have - Lifecycle actions, Readiness probes, Liveness probes, - or Startup probes. The resourceRequirements of an - init container are taken into account during scheduling - by finding the highest request/limit for each resource - type, and then using the max of of that value or the - sum of the normal containers. Limits are applied to - init containers in a similar fashion. Init containers - cannot currently be added or removed. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + among all containers. items: description: A single application container that you want to run within a pod. @@ -4540,11 +4390,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -4556,11 +4402,7 @@ spec: environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -4585,10 +4427,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -4614,6 +4453,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -4633,6 +4473,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -4662,6 +4503,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -4684,6 +4526,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -4717,6 +4560,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -4736,6 +4580,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -4864,21 +4709,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action @@ -5127,17 +4965,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -5154,14 +4982,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. @@ -5353,17 +5180,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -5483,10 +5300,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -5588,13 +5402,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to @@ -5609,16 +5417,11 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to 
@@ -5763,17 +5566,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -5795,15 +5588,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file @@ -5814,7 +5599,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message 
@@ -5824,9 +5609,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -5932,20 +5715,8 @@ spec: if this is set. \n If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields - must be unset: - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions - - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - - spec.shareProcessNamespace - spec.securityContext.runAsUser - - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - - spec.containers[*].securityContext.seLinuxOptions - - spec.containers[*].securityContext.seccompProfile - - spec.containers[*].securityContext.capabilities - - spec.containers[*].securityContext.readOnlyRootFilesystem - - spec.containers[*].securityContext.privileged - - spec.containers[*].securityContext.allowPrivilegeEscalation - - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - - spec.containers[*].securityContext.runAsGroup This - is a beta field and requires the IdentifyPodOS feature" + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." properties: name: description: 'Name is the name of the operating 
@@ -5966,18 +5737,14 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead + description: Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have - the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set - to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md' + the overhead already set. type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting @@ -6033,7 +5800,7 @@ spec: or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: - https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' + https://git.k8s.' type: string schedulerName: description: If specified, the pod will be dispatched @@ -6053,11 +5820,7 @@ spec: of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be - owned by FSGroup) 3. The permission bits are OR'd - with rw-rw---- \n If unset, the Kubelet will not - modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name - is windows." + owned by FSGroup) 3." format: int64 type: integer fsGroupChangePolicy: 
@@ -6068,9 +5831,7 @@ spec: based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name - is windows.' + and "Always". If not specified, "Always" is used.' type: string runAsGroup: description: The GID to run the entrypoint of the @@ -6089,9 +5850,7 @@ spec: does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. + set in SecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint of the @@ -6214,12 +5973,7 @@ spec: honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. + the Pod. type: boolean runAsUserName: description: The UserName in Windows to run @@ -6247,11 +6001,7 @@ spec: as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the - nodename field of struct utsname). In Windows containers, - this means setting the registry value of hostname - for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no - effect. Default to false. + nodename field of struct utsname). type: boolean shareProcessNamespace: description: 'Share a single process namespace between 
@@ -6274,13 +6024,7 @@ spec: request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, - the default grace period will be used instead. The - grace period is the duration in seconds after the - processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer than - the expected cleanup time for your process. Defaults - to 30 seconds. + the default grace period will be used instead. format: int64 type: integer tolerations: 
@@ -6390,61 +6134,66 @@ spec: "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to - which pods may be unevenly distributed. When - `whenUnsatisfiable=DoNotSchedule`, it is the - maximum permitted difference between the number - of matching pods in the target topology and - the global minimum. The global minimum is the - minimum number of matching pods in an eligible + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible domain or zero if the number of eligible domains - is less than MinDomains. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with - the same labelSelector spread as 2/2/1: In this - case, the global minimum is 1. | zone1 | zone2 - | zone3 | | P P | P P | P | - if MaxSkew - is 1, incoming pod can only be scheduled to - zone3 to become 2/2/2; scheduling it onto zone1(zone2) - would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - if MaxSkew is 2, incoming - pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. 
Default - value is 1 and 0 is not allowed.' + is less than MinDomains. format: int32 type: integer minDomains: - description: "MinDomains indicates a minimum number + description: MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats - \"global minimum\" as 0, and then the calculation + "global minimum" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value - has no effect on scheduling. As a result, when - the number of eligible domains is less than - minDomains, scheduler won't schedule more than - maxSkew Pods to those domains. If value is nil, - the constraint behaves as if MinDomains is equal - to 1. Valid values are integers greater than - 0. When value is not nil, WhenUnsatisfiable - must be DoNotSchedule. \n For example, in a - 3-zone cluster, MaxSkew is set to 2, MinDomains - is set to 5 and pods with the same labelSelector - spread as 2/2/2: | zone1 | zone2 | zone3 | | - \ P P | P P | P P | The number of domains - is less than 5(MinDomains), so \"global minimum\" - is treated as 0. In this situation, new pod - with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new - Pod is scheduled to any of the three zones, - it will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + has no effect on scheduling. format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. 
\n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical 
@@ -6452,35 +6201,16 @@ spec: We consider each as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular - instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", - each Node is a domain of that topology. And, - if TopologyKey is "topology.kubernetes.io/zone", - each zone is a domain of that topology. It's - a required field. + instance of a topology. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how - to deal with a pod if it doesn''t satisfy the - spread constraint. - DoNotSchedule (default) - tells the scheduler not to schedule it. - ScheduleAnyway + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any - location, but giving higher precedence to - topologies that would help reduce the skew. - A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible - node assignment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: | zone1 | zone2 - | zone3 | | P P P | P | P | If WhenUnsatisfiable - is set to DoNotSchedule, incoming pod can only - be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can - still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' + location, but giving higher precedence to topologies + that would help reduce the skew. type: string required: - maxSkew 
@@ -6642,6 +6372,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: description: 'user is optional: User is the rados user name, default is admin More info: @@ -6680,6 +6411,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeID: description: 'volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' @@ -6700,10 +6432,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -6713,12 +6442,7 @@ spec: as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. @@ -6735,10 +6459,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + will be used.' format: int32 type: integer path: @@ -6764,6 +6485,7 @@ spec: ConfigMap or its keys must be defined type: boolean type: object + x-kubernetes-map-type: atomic csi: description: csi (Container Storage Interface) represents ephemeral storage that is handled 
@@ -6799,6 +6521,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic readOnly: description: readOnly specifies a read-only configuration for the volume. Defaults to @@ -6829,10 +6552,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -6860,6 +6580,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions on this file, must @@ -6868,11 +6589,7 @@ spec: and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + the volume defaultMode will be used.' format: int32 type: integer path: @@ -6911,6 +6628,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object 
@@ -6941,37 +6659,19 @@ spec: and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: - http://kubernetes.io/docs/user-guide/volumes#emptydir' + http://kubernetes.' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "ephemeral represents a volume that + description: ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. \n Use - this if: a) the volume is only needed while - the pod runs, b) features of normal volumes - like restoring from snapshot or capacity tracking - are needed, c) the storage driver is specified - through a storage class, and d) the storage - driver supports dynamic volume provisioning - through a PersistentVolumeClaim (see EphemeralVolumeSource - for more information on the connection between - this volume type and PersistentVolumeClaim). - \n Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than - the lifecycle of an individual pod. \n Use CSI - for light-weight local ephemeral volumes if - the CSI driver is meant to be used that way - - see the documentation of the driver for more - information. \n A pod can use both types of - ephemeral volumes and persistent volumes at - the same time." + and deleted when the pod is removed. properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone + description: Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC 
@@ -6979,23 +6679,6 @@ spec: name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the - concatenated name is not valid for a PVC - (for example, too long). \n An existing - PVC with that name that is not owned by - the pod will *not* be used for the pod to - avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the - unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the - PVC has to updated with an owner reference - to the pod once the pod exists. Normally - this should not be necessary, but it may - be useful when manually reconstructing a - broken cluster. \n This field is read-only - and no changes will be made by Kubernetes - to the PVC after it has been created. \n - Required, must not be nil." properties: metadata: description: May contain labels and annotations @@ -7044,11 +6727,7 @@ spec: controller can support the specified data source, it will create a new volume based on the contents of - the specified data source. If the - AnyVolumeDataSource feature gate - is enabled, this field will always - have the same contents as the DataSourceRef - field.' + the specified data source.' properties: apiGroup: description: APIGroup is the group @@ -7071,8 +6750,9 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic dataSourceRef: - description: 'dataSourceRef specifies + description: dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any 
@@ -7082,29 +6762,7 @@ spec: volume binding will only succeed if the type of the specified object matches some installed volume populator - or dynamic provisioner. This field - will replace the functionality of - the DataSource field and as such - if both fields are non-empty, they - must have the same value. For backwards - compatibility, both fields (DataSource - and DataSourceRef) will be set to - the same value automatically if - one of them is empty and the other - is non-empty. There are two important - differences between DataSource and - DataSourceRef: * While DataSource - only allows two specific types of - objects, DataSourceRef allows - any non-core object, as well as - PersistentVolumeClaim objects. * - While DataSource ignores disallowed - values (dropping them), DataSourceRef preserves - all values, and generates an error - if a disallowed value is specified. - (Beta) Using this field requires - the AnyVolumeDataSource feature - gate to be enabled.' + or dynamic provisioner. properties: apiGroup: description: APIGroup is the group @@ -7127,6 +6785,7 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic resources: description: 'resources represents the minimum resources the volume @@ -7228,6 +6887,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic storageClassName: description: 'storageClassName is the name of the StorageClass required @@ -7331,6 +6991,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic required: - driver type: object 
@@ -7446,10 +7107,7 @@ spec: directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most - containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can - use host directory mounts and who can/can not - mount host directories as read/write.' + containers will NOT need this. More info: https://kubernetes.' properties: path: description: 'path of the directory on the @@ -7533,6 +7191,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic targetPortal: description: targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port @@ -7643,10 +7302,7 @@ spec: 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are - not affected by this setting. This might - be in conflict with other options that affect - the file mode, like fsGroup, and the result - can be other mode bits set. + not affected by this setting. format: int32 type: integer sources: @@ -7670,12 +7326,6 @@ spec: the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the ConfigMap, - the volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -7695,12 +7345,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: 
@@ -7729,6 +7374,7 @@ spec: be defined type: boolean type: object + x-kubernetes-map-type: atomic downwardAPI: description: downwardAPI information about the downwardAPI data to project @@ -7762,6 +7408,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions @@ -7773,12 +7420,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: @@ -7822,6 +7464,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object @@ -7841,12 +7484,6 @@ spec: the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the Secret, the - volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -7866,12 +7503,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: @@ -7900,6 +7532,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic serviceAccountToken: description: serviceAccountToken is information about the serviceAccountToken @@ -8032,6 +7665,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: description: 'user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' 
@@ -8077,6 +7711,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic sslEnabled: description: sslEnabled Flag enable/disable SSL communication with Gateway, default @@ -8118,10 +7753,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -8131,12 +7763,7 @@ spec: as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. @@ -8153,10 +7780,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + will be used.' format: int32 type: integer path: @@ -8209,6 +7833,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeName: description: volumeName is the human-readable name of the StorageOS volume. Volume names @@ -8223,8 +7848,7 @@ spec: StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces - within StorageOS. Namespaces that do not - pre-exist within StorageOS will be created. + within StorageOS. type: string type: object vsphereVolume: 
@@ -8265,8 +7889,8 @@ spec: type: object type: object description: 'A map of PyTorchReplicaType (type) to ReplicaSpec (value). - Specifies the PyTorch cluster configuration. For example, { "Master": - PyTorchReplicaSpec, "Worker": PyTorchReplicaSpec, }' + Specifies the PyTorch cluster configuration. For example, { "Master": + PyTorchReplicaSpec, "Worker": PyTorchReplicaSpec, }' type: object runPolicy: description: RunPolicy encapsulates various runtime policies of the @@ -8309,6 +7933,9 @@ spec: type: string queue: type: string + scheduleTimeoutSeconds: + format: int32 + type: integer type: object ttlSecondsAfterFinished: description: TTLSecondsAfterFinished is the TTL to clean up jobs. @@ -8383,10 +8010,7 @@ spec: format: int32 type: integer labelSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: 'Deprecated: Use Selector instead' properties: matchExpressions: description: matchExpressions is a list of label selector @@ -8429,6 +8053,13 @@ spec: only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string succeeded: description: The number of pods which reached phase Succeeded. format: int32 
@@ -8453,13 +8084,7 @@ spec: storage: true subresources: scale: - labelSelectorPath: .status.labelSelector + labelSelectorPath: .status.replicaStatuses.Worker.selector specReplicasPath: .spec.pytorchReplicaSpecs.Worker.replicas - statusReplicasPath: .status.replicaStatuses.Active + statusReplicasPath: .status.replicaStatuses.Worker.active status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/apps/training-operator/upstream/base/crds/kubeflow.org_tfjobs.yaml b/apps/training-operator/upstream/base/crds/kubeflow.org_tfjobs.yaml index 6485609163..a36d8b1734 100644 --- a/apps/training-operator/upstream/base/crds/kubeflow.org_tfjobs.yaml +++ b/apps/training-operator/upstream/base/crds/kubeflow.org_tfjobs.yaml @@ -1,10 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.10.0 creationTimestamp: null name: tfjobs.kubeflow.org spec: @@ -87,6 +86,9 @@ spec: type: string queue: type: string + scheduleTimeoutSeconds: + format: int32 + type: integer type: object ttlSecondsAfterFinished: description: TTLSecondsAfterFinished is the TTL to clean up jobs. @@ -165,12 +167,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most - preferred. + affinity expressions, etc. items: description: An empty preferred scheduling term matches all objects with implicit weight @@ -265,6 +262,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, 
@@ -378,10 +376,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules @@ -397,12 +397,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest - sum are the most preferred. + affinity expressions, etc. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added @@ -474,6 +469,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term @@ -543,6 +539,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -590,10 +587,7 @@ spec: this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. + evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative @@ -662,6 +656,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies 
@@ -725,6 +720,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that the term @@ -765,15 +761,7 @@ spec: may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum - of weights, i.e. for each node that meets - all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating - through the elements of this field and adding - "weight" to the sum if the node has pods which - matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most - preferred. + of weights, i.e. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added @@ -845,6 +833,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term @@ -914,6 +903,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -961,10 +951,7 @@ spec: by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to - eventually evict the pod from its node. When - there are multiple elements, the lists of - nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + eventually evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative @@ -1033,6 +1020,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies 
@@ -1096,6 +1084,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that the term @@ -1147,11 +1136,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -1163,11 +1148,7 @@ spec: environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -1192,10 +1173,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment 
@@ -1221,6 +1199,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -1240,6 +1219,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -1269,6 +1249,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -1291,6 +1272,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -1324,6 +1306,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be @@ -1343,6 +1326,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -1471,21 +1455,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action 
@@ -1734,17 +1711,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -1761,14 +1728,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. 
@@ -1960,17 +1926,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -2090,10 +2046,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -2195,13 +2148,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to 
@@ -2216,16 +2163,11 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to @@ -2370,17 +2312,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -2402,15 +2334,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file @@ -2421,7 +2345,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -2431,9 +2355,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -2580,23 +2502,15 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: - description: "An EphemeralContainer is a temporary + description: An EphemeralContainer is a temporary container that you may add to an existing Pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a Pod is removed or restarted. The kubelet may evict a Pod if an ephemeral container causes - the Pod to exceed its resource allocation. \n To - add an ephemeral container, use the ephemeralcontainers - subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a beta - feature available on clusters that haven't disabled - the EphemeralContainers feature gate." + the Pod to exceed its resource allocation. properties: args: description: 'Arguments to the entrypoint. The @@ -2607,10 +2521,7 @@ spec: string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + produce the string literal "$(VAR_NAME)".' items: type: string type: array 
@@ -2622,11 +2533,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -2651,10 +2558,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -2680,6 +2584,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -2699,6 +2604,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -2728,6 +2634,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -2750,6 +2657,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -2783,6 +2691,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -2802,6 +2711,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -2925,21 +2835,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action @@ -3187,17 +3090,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -3405,17 +3298,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -3535,10 +3418,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -3640,13 +3520,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to 
@@ -3807,17 +3681,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -3839,15 +3703,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean targetContainerName: description: "If set, the name of the container @@ -3856,9 +3712,7 @@ spec: (IPC, PID, etc) of this container. If not set then the ephemeral container uses the namespaces configured in the Pod spec. \n The container - runtime must implement support for this feature. - If the runtime does not support namespace targeting - then the result of setting this field is undefined." + runtime must implement support for this feature." type: string terminationMessagePath: description: 'Optional: Path at which the file 
@@ -3869,7 +3723,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -3879,9 +3733,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -4001,6 +3853,15 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined 
@@ -4025,24 +3886,16 @@ spec: uid?' type: string type: object + x-kubernetes-map-type: atomic type: array initContainers: - description: 'List of initialization containers belonging + description: List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique - among all containers. Init containers may not have - Lifecycle actions, Readiness probes, Liveness probes, - or Startup probes. The resourceRequirements of an - init container are taken into account during scheduling - by finding the highest request/limit for each resource - type, and then using the max of of that value or the - sum of the normal containers. Limits are applied to - init containers in a similar fashion. Init containers - cannot currently be added or removed. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + among all containers. items: description: A single application container that you want to run within a pod. @@ -4055,11 +3908,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -4071,11 +3920,7 @@ spec: environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -4100,10 +3945,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -4129,6 +3971,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -4148,6 +3991,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -4177,6 +4021,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -4199,6 +4044,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -4232,6 +4078,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -4251,6 +4098,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -4379,21 +4227,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action @@ -4642,17 +4483,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -4669,14 +4500,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. @@ -4868,17 +4698,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -4998,10 +4818,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -5103,13 +4920,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to @@ -5124,16 +4935,11 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to 
@@ -5278,17 +5084,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -5310,15 +5106,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file @@ -5329,7 +5117,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message 
@@ -5339,9 +5127,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -5447,20 +5233,8 @@ spec: if this is set. \n If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields - must be unset: - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions - - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - - spec.shareProcessNamespace - spec.securityContext.runAsUser - - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - - spec.containers[*].securityContext.seLinuxOptions - - spec.containers[*].securityContext.seccompProfile - - spec.containers[*].securityContext.capabilities - - spec.containers[*].securityContext.readOnlyRootFilesystem - - spec.containers[*].securityContext.privileged - - spec.containers[*].securityContext.allowPrivilegeEscalation - - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - - spec.containers[*].securityContext.runAsGroup This - is a beta field and requires the IdentifyPodOS feature" + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." properties: name: description: 'Name is the name of the operating 
@@ -5481,18 +5255,14 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead + description: Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have - the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set - to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md' + the overhead already set. type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting @@ -5548,7 +5318,7 @@ spec: or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: - https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' + https://git.k8s.' type: string schedulerName: description: If specified, the pod will be dispatched @@ -5568,11 +5338,7 @@ spec: of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be - owned by FSGroup) 3. The permission bits are OR'd - with rw-rw---- \n If unset, the Kubelet will not - modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name - is windows." + owned by FSGroup) 3." format: int64 type: integer fsGroupChangePolicy: 
@@ -5583,9 +5349,7 @@ spec: based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name - is windows.' + and "Always". If not specified, "Always" is used.' type: string runAsGroup: description: The GID to run the entrypoint of the @@ -5604,9 +5368,7 @@ spec: does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. + set in SecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint of the @@ -5729,12 +5491,7 @@ spec: honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. + the Pod. type: boolean runAsUserName: description: The UserName in Windows to run @@ -5762,11 +5519,7 @@ spec: as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the - nodename field of struct utsname). In Windows containers, - this means setting the registry value of hostname - for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no - effect. Default to false. + nodename field of struct utsname). type: boolean shareProcessNamespace: description: 'Share a single process namespace between 
@@ -5789,13 +5542,7 @@ spec: request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, - the default grace period will be used instead. The - grace period is the duration in seconds after the - processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer than - the expected cleanup time for your process. Defaults - to 30 seconds. + the default grace period will be used instead. format: int64 type: integer tolerations: 
@@ -5905,61 +5652,66 @@ spec: "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to - which pods may be unevenly distributed. When - `whenUnsatisfiable=DoNotSchedule`, it is the - maximum permitted difference between the number - of matching pods in the target topology and - the global minimum. The global minimum is the - minimum number of matching pods in an eligible + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible domain or zero if the number of eligible domains - is less than MinDomains. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with - the same labelSelector spread as 2/2/1: In this - case, the global minimum is 1. | zone1 | zone2 - | zone3 | | P P | P P | P | - if MaxSkew - is 1, incoming pod can only be scheduled to - zone3 to become 2/2/2; scheduling it onto zone1(zone2) - would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - if MaxSkew is 2, incoming - pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. 
Default - value is 1 and 0 is not allowed.' + is less than MinDomains. format: int32 type: integer minDomains: - description: "MinDomains indicates a minimum number + description: MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats - \"global minimum\" as 0, and then the calculation + "global minimum" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value - has no effect on scheduling. As a result, when - the number of eligible domains is less than - minDomains, scheduler won't schedule more than - maxSkew Pods to those domains. If value is nil, - the constraint behaves as if MinDomains is equal - to 1. Valid values are integers greater than - 0. When value is not nil, WhenUnsatisfiable - must be DoNotSchedule. \n For example, in a - 3-zone cluster, MaxSkew is set to 2, MinDomains - is set to 5 and pods with the same labelSelector - spread as 2/2/2: | zone1 | zone2 | zone3 | | - \ P P | P P | P P | The number of domains - is less than 5(MinDomains), so \"global minimum\" - is treated as 0. In this situation, new pod - with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new - Pod is scheduled to any of the three zones, - it will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + has no effect on scheduling. format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. 
\n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical 
@@ -5967,35 +5719,16 @@ spec: We consider each as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular - instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", - each Node is a domain of that topology. And, - if TopologyKey is "topology.kubernetes.io/zone", - each zone is a domain of that topology. It's - a required field. + instance of a topology. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how - to deal with a pod if it doesn''t satisfy the - spread constraint. - DoNotSchedule (default) - tells the scheduler not to schedule it. - ScheduleAnyway + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any - location, but giving higher precedence to - topologies that would help reduce the skew. - A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible - node assignment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: | zone1 | zone2 - | zone3 | | P P P | P | P | If WhenUnsatisfiable - is set to DoNotSchedule, incoming pod can only - be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can - still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' + location, but giving higher precedence to topologies + that would help reduce the skew. type: string required: - maxSkew 
@@ -6157,6 +5890,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: description: 'user is optional: User is the rados user name, default is admin More info: @@ -6195,6 +5929,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeID: description: 'volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' @@ -6215,10 +5950,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -6228,12 +5960,7 @@ spec: as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. @@ -6250,10 +5977,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + will be used.' format: int32 type: integer path: @@ -6279,6 +6003,7 @@ spec: ConfigMap or its keys must be defined type: boolean type: object + x-kubernetes-map-type: atomic csi: description: csi (Container Storage Interface) represents ephemeral storage that is handled 
@@ -6314,6 +6039,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic readOnly: description: readOnly specifies a read-only configuration for the volume. Defaults to @@ -6344,10 +6070,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -6375,6 +6098,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions on this file, must @@ -6383,11 +6107,7 @@ spec: and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + the volume defaultMode will be used.' format: int32 type: integer path: @@ -6426,6 +6146,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object 
@@ -6456,37 +6177,19 @@ spec: and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: - http://kubernetes.io/docs/user-guide/volumes#emptydir' + http://kubernetes.' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "ephemeral represents a volume that + description: ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. \n Use - this if: a) the volume is only needed while - the pod runs, b) features of normal volumes - like restoring from snapshot or capacity tracking - are needed, c) the storage driver is specified - through a storage class, and d) the storage - driver supports dynamic volume provisioning - through a PersistentVolumeClaim (see EphemeralVolumeSource - for more information on the connection between - this volume type and PersistentVolumeClaim). - \n Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than - the lifecycle of an individual pod. \n Use CSI - for light-weight local ephemeral volumes if - the CSI driver is meant to be used that way - - see the documentation of the driver for more - information. \n A pod can use both types of - ephemeral volumes and persistent volumes at - the same time." + and deleted when the pod is removed. properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone + description: Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC 
@@ -6494,23 +6197,6 @@ spec: name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the - concatenated name is not valid for a PVC - (for example, too long). \n An existing - PVC with that name that is not owned by - the pod will *not* be used for the pod to - avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the - unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the - PVC has to updated with an owner reference - to the pod once the pod exists. Normally - this should not be necessary, but it may - be useful when manually reconstructing a - broken cluster. \n This field is read-only - and no changes will be made by Kubernetes - to the PVC after it has been created. \n - Required, must not be nil." properties: metadata: description: May contain labels and annotations @@ -6559,11 +6245,7 @@ spec: controller can support the specified data source, it will create a new volume based on the contents of - the specified data source. If the - AnyVolumeDataSource feature gate - is enabled, this field will always - have the same contents as the DataSourceRef - field.' + the specified data source.' properties: apiGroup: description: APIGroup is the group @@ -6586,8 +6268,9 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic dataSourceRef: - description: 'dataSourceRef specifies + description: dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any 
@@ -6597,29 +6280,7 @@ spec: volume binding will only succeed if the type of the specified object matches some installed volume populator - or dynamic provisioner. This field - will replace the functionality of - the DataSource field and as such - if both fields are non-empty, they - must have the same value. For backwards - compatibility, both fields (DataSource - and DataSourceRef) will be set to - the same value automatically if - one of them is empty and the other - is non-empty. There are two important - differences between DataSource and - DataSourceRef: * While DataSource - only allows two specific types of - objects, DataSourceRef allows - any non-core object, as well as - PersistentVolumeClaim objects. * - While DataSource ignores disallowed - values (dropping them), DataSourceRef preserves - all values, and generates an error - if a disallowed value is specified. - (Beta) Using this field requires - the AnyVolumeDataSource feature - gate to be enabled.' + or dynamic provisioner. properties: apiGroup: description: APIGroup is the group @@ -6642,6 +6303,7 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic resources: description: 'resources represents the minimum resources the volume @@ -6743,6 +6405,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic storageClassName: description: 'storageClassName is the name of the StorageClass required @@ -6846,6 +6509,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic required: - driver type: object 
@@ -6961,10 +6625,7 @@ spec: directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most - containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can - use host directory mounts and who can/can not - mount host directories as read/write.' + containers will NOT need this. More info: https://kubernetes.' properties: path: description: 'path of the directory on the @@ -7048,6 +6709,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic targetPortal: description: targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port @@ -7158,10 +6820,7 @@ spec: 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are - not affected by this setting. This might - be in conflict with other options that affect - the file mode, like fsGroup, and the result - can be other mode bits set. + not affected by this setting. format: int32 type: integer sources: @@ -7185,12 +6844,6 @@ spec: the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the ConfigMap, - the volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -7210,12 +6863,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: 
@@ -7244,6 +6892,7 @@ spec: be defined type: boolean type: object + x-kubernetes-map-type: atomic downwardAPI: description: downwardAPI information about the downwardAPI data to project @@ -7277,6 +6926,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions @@ -7288,12 +6938,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: @@ -7337,6 +6982,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object @@ -7356,12 +7002,6 @@ spec: the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the Secret, the - volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -7381,12 +7021,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: @@ -7415,6 +7050,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic serviceAccountToken: description: serviceAccountToken is information about the serviceAccountToken @@ -7547,6 +7183,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: description: 'user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' 
@@ -7592,6 +7229,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic sslEnabled: description: sslEnabled Flag enable/disable SSL communication with Gateway, default @@ -7633,10 +7271,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -7646,12 +7281,7 @@ spec: as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. @@ -7668,10 +7298,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + will be used.' format: int32 type: integer path: @@ -7724,6 +7351,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeName: description: volumeName is the human-readable name of the StorageOS volume. Volume names @@ -7738,8 +7366,7 @@ spec: StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces - within StorageOS. Namespaces that do not - pre-exist within StorageOS will be created. + within StorageOS. type: string type: object vsphereVolume: 
@@ -7780,8 +7407,8 @@ spec: type: object type: object description: 'A map of TFReplicaType (type) to ReplicaSpec (value). - Specifies the TF cluster configuration. For example, { "PS": - ReplicaSpec, "Worker": ReplicaSpec, }' + Specifies the TF cluster configuration. For example, { "PS": ReplicaSpec, + "Worker": ReplicaSpec, }' type: object required: - tfReplicaSpecs @@ -7849,10 +7476,7 @@ spec: format: int32 type: integer labelSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: 'Deprecated: Use Selector instead' properties: matchExpressions: description: matchExpressions is a list of label selector @@ -7895,6 +7519,13 @@ spec: only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string succeeded: description: The number of pods which reached phase Succeeded. format: int32 @@ -7919,9 +7550,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/apps/training-operator/upstream/base/crds/kubeflow.org_xgboostjobs.yaml b/apps/training-operator/upstream/base/crds/kubeflow.org_xgboostjobs.yaml index 2a09adddef..c10ee67f8e 100644 --- a/apps/training-operator/upstream/base/crds/kubeflow.org_xgboostjobs.yaml +++ b/apps/training-operator/upstream/base/crds/kubeflow.org_xgboostjobs.yaml 
@@ -1,10 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.10.0 creationTimestamp: null name: xgboostjobs.kubeflow.org spec: @@ -83,6 +82,9 @@ spec: type: string queue: type: string + scheduleTimeoutSeconds: + format: int32 + type: integer type: object ttlSecondsAfterFinished: description: TTLSecondsAfterFinished is the TTL to clean up jobs. @@ -157,12 +159,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most - preferred. + affinity expressions, etc. items: description: An empty preferred scheduling term matches all objects with implicit weight @@ -257,6 +254,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -370,10 +368,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules 
@@ -389,12 +389,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest - sum are the most preferred. + affinity expressions, etc. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added @@ -466,6 +461,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term @@ -535,6 +531,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -582,10 +579,7 @@ spec: this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. + evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative @@ -654,6 +648,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -717,6 +712,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that the term 
@@ -757,15 +753,7 @@ spec: may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum - of weights, i.e. for each node that meets - all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating - through the elements of this field and adding - "weight" to the sum if the node has pods which - matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most - preferred. + of weights, i.e. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added @@ -837,6 +825,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term @@ -906,6 +895,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -953,10 +943,7 @@ spec: by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to - eventually evict the pod from its node. When - there are multiple elements, the lists of - nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + eventually evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative @@ -1025,6 +1012,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -1088,6 +1076,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that the term 
@@ -1139,11 +1128,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -1155,11 +1140,7 @@ spec: environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -1184,10 +1165,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -1213,6 +1191,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, 
@@ -1232,6 +1211,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -1261,6 +1241,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -1283,6 +1264,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -1316,6 +1298,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be @@ -1335,6 +1318,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -1463,21 +1447,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action 
@@ -1726,17 +1703,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -1753,14 +1720,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. 
@@ -1952,17 +1918,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -2082,10 +2038,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -2187,13 +2140,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to 
@@ -2208,16 +2155,11 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to @@ -2362,17 +2304,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -2394,15 +2326,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file @@ -2413,7 +2337,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -2423,9 +2347,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -2572,23 +2494,15 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: - description: "An EphemeralContainer is a temporary + description: An EphemeralContainer is a temporary container that you may add to an existing Pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a Pod is removed or restarted. The kubelet may evict a Pod if an ephemeral container causes - the Pod to exceed its resource allocation. \n To - add an ephemeral container, use the ephemeralcontainers - subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a beta - feature available on clusters that haven't disabled - the EphemeralContainers feature gate." + the Pod to exceed its resource allocation. properties: args: description: 'Arguments to the entrypoint. The @@ -2599,10 +2513,7 @@ spec: string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + produce the string literal "$(VAR_NAME)".' items: type: string type: array 
@@ -2614,11 +2525,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -2643,10 +2550,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -2672,6 +2576,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -2691,6 +2596,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -2720,6 +2626,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -2742,6 +2649,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -2775,6 +2683,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -2794,6 +2703,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -2917,21 +2827,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action @@ -3179,17 +3082,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -3397,17 +3290,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -3527,10 +3410,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -3632,13 +3512,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to 
@@ -3799,17 +3673,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -3831,15 +3695,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean targetContainerName: description: "If set, the name of the container @@ -3848,9 +3704,7 @@ spec: (IPC, PID, etc) of this container. If not set then the ephemeral container uses the namespaces configured in the Pod spec. \n The container - runtime must implement support for this feature. - If the runtime does not support namespace targeting - then the result of setting this field is undefined." + runtime must implement support for this feature." type: string terminationMessagePath: description: 'Optional: Path at which the file 
@@ -3861,7 +3715,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -3871,9 +3725,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -3993,6 +3845,15 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined 
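Review bot: The new `hostUsers` property is added to the PodSpec schema with a description that explains the `false` (new user namespace) semantics but carries no note that the field is feature-gated; in the Kubernetes 1.25 API this field is alpha and, as far as I recall, only honored when the corresponding user-namespace feature gate is enabled, so on a cluster without it a user who sets `hostUsers: false` for isolation presumably gets the host user namespace anyway without any schema-level signal. Since the description here appears to be a truncated copy of the upstream text, consider regenerating without description truncation or appending a one-line caveat such as `This field is alpha-level in v1.25 and is only honored by API servers that enable the user-namespace feature gate; otherwise the pod runs in the host user namespace.` The enclosing `spec.template.spec` schema starts and ends outside this hunk.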
@@ -4017,24 +3878,16 @@ spec: uid?' type: string type: object + x-kubernetes-map-type: atomic type: array initContainers: - description: 'List of initialization containers belonging + description: List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique - among all containers. Init containers may not have - Lifecycle actions, Readiness probes, Liveness probes, - or Startup probes. The resourceRequirements of an - init container are taken into account during scheduling - by finding the highest request/limit for each resource - type, and then using the max of of that value or the - sum of the normal containers. Limits are applied to - init containers in a similar fashion. Init containers - cannot currently be added or removed. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + among all containers. items: description: A single application container that you want to run within a pod. @@ -4047,11 +3900,7 @@ spec: If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -4063,11 +3912,7 @@ spec: environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -4092,10 +3937,7 @@ spec: unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -4121,6 +3963,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -4140,6 +3983,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -4169,6 +4013,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -4191,6 +4036,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -4224,6 +4070,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -4243,6 +4090,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: @@ -4371,21 +4219,14 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The Pod''s termination grace period countdown + The Pod's termination grace period countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, - the container will eventually terminate - within the Pod''s termination grace period - (unless delayed by finalizers). Other management - of the container blocks until the hook completes - or until the termination grace period is - reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action @@ -4634,17 +4475,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -4661,14 +4492,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. @@ -4860,17 +4690,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: 
@@ -4990,10 +4810,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -5095,13 +4912,7 @@ spec: that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors - when validating the Pod. All of a Pod's - containers must have the same effective - HostProcess value (it is not allowed - to have a mix of HostProcess containers - and non-HostProcess containers). In - addition, if HostProcess is true then - HostNetwork must also be set to true. + when validating the Pod. type: boolean runAsUserName: description: The UserName in Windows to @@ -5116,16 +4927,11 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to 
@@ -5270,17 +5076,7 @@ spec: the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for - your process. If this value is nil, the - pod's terminationGracePeriodSeconds will - be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value - zero indicates stop immediately via the - kill signal (no opportunity to shut down). - This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. + your process. format: int64 type: integer timeoutSeconds: @@ -5302,15 +5098,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file @@ -5321,7 +5109,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message 
@@ -5331,9 +5119,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -5439,20 +5225,8 @@ spec: if this is set. \n If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields - must be unset: - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions - - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - - spec.shareProcessNamespace - spec.securityContext.runAsUser - - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - - spec.containers[*].securityContext.seLinuxOptions - - spec.containers[*].securityContext.seccompProfile - - spec.containers[*].securityContext.capabilities - - spec.containers[*].securityContext.readOnlyRootFilesystem - - spec.containers[*].securityContext.privileged - - spec.containers[*].securityContext.allowPrivilegeEscalation - - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - - spec.containers[*].securityContext.runAsGroup This - is a beta field and requires the IdentifyPodOS feature" + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." properties: name: description: 'Name is the name of the operating 
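Review bot: The regenerated `os` description is cut off mid-list at `- spec.securityContext."`, so the enumeration of fields that must be unset for Windows pods (previously including `seccompProfile`, `privileged`, `allowPrivilegeEscalation`, `capabilities` and the `runAsUser`/`runAsGroup` settings) is now lost from the served schema, and the same truncation elsewhere in this diff drops the sentence that `SecurityContext` takes precedence over `PodSecurityContext` for `runAsNonRoot`. This looks like an artifact of the CRD generator's description-length limit rather than an intentional edit; if this file is synced from upstream, the fix belongs there (regenerate with the description limit raised or disabled), otherwise the truncated sentence should be restored so `kubectl explain` does not show a dangling list. The `x-kubernetes-map-type: atomic` additions themselves look correct for these single-object references.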
@@ -5473,18 +5247,14 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead + description: Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have - the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set - to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md' + the overhead already set. type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting @@ -5540,7 +5310,7 @@ spec: or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: - https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' + https://git.k8s.' type: string schedulerName: description: If specified, the pod will be dispatched @@ -5560,11 +5330,7 @@ spec: of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be - owned by FSGroup) 3. The permission bits are OR'd - with rw-rw---- \n If unset, the Kubelet will not - modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name - is windows." + owned by FSGroup) 3." format: int64 type: integer fsGroupChangePolicy: 
@@ -5575,9 +5341,7 @@ spec: based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name - is windows.' + and "Always". If not specified, "Always" is used.' type: string runAsGroup: description: The GID to run the entrypoint of the @@ -5596,9 +5360,7 @@ spec: does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. + set in SecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint of the @@ -5721,12 +5483,7 @@ spec: honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. + the Pod. type: boolean runAsUserName: description: The UserName in Windows to run @@ -5754,11 +5511,7 @@ spec: as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the - nodename field of struct utsname). In Windows containers, - this means setting the registry value of hostname - for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no - effect. Default to false. + nodename field of struct utsname). type: boolean shareProcessNamespace: description: 'Share a single process namespace between 
@@ -5781,13 +5534,7 @@ spec: request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, - the default grace period will be used instead. The - grace period is the duration in seconds after the - processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer than - the expected cleanup time for your process. Defaults - to 30 seconds. + the default grace period will be used instead. format: int64 type: integer tolerations: 
@@ -5897,61 +5644,66 @@ spec: "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to - which pods may be unevenly distributed. When - `whenUnsatisfiable=DoNotSchedule`, it is the - maximum permitted difference between the number - of matching pods in the target topology and - the global minimum. The global minimum is the - minimum number of matching pods in an eligible + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible domain or zero if the number of eligible domains - is less than MinDomains. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with - the same labelSelector spread as 2/2/1: In this - case, the global minimum is 1. | zone1 | zone2 - | zone3 | | P P | P P | P | - if MaxSkew - is 1, incoming pod can only be scheduled to - zone3 to become 2/2/2; scheduling it onto zone1(zone2) - would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - if MaxSkew is 2, incoming - pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. 
Default - value is 1 and 0 is not allowed.' + is less than MinDomains. format: int32 type: integer minDomains: - description: "MinDomains indicates a minimum number + description: MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats - \"global minimum\" as 0, and then the calculation + "global minimum" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value - has no effect on scheduling. As a result, when - the number of eligible domains is less than - minDomains, scheduler won't schedule more than - maxSkew Pods to those domains. If value is nil, - the constraint behaves as if MinDomains is equal - to 1. Valid values are integers greater than - 0. When value is not nil, WhenUnsatisfiable - must be DoNotSchedule. \n For example, in a - 3-zone cluster, MaxSkew is set to 2, MinDomains - is set to 5 and pods with the same labelSelector - spread as 2/2/2: | zone1 | zone2 | zone3 | | - \ P P | P P | P P | The number of domains - is less than 5(MinDomains), so \"global minimum\" - is treated as 0. In this situation, new pod - with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new - Pod is scheduled to any of the three zones, - it will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + has no effect on scheduling. format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. 
\n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical 
@@ -5959,35 +5711,16 @@ spec: We consider each as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular - instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", - each Node is a domain of that topology. And, - if TopologyKey is "topology.kubernetes.io/zone", - each zone is a domain of that topology. It's - a required field. + instance of a topology. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how - to deal with a pod if it doesn''t satisfy the - spread constraint. - DoNotSchedule (default) - tells the scheduler not to schedule it. - ScheduleAnyway + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any - location, but giving higher precedence to - topologies that would help reduce the skew. - A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible - node assignment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: | zone1 | zone2 - | zone3 | | P P P | P | P | If WhenUnsatisfiable - is set to DoNotSchedule, incoming pod can only - be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can - still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' + location, but giving higher precedence to topologies + that would help reduce the skew. type: string required: - maxSkew 
@@ -6149,6 +5882,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: description: 'user is optional: User is the rados user name, default is admin More info: @@ -6187,6 +5921,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeID: description: 'volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' @@ -6207,10 +5942,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -6220,12 +5952,7 @@ spec: as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. @@ -6242,10 +5969,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + will be used.' format: int32 type: integer path: @@ -6271,6 +5995,7 @@ spec: ConfigMap or its keys must be defined type: boolean type: object + x-kubernetes-map-type: atomic csi: description: csi (Container Storage Interface) represents ephemeral storage that is handled 
@@ -6306,6 +6031,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic readOnly: description: readOnly specifies a read-only configuration for the volume. Defaults to @@ -6336,10 +6062,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -6367,6 +6090,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions on this file, must @@ -6375,11 +6099,7 @@ spec: and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + the volume defaultMode will be used.' format: int32 type: integer path: @@ -6418,6 +6138,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object 
@@ -6448,37 +6169,19 @@ spec: and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: - http://kubernetes.io/docs/user-guide/volumes#emptydir' + http://kubernetes.' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "ephemeral represents a volume that + description: ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. \n Use - this if: a) the volume is only needed while - the pod runs, b) features of normal volumes - like restoring from snapshot or capacity tracking - are needed, c) the storage driver is specified - through a storage class, and d) the storage - driver supports dynamic volume provisioning - through a PersistentVolumeClaim (see EphemeralVolumeSource - for more information on the connection between - this volume type and PersistentVolumeClaim). - \n Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than - the lifecycle of an individual pod. \n Use CSI - for light-weight local ephemeral volumes if - the CSI driver is meant to be used that way - - see the documentation of the driver for more - information. \n A pod can use both types of - ephemeral volumes and persistent volumes at - the same time." + and deleted when the pod is removed. properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone + description: Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC 
@@ -6486,23 +6189,6 @@ spec: name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the - concatenated name is not valid for a PVC - (for example, too long). \n An existing - PVC with that name that is not owned by - the pod will *not* be used for the pod to - avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the - unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the - PVC has to updated with an owner reference - to the pod once the pod exists. Normally - this should not be necessary, but it may - be useful when manually reconstructing a - broken cluster. \n This field is read-only - and no changes will be made by Kubernetes - to the PVC after it has been created. \n - Required, must not be nil." properties: metadata: description: May contain labels and annotations @@ -6551,11 +6237,7 @@ spec: controller can support the specified data source, it will create a new volume based on the contents of - the specified data source. If the - AnyVolumeDataSource feature gate - is enabled, this field will always - have the same contents as the DataSourceRef - field.' + the specified data source.' properties: apiGroup: description: APIGroup is the group @@ -6578,8 +6260,9 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic dataSourceRef: - description: 'dataSourceRef specifies + description: dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any 
@@ -6589,29 +6272,7 @@ spec: volume binding will only succeed if the type of the specified object matches some installed volume populator - or dynamic provisioner. This field - will replace the functionality of - the DataSource field and as such - if both fields are non-empty, they - must have the same value. For backwards - compatibility, both fields (DataSource - and DataSourceRef) will be set to - the same value automatically if - one of them is empty and the other - is non-empty. There are two important - differences between DataSource and - DataSourceRef: * While DataSource - only allows two specific types of - objects, DataSourceRef allows - any non-core object, as well as - PersistentVolumeClaim objects. * - While DataSource ignores disallowed - values (dropping them), DataSourceRef preserves - all values, and generates an error - if a disallowed value is specified. - (Beta) Using this field requires - the AnyVolumeDataSource feature - gate to be enabled.' + or dynamic provisioner. properties: apiGroup: description: APIGroup is the group @@ -6634,6 +6295,7 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic resources: description: 'resources represents the minimum resources the volume @@ -6735,6 +6397,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic storageClassName: description: 'storageClassName is the name of the StorageClass required @@ -6838,6 +6501,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic required: - driver type: object 
@@ -6953,10 +6617,7 @@ spec: directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most - containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can - use host directory mounts and who can/can not - mount host directories as read/write.' + containers will NOT need this. More info: https://kubernetes.' properties: path: description: 'path of the directory on the @@ -7040,6 +6701,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic targetPortal: description: targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port @@ -7150,10 +6812,7 @@ spec: 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are - not affected by this setting. This might - be in conflict with other options that affect - the file mode, like fsGroup, and the result - can be other mode bits set. + not affected by this setting. format: int32 type: integer sources: @@ -7177,12 +6836,6 @@ spec: the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the ConfigMap, - the volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -7202,12 +6855,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: 
@@ -7236,6 +6884,7 @@ spec: be defined type: boolean type: object + x-kubernetes-map-type: atomic downwardAPI: description: downwardAPI information about the downwardAPI data to project @@ -7269,6 +6918,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions @@ -7280,12 +6930,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: @@ -7329,6 +6974,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object @@ -7348,12 +6994,6 @@ spec: the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the Secret, the - volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -7373,12 +7013,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: @@ -7407,6 +7042,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic serviceAccountToken: description: serviceAccountToken is information about the serviceAccountToken @@ -7539,6 +7175,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: description: 'user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' 
@@ -7584,6 +7221,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic sslEnabled: description: sslEnabled Flag enable/disable SSL communication with Gateway, default @@ -7625,10 +7263,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -7638,12 +7273,7 @@ spec: as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. @@ -7660,10 +7290,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + will be used.' format: int32 type: integer path: @@ -7716,6 +7343,7 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeName: description: volumeName is the human-readable name of the StorageOS volume. Volume names @@ -7730,8 +7358,7 @@ spec: StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces - within StorageOS. Namespaces that do not - pre-exist within StorageOS will be created. + within StorageOS. type: string type: object vsphereVolume: 
@@ -7838,10 +7465,7 @@ spec: format: int32 type: integer labelSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: 'Deprecated: Use Selector instead' properties: matchExpressions: description: matchExpressions is a list of label selector @@ -7884,6 +7508,13 @@ spec: only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string succeeded: description: The number of pods which reached phase Succeeded. format: int32 @@ -7908,9 +7539,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/apps/training-operator/upstream/base/crds/kustomization.yaml b/apps/training-operator/upstream/base/crds/kustomization.yaml index 495ab2f263..6617ab3e2a 100644 --- a/apps/training-operator/upstream/base/crds/kustomization.yaml +++ b/apps/training-operator/upstream/base/crds/kustomization.yaml @@ -6,3 +6,4 @@ resources: - kubeflow.org_pytorchjobs.yaml - kubeflow.org_xgboostjobs.yaml - kubeflow.org_mpijobs.yaml + - kubeflow.org_paddlejobs.yaml diff --git a/apps/training-operator/upstream/base/deployment.yaml b/apps/training-operator/upstream/base/deployment.yaml index fc6c8d2cfc..de4dc8740e 100644 --- a/apps/training-operator/upstream/base/deployment.yaml +++ b/apps/training-operator/upstream/base/deployment.yaml 
@@ -48,12 +48,5 @@ spec: initialDelaySeconds: 10 periodSeconds: 15 timeoutSeconds: 3 - resources: - limits: - cpu: 100m - memory: 30Mi - requests: - cpu: 100m - memory: 20Mi serviceAccountName: training-operator terminationGracePeriodSeconds: 10 diff --git a/apps/training-operator/upstream/overlays/kubeflow/kubeflow-training-roles.yaml b/apps/training-operator/upstream/overlays/kubeflow/kubeflow-training-roles.yaml index 50f186720c..2ea5740f92 100644 --- a/apps/training-operator/upstream/overlays/kubeflow/kubeflow-training-roles.yaml +++ b/apps/training-operator/upstream/overlays/kubeflow/kubeflow-training-roles.yaml @@ -27,6 +27,7 @@ rules: - pytorchjobs - mxjobs - xgboostjobs + - paddlejobs verbs: - create - delete @@ -43,6 +44,7 @@ rules: - pytorchjobs/status - mxjobs/status - xgboostjobs/status + - paddlejobs/status verbs: - get @@ -62,6 +64,7 @@ rules: - pytorchjobs - mxjobs - xgboostjobs + - paddlejobs verbs: - get - list @@ -74,5 +77,6 @@ rules: - pytorchjobs/status - mxjobs/status - xgboostjobs/status + - paddlejobs/status verbs: - get diff --git a/apps/training-operator/upstream/overlays/kubeflow/kustomization.yaml b/apps/training-operator/upstream/overlays/kubeflow/kustomization.yaml index 2fd5423a2b..50bfeb4e81 100644 --- a/apps/training-operator/upstream/overlays/kubeflow/kustomization.yaml +++ b/apps/training-operator/upstream/overlays/kubeflow/kustomization.yaml @@ -6,4 +6,4 @@ resources: - kubeflow-training-roles.yaml images: - name: kubeflow/training-operator - newTag: "v1-e1434f6" + newTag: "v1-d0fb5c0" diff --git a/apps/training-operator/upstream/overlays/standalone/kustomization.yaml b/apps/training-operator/upstream/overlays/standalone/kustomization.yaml index 0adcf53dd3..a7a8bd5c80 100644 --- a/apps/training-operator/upstream/overlays/standalone/kustomization.yaml +++ b/apps/training-operator/upstream/overlays/standalone/kustomization.yaml 
@@ -6,4 +6,4 @@ resources: - namespace.yaml images: - name: kubeflow/training-operator - newTag: "v1-e1434f6" + newTag: "v1-d0fb5c0" From 6b6954fdc78818cd02d07ad9ab00182d4b58c648 Mon Sep 17 00:00:00 2001 
From: yetone Date: Wed, 1 Feb 2023 11:47:30 +0800 Subject: [PATCH 18/74] Feat: Add BentoML Yatai Stack contrib (#2350) --- .github/workflows/bentoml_kind_test.yaml | 29 + contrib/bentoml/Makefile | 23 + contrib/bentoml/OWNERS | 2 + contrib/bentoml/README.md | 193 + contrib/bentoml/UPGRADE.md | 35 + .../bases/yatai-deployment/kustomization.yaml | 2 + .../bases/yatai-deployment/resources.yaml | 10816 ++++++++++++++++ .../yatai-image-builder/kustomization.yaml | 2 + .../bases/yatai-image-builder/resources.yaml | 2157 +++ .../default/kustomization.yaml | 6 + contrib/bentoml/example.yaml | 57 + .../sources/kustomization-template.yaml | 2 + .../sources/yatai-deployment-values.yaml | 20 + .../sources/yatai-image-builder-values.yaml | 13 + contrib/bentoml/test.sh | 36 + 15 files changed, 13393 insertions(+) create mode 100644 .github/workflows/bentoml_kind_test.yaml create mode 100644 contrib/bentoml/Makefile create mode 100644 contrib/bentoml/OWNERS create mode 100644 contrib/bentoml/README.md create mode 100644 contrib/bentoml/UPGRADE.md create mode 100644 contrib/bentoml/bentoml-yatai-stack/bases/yatai-deployment/kustomization.yaml create mode 100644 contrib/bentoml/bentoml-yatai-stack/bases/yatai-deployment/resources.yaml create mode 100644 contrib/bentoml/bentoml-yatai-stack/bases/yatai-image-builder/kustomization.yaml create mode 100644 contrib/bentoml/bentoml-yatai-stack/bases/yatai-image-builder/resources.yaml create mode 100644 contrib/bentoml/bentoml-yatai-stack/default/kustomization.yaml create mode 100644 contrib/bentoml/example.yaml create mode 100644 contrib/bentoml/sources/kustomization-template.yaml create mode 100644 contrib/bentoml/sources/yatai-deployment-values.yaml create mode 100644 contrib/bentoml/sources/yatai-image-builder-values.yaml create mode 100755 contrib/bentoml/test.sh diff --git a/.github/workflows/bentoml_kind_test.yaml b/.github/workflows/bentoml_kind_test.yaml new file mode 100644 index 0000000000..aeaf0eb613 --- /dev/null 
+++ b/.github/workflows/bentoml_kind_test.yaml
@@ -0,0 +1,29 @@
+name: Build & Apply BentoML Yatai Stack manifests in KinD
+on:
+ pull_request:
+ paths:
+ - contrib/bentoml/**
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Install KinD
+ run: ./tests/gh-actions/install_kind.sh
+
+ - name: Create KinD Cluster
+ run: kind create cluster --config tests/gh-actions/kind-cluster-1-24.yaml
+
+ - name: Install kustomize
+ run: ./tests/gh-actions/install_kustomize.sh
+
+ - name: Install cert-manager
+ run: ./tests/gh-actions/install_cert_manager.sh
+
+ - name: Build & Apply manifests
+ run: |
+ cd contrib/bentoml/
+ make test
diff --git a/contrib/bentoml/Makefile b/contrib/bentoml/Makefile
new file mode 100644
index 0000000000..bce96d7956
--- /dev/null
+++ b/contrib/bentoml/Makefile
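Review bot: `uses: actions/checkout@v3` in the Checkout step pins the action to a mutable major tag rather than a commit SHA, so the code that runs in this job can change without any diff in this repository; pinning to the full commit with the tag in a trailing comment (`uses: actions/checkout@<commit-sha> # v3`) keeps the supply chain auditable. The `paths` filter lists only `contrib/bentoml/**`, so a change to the KinD configuration or to the `tests/gh-actions/install_*.sh` helpers this job depends on will not re-run it; adding those paths matches how the job is actually exercised. The cluster step also hard-codes the version-specific `tests/gh-actions/kind-cluster-1-24.yaml`, which looks out of step with the other workflows' KinD configuration — worth confirming that file still exists, since a missing config fails the job at cluster creation.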
@@ -0,0 +1,23 @@
+BENTOML_YATAI_IMAGE_BUILDER_VERSION ?= 1.1.3
+BENTOML_YATAI_DEPLOYMENT_VERSION ?= 1.1.4
+BENTOML_HELM_CHART_REPO ?= https://bentoml.github.io/helm-charts
+
+.PHONY: bentoml-yatai-stack/bases
+bentoml-yatai-stack/bases: clean-kustomize
+ mkdir -p bentoml-yatai-stack/bases/yatai-image-builder
+ cd bentoml-yatai-stack/bases/yatai-image-builder && helm template --skip-tests yatai-image-builder-crds yatai-image-builder-crds --repo ${BENTOML_HELM_CHART_REPO} --namespace kubeflow --version ${BENTOML_YATAI_IMAGE_BUILDER_VERSION} > resources.yaml
+ cd bentoml-yatai-stack/bases/yatai-image-builder && helm template --skip-tests -f ../../../sources/yatai-image-builder-values.yaml yatai-image-builder yatai-image-builder --repo ${BENTOML_HELM_CHART_REPO} --namespace kubeflow --version ${BENTOML_YATAI_IMAGE_BUILDER_VERSION} >> resources.yaml
+ cp sources/kustomization-template.yaml bentoml-yatai-stack/bases/yatai-image-builder/kustomization.yaml
+ mkdir -p bentoml-yatai-stack/bases/yatai-deployment
+ cd bentoml-yatai-stack/bases/yatai-deployment && helm template --skip-tests yatai-deployment-crds yatai-deployment-crds --repo ${BENTOML_HELM_CHART_REPO} --namespace kubeflow --version ${BENTOML_YATAI_DEPLOYMENT_VERSION} > resources.yaml
+ cd bentoml-yatai-stack/bases/yatai-deployment && helm template --skip-tests -f ../../../sources/yatai-deployment-values.yaml yatai-deployment yatai-deployment --repo ${BENTOML_HELM_CHART_REPO} --namespace kubeflow --version ${BENTOML_YATAI_DEPLOYMENT_VERSION} >> resources.yaml
+ cp sources/kustomization-template.yaml bentoml-yatai-stack/bases/yatai-deployment/kustomization.yaml
+
+.PHONY: clean-kustomize
+clean-kustomize:
+ rm -rf bentoml-yatai-stack/bases
+
+.PHONY: test
+test:
+ ./test.sh
+
diff --git a/contrib/bentoml/OWNERS b/contrib/bentoml/OWNERS
new file mode 100644
index 0000000000..e37c1ced57
--- /dev/null
+++ b/contrib/bentoml/OWNERS
@@ -0,0 +1,2 @@
+approvers:
+ - yubozhao
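Review bot: The four `helm template` recipes under `bentoml-yatai-stack/bases` fetch the charts from `${BENTOML_HELM_CHART_REPO}` pinned only by `--version`, with nothing that checks the integrity of what was fetched, so the committed `resources.yaml` files reflect whatever the remote served for that version at regeneration time. If the charts ship a provenance file, adding `--verify` to each invocation makes helm check it before rendering; otherwise record the chart digest (as reported by `helm pull`) next to the version variables so a regeneration can be compared against it. A comment above the target stating that the committed `resources.yaml` files are generated output and must only be changed by re-running `make bentoml-yatai-stack/bases` would also save reviewers from hand-editing thousands of rendered lines.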
diff --git a/contrib/bentoml/README.md b/contrib/bentoml/README.md new file mode 100644 index 0000000000..8fbae4850d --- /dev/null +++ b/contrib/bentoml/README.md 
@@ -0,0 +1,193 @@
+# BentoML Yatai Stack
+
+[BentoML Yatai Stack](https://github.com/bentoml/yatai-deployment) is a series of components for deploying models/bentos to Kubernetes at scale
+
+## Requirements
+
+* Kubernetes 1.20 - 1.24
+
+## Installation
+
+ * The yaml assumes you will install in kubeflow namespace
+
+```bash
+kustomize build bentoml-yatai-stack/default | kubectl apply -n kubeflow --server-side -f -
+```
+
+## Upgrating
+
+See [UPGRADE.md](UPGRADE.md)
+
+# Design Proposal
+
+## Why BentoML
+
+![image](https://user-images.githubusercontent.com/861225/212856116-bf873dc8-7da3-4484-9f33-e401e34a82dc.png)
+
+- BentoML is an open-source framework for developing, serving, and deploying ML services.
+ - Building
+ - Unifies ML frameworks with out-of-the-box implementation of popular frameworks
+ - Exposes gRPC and OpenAPI for serving
+ - Provides Python SDK for development
+ - Deployment
+ - Any environment, batch inference, streaming, or online serving
+ - Any cloud platform for on-prem
+ - Full observability support through Grafana
+ - Yatai - BentoML's deployment platform
+
+## User Stories
+
+Goal: From simple Python module to distributed Kubernetes deployment.
+
+Consider the following common ML services involve custom pre and post-processing logic and inference of multiple models.
+
+![image](https://user-images.githubusercontent.com/861225/212856456-866125c8-2bf3-42d4-b031-3c7d89c07f37.png)
+
+### Developing on Kubeflow Notebook
+
+- Create a service using saved model.
+
+```
+%%writefile service.py
+import asyncio
+import bentoml
+
+fraud_detection = bentoml.pytorch.get("fraud_detection:latest").to_runner()
+risk_assessment_1 = bentoml.sklearn.get("risk_assessment_1:latest").to_runner()
+risk_assessment_2 = bentoml.sklearn.get("risk_assessment_2:latest").to_runner()
+risk_assessment_3 = bentoml.sklearn.get("risk_assessment_3:latest").to_runner()
+
+svc = bentoml.Service(
+ name="credit_application",
+ runners=[fraud_detection, risk_assessment_1, risk_assessment_2, risk_assessment_3]
+)
+
+@svc.api(input=bentoml.io.JSON(), output=bentoml.io.JSON())
+async def apply(input_data: dict) -> dict:
+ features = await fetch_features(input_date["user_id"])
+ detection = await fraud_detection.async_run(input_data, features)
+ if detection["confidence"] < CONFIDENCE_THRESHOLD:
+ return REJECTION
+ assessments = await asyncio.gather(
+ risk_assessment_1.async_run(input_data["application"], features),
+ risk_assessment_2.async_run(input_data["application"], features),
+ risk_assessment_3.async_run(input_data["application"], features),
+ )
+ return process_assessments(assessments)
+
+```
+
+- Serve and test the service.
+
+```
+!bentoml serve service.py:svc --reload
+
+2022-11-07T06:50:53+0000 [INFO] [cli] Prometheus metrics for HTTP BentoServer from "service.py:svc" can be accessed at .
+2022-11-07T06:50:53+0000 [INFO] [cli] Starting development HTTP BentoServer from "service.py:svc" listening on (Press CTRL+C to quit)
+
+```
+
+![image](https://user-images.githubusercontent.com/861225/212856978-c8a24c4b-bc5b-4706-887e-81f5be914938.png)
+
+- Build bento
+
+```
+!bentoml build
+
+Building BentoML service "credit_application:wly5lqc6ncpzwcvj" from build context "."
+Successfully built Bento(tag="credit_application:wly5lqc6ncpzwcvj").
+```
+
+- Export bento to blob storage.
+
+```
+!bentoml export credit_application:wly5lqc6ncpzwcvj s3://your_bento_bucket/credit_application.wly5lqc6ncpzwcvj.bento
+```
+
+### Deploying to Kubernetes
+
+![image](https://user-images.githubusercontent.com/861225/212857708-f96c9877-bb89-4afa-930a-1d2cb0300520.png)
+
+Users can deploy bentos to the K8s cluster in one of the three ways.
+
+#### Kubernetes Python Client
+
+Users can deploy bentos through Kubeflow Notebook with Kubernetes [Python client](https://github.com/kubernetes-client/python)
+
+#### kubectl
+
+BentoML offers two options to deploy bentos directly to the Kubenetes cluster through `kubectl` and the `BentoRequest`, `Bento`, and `BentoDeployment` CRDs.
+
+The first option relies on `yatai-image-builder` to build the OCI image. Users need to create a `BentoRequest` CR and `BentoDeployment` CR to deploy a bento. In the `BentoDeployment` CR, the name of the bento should be defined as the name of the `BentoRequest` CR. If this Bento CR not found, `yatai-deployment` will look for the BentoRequest CR by the same name and wait for the BentoRequest CR to generate the Bento CR. This option will build the OCI image by spawning a pod to run the Kaniko build tool. However, the Kaniko build tool requires root user access. If root user access is not available, consider the second option below.
+
+The second option relies on the users to provide a URI to the pre-built OCI image of the bento. Users need to manually create a Bento CR with the image field defined as the pre-built OCI image URI. Then create a BentoDeployment CR to reference the Bento CR previously created.
+
+#### Kubeflow Pipeline Component
+
+This option will be available in Kubeflow release 1.8.
+
+### Verification
+
+The following installation and testing steps demonstrate how to install Yatai components and deploy bentos through `kubectl` with `BentoRequest` and `BentoDeployment` CRDs.
+
+#### Installation
+
+Install with kustomize command:
+
+```
+kustomize build bentoml-yatai-stack/default | kubectl apply -n kubeflow --server-side -f -
+```
+
+#### Test
+
+Create Bento CR and BentoDeployment CR:
+
+```
+kubectl apply -f example.yaml
+```
+
+Verifying that the bento deployment is running:
+
+```
+kubectl -n kubeflow get deploy -l yatai.ai/bento-deployment=test-yatai
+```
+
+The output of the above command should be like this:
+
+```
+NAME READY UP-TO-DATE AVAILABLE AGE
+test-yatai 1/1 1 1 6m12s
+test-yatai-runner-0 1/1 1 1 16m
+```
+
+Verifying that the bento service is created:
+
+```
+kubectl -n kubeflow get service -l yatai.ai/bento-deployment=test-yatai
+```
+
+The output of the above command should look like this:
+
+```
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+test-yatai ClusterIP 10.96.150.42 3000/TCP,3001/TCP 7m59s
+test-yatai-runner-32c50ece701351fb576189d54bd58724 ClusterIP 10.96.193.242 3000/TCP,3001/TCP 7m39s
+```
+
+Port-forwarding the bento service:
+
+```
+kubectl -n kubeflow port-forward svc/test-yatai 3000:3000
+```
+
+Finally you can test the bento service with the curl command:
+
+```
+curl -X 'POST' http://localhost:3000/classify -d '[[0,1,2,3]]'
+```
+
+The output should be:
+
+```
+[2]
+```
diff --git a/contrib/bentoml/UPGRADE.md b/contrib/bentoml/UPGRADE.md
new file mode 100644
index 0000000000..1dc7ec1a1d
--- /dev/null
+++ b/contrib/bentoml/UPGRADE.md
@@ -0,0 +1,35 @@
+# Upgrading Documentation
+
+## Updating manifests
+
+In order to update manifests make sure you are running the commands in linux.
+
+If you are running in another OS, please make sure to update the Makefile commands.
+
+You can refresh the configuration by running:
+
+```
+make bentoml-yatai-stack/base
+```
+
+## Updating to specific version
+
+Upgrading the version can be done by setting the `BENTOML_YATAI_STACK_VERSION` environment variable, such as:
+
+```
+# Set the desired version
+export BENTOML_YATAI_IMAGE_BUILDER_VERSION=1.1.0
+export BENTOML_YATAI_DEPLOYMENT_VERSION=1.1.0
+
+# Rebuild the kustomize bases
+make bentoml-yatai-stack/bases
+
+# Run new manifests against cluster
+kustomize build bentoml-yatai-stack/default | kubectl apply -f -
+```
+
+## Instructions for breaking changes
+
+The [Yatai upgrading docs](https://docs.bentoml.org/projects/yatai) provide step by step overview of breaking changes across minor and patch versions.
+
+
diff --git a/contrib/bentoml/bentoml-yatai-stack/bases/yatai-deployment/kustomization.yaml b/contrib/bentoml/bentoml-yatai-stack/bases/yatai-deployment/kustomization.yaml
new file mode 100644
index 0000000000..b6b8eeb903
--- /dev/null
+++ b/contrib/bentoml/bentoml-yatai-stack/bases/yatai-deployment/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- resources.yaml
diff --git a/contrib/bentoml/bentoml-yatai-stack/bases/yatai-deployment/resources.yaml b/contrib/bentoml/bentoml-yatai-stack/bases/yatai-deployment/resources.yaml
new file mode 100644
index 0000000000..a27ae00554
--- /dev/null
+++ b/contrib/bentoml/bentoml-yatai-stack/bases/yatai-deployment/resources.yaml
@@ -0,0 +1,10816 @@ +--- +# Source: yatai-deployment-crds/templates/bentodeployment.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: 'kubeflow/yatai-deployment-serving-cert' + controller-gen.kubebuilder.io/version: v0.7.0 + name: bentodeployments.serving.yatai.ai +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: 'yatai-deployment-webhook-service' + namespace: 'kubeflow' + path: /convert + conversionReviewVersions: + - v1 + - v1alpha1 + - v1alpha2 + - v1alpha3 + - v2alpha1 + group: serving.yatai.ai + names: + kind: BentoDeployment + listKind: BentoDeploymentList + plural: bentodeployments + singular: bentodeployment + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: BentoTag + jsonPath: .spec.bento_tag + name: Bento + type: string + - description: Ready + jsonPath: .status.printerReady + name: Ready + type: string + - description: MinReplicas + jsonPath: .spec.autoscaling.min_replicas + name: MinReplicas + type: integer + - description: MaxReplicas + jsonPath: .spec.autoscaling.max_replicas + name: MaxReplicas + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BentoDeployment is the Schema for the bentodeployments API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BentoDeploymentSpec defines the desired state of BentoDeployment + properties: + autoscaling: + properties: + cpu: + format: int32 + type: integer + gpu: + format: int32 + type: integer + max_replicas: + format: int32 + type: integer + memory: + type: string + min_replicas: + format: int32 + type: integer + qps: + format: int64 + type: integer + type: object + bento_tag: + type: string + envs: + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + resources: + properties: + limits: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + requests: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + type: object + runners: + items: + properties: + autoscaling: + properties: + maxReplicas: + format: int32 + type: integer + metrics: + items: + description: MetricSpec specifies how to scale based on + a single metric (only `type` and one other matching + field should be set at once). + properties: + containerResource: + description: container resource refers to a resource + metric (such as those specified in requests and + limits) known to Kubernetes describing a single + container in each pod of the current scale target + (e.g. CPU or memory). Such metrics are built in + to Kubernetes, and have special scaling options + on top of those available to normal per-pod metrics + using the "pods" source. This is an alpha feature + and can be enabled by the HPAContainerMetrics feature + flag. 
+ properties: + container: + description: container is the name of the container + in the pods of the scaling target + type: string + name: + description: name is the name of the resource + in question. + type: string + target: + description: target specifies the target value + for the given metric + properties: + averageUtilization: + description: averageUtilization is the target + value of the average of the resource metric + across all relevant pods, represented as + a percentage of the requested value of the + resource for the pods. Currently only valid + for Resource metric source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value + of the average of the metric across all + relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of + the metric (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + description: external refers to a global metric that + is not associated with any Kubernetes object. It + allows autoscaling based on information coming from + components running outside of cluster (for example + length of queue in cloud messaging service, or QPS + from loadbalancer running outside of cluster). 
+ properties: + metric: + description: metric identifies the target metric + by name and selector + properties: + name: + description: name is the name of the given + metric + type: string + selector: + description: selector is the string-encoded + form of a standard kubernetes label selector + for the given metric When set, it is passed + as an additional parameter to the metrics + server for more specific metrics scoping. + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + required: + - name + type: object + target: + description: target specifies the target value + for the given metric + properties: + averageUtilization: + description: averageUtilization is the target + value of the average of the resource metric + across all relevant pods, represented as + a percentage of the requested value of the + resource for the pods. Currently only valid + for Resource metric source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value + of the average of the metric across all + relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of + the metric (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + description: object refers to a metric describing + a single kubernetes object (for example, hits-per-second + on an Ingress object). + properties: + describedObject: + description: CrossVersionObjectReference contains + enough information to let you identify the referred + resource. 
+ properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: 'Kind of the referent; More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"' + type: string + name: + description: 'Name of the referent; More info: + http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + required: + - kind + - name + type: object + metric: + description: metric identifies the target metric + by name and selector + properties: + name: + description: name is the name of the given + metric + type: string + selector: + description: selector is the string-encoded + form of a standard kubernetes label selector + for the given metric When set, it is passed + as an additional parameter to the metrics + server for more specific metrics scoping. + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + required: + - name + type: object + target: + description: target specifies the target value + for the given metric + properties: + averageUtilization: + description: averageUtilization is the target + value of the average of the resource metric + across all relevant pods, represented as + a percentage of the requested value of the + resource for the pods. Currently only valid + for Resource metric source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value + of the average of the metric across all + relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of + the metric (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + description: pods refers to a metric describing each + pod in the current scale target (for example, transactions-processed-per-second). The + values will be averaged together before being compared + to the target value. 
+ properties: + metric: + description: metric identifies the target metric + by name and selector + properties: + name: + description: name is the name of the given + metric + type: string + selector: + description: selector is the string-encoded + form of a standard kubernetes label selector + for the given metric When set, it is passed + as an additional parameter to the metrics + server for more specific metrics scoping. + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + required: + - name + type: object + target: + description: target specifies the target value + for the given metric + properties: + averageUtilization: + description: averageUtilization is the target + value of the average of the resource metric + across all relevant pods, represented as + a percentage of the requested value of the + resource for the pods. Currently only valid + for Resource metric source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value + of the average of the metric across all + relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of + the metric (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + description: resource refers to a resource metric + (such as those specified in requests and limits) + known to Kubernetes describing each pod in the current + scale target (e.g. CPU or memory). Such metrics + are built in to Kubernetes, and have special scaling + options on top of those available to normal per-pod + metrics using the "pods" source. + properties: + name: + description: name is the name of the resource + in question. 
+ type: string + target: + description: target specifies the target value + for the given metric + properties: + averageUtilization: + description: averageUtilization is the target + value of the average of the resource metric + across all relevant pods, represented as + a percentage of the requested value of the + resource for the pods. Currently only valid + for Resource metric source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value + of the average of the metric across all + relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of + the metric (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + description: 'type is the type of metric source. It + should be one of "ContainerResource", "External", + "Object", "Pods" or "Resource", each mapping to + a matching field in the object. Note: "ContainerResource" + type is available on when the feature-gate HPAContainerMetrics + is enabled' + type: string + required: + - type + type: object + type: array + minReplicas: + format: int32 + type: integer + required: + - maxReplicas + type: object + name: + type: string + resources: + description: ResourceRequirements describes the compute resource + requirements. 
+ properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + type: array + required: + - bento_tag + type: object + status: + description: BentoDeploymentStatus defines the observed state of BentoDeployment + properties: + availableReplicas: + description: Total number of available pods (ready for at least minReadySeconds) + targeted by this deployment. + format: int32 + type: integer + podSelector: + additionalProperties: + type: string + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "make" to regenerate code after modifying + this file' + type: object + printerReady: + type: string + readyReplicas: + description: readyReplicas is the number of pods targeted by this + Deployment with a Ready Condition. + format: int32 + type: integer + replicas: + description: Total number of non-terminated pods targeted by this + deployment (their labels match the selector). 
+ format: int32 + type: integer + unavailableReplicas: + description: Total number of unavailable pods targeted by this deployment. + This is the total number of pods that are still required for the + deployment to have 100% available capacity. They may either be pods + that are running but not yet available or pods that still have not + been created. + format: int32 + type: integer + updatedReplicas: + description: Total number of non-terminated pods targeted by this + deployment that have the desired template spec. + format: int32 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: BentoTag + jsonPath: .spec.bento_tag + name: Bento + type: string + - description: Ready + jsonPath: .status.printerReady + name: Ready + type: string + - description: MinReplicas + jsonPath: .spec.autoscaling.min_replicas + name: MinReplicas + type: integer + - description: MaxReplicas + jsonPath: .spec.autoscaling.max_replicas + name: MaxReplicas + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: BentoDeployment is the Schema for the bentodeployments API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BentoDeploymentSpec defines the desired state of BentoDeployment + properties: + autoscaling: + properties: + cpu: + format: int32 + type: integer + gpu: + format: int32 + type: integer + max_replicas: + format: int32 + type: integer + memory: + type: string + min_replicas: + format: int32 + type: integer + qps: + format: int64 + type: integer + type: object + bento_tag: + type: string + envs: + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + ingress: + properties: + enabled: + type: boolean + type: object + resources: + properties: + limits: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + requests: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + type: object + runners: + items: + properties: + autoscaling: + properties: + cpu: + format: int32 + type: integer + gpu: + format: int32 + type: integer + max_replicas: + format: int32 + type: integer + memory: + type: string + min_replicas: + format: int32 + type: integer + qps: + format: int64 + type: integer + type: object + envs: + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + name: + type: string + resources: + properties: + limits: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + requests: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: 
object + type: object + type: object + type: array + required: + - bento_tag + type: object + status: + description: BentoDeploymentStatus defines the observed state of BentoDeployment + properties: + availableReplicas: + description: Total number of available pods (ready for at least minReadySeconds) + targeted by this deployment. + format: int32 + type: integer + podSelector: + additionalProperties: + type: string + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "make" to regenerate code after modifying + this file' + type: object + printerReady: + type: string + readyReplicas: + description: readyReplicas is the number of pods targeted by this + Deployment with a Ready Condition. + format: int32 + type: integer + replicas: + description: Total number of non-terminated pods targeted by this + deployment (their labels match the selector). + format: int32 + type: integer + unavailableReplicas: + description: Total number of unavailable pods targeted by this deployment. + This is the total number of pods that are still required for the + deployment to have 100% available capacity. They may either be pods + that are running but not yet available or pods that still have not + been created. + format: int32 + type: integer + updatedReplicas: + description: Total number of non-terminated pods targeted by this + deployment that have the desired template spec. 
+ format: int32 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: BentoTag + jsonPath: .spec.bento_tag + name: Bento + type: string + - description: Ready + jsonPath: .status.printerReady + name: Ready + type: string + - description: MinReplicas + jsonPath: .spec.autoscaling.min_replicas + name: MinReplicas + type: integer + - description: MaxReplicas + jsonPath: .spec.autoscaling.max_replicas + name: MaxReplicas + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + description: BentoDeployment is the Schema for the bentodeployments API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BentoDeploymentSpec defines the desired state of BentoDeployment + properties: + annotations: + additionalProperties: + type: string + type: object + autoscaling: + properties: + cpu: + format: int32 + type: integer + gpu: + format: int32 + type: integer + max_replicas: + format: int32 + type: integer + memory: + type: string + min_replicas: + format: int32 + type: integer + qps: + format: int64 + type: integer + type: object + bento_tag: + type: string + envs: + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + extra_pod_metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + extra_pod_spec: + properties: + affinity: + description: Affinity is a group of affinity scheduling rules. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). 
+ A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. 
If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them are + ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. 
If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. 
for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". 
The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. 
null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. 
+ type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. 
The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + type: object + schedulerName: + type: string + tolerations: + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. 
If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine + the number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to + select the pods over which spreading will be calculated. 
+ The keys are used to lookup values from the incoming pod + labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading + will be calculated for the incoming pod. Keys that don't + exist in the incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which pods + may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the number + of matching pods in the target topology and the global + minimum. The global minimum is the minimum number of matching + pods in an eligible domain or zero if the number of eligible + domains is less than MinDomains. For example, in a 3-zone + cluster, MaxSkew is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | | P P | P P | P | - + if MaxSkew is 1, incoming pod can only be scheduled to + zone3 to become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled + onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies that + satisfy it. It''s a required field. Default value is 1 + and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number of eligible + domains. When the number of eligible domains with matching + topology keys is less than minDomains, Pod Topology Spread + treats \"global minimum\" as 0, and then the calculation + of Skew is performed. And when the number of eligible + domains with matching topology keys equals or greater + than minDomains, this value has no effect on scheduling. 
+ As a result, when the number of eligible domains is less + than minDomains, scheduler won't schedule more than maxSkew + Pods to those domains. If value is nil, the constraint + behaves as if MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set to 5 and pods with + the same labelSelector spread as 2/2/2: | zone1 | zone2 + | zone3 | | P P | P P | P P | The number of domains + is less than 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the same labelSelector + cannot be scheduled, because computed skew will be 3(3 + - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. \n This is a beta field and requires + the MinDomainsInPodTopologySpread feature gate to be enabled + (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will treat + Pod's nodeAffinity/nodeSelector when calculating pod topology + spread skew. Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this value is + nil, the behavior is equivalent to the Honor policy. This + is a alpha-level feature enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will treat + node taints when calculating pod topology spread skew. + Options are: - Honor: nodes without taints, along with + tainted nodes for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. All nodes + are included. \n If this value is nil, the behavior is + equivalent to the Ignore policy. 
This is a alpha-level + feature enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. Nodes + that have a label with this key and identical values are + considered to be in the same topology. We consider each + as a "bucket", and try to put balanced number + of pods into each bucket. We define a domain as a particular + instance of a topology. Also, we define an eligible domain + as a domain whose nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain + of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with + a pod if it doesn''t satisfy the spread constraint. - + DoNotSchedule (default) tells the scheduler not to schedule + it. - ScheduleAnyway tells the scheduler to schedule the + pod in any location, but giving higher precedence to + topologies that would help reduce the skew. A constraint + is considered "Unsatisfiable" for an incoming pod if and + only if every possible node assignment for that pod would + violate "MaxSkew" on some topology. For example, in a + 3-zone cluster, MaxSkew is set to 1, and pods with the + same labelSelector spread as 3/1/1: | zone1 | zone2 | + zone3 | | P P P | P | P | If WhenUnsatisfiable + is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) + on zone2(zone3) satisfies MaxSkew(1). In other words, + the cluster can still be imbalanced, but scheduler won''t + make it *more* imbalanced. It''s a required field.' 
+ type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + ingress: + properties: + annotations: + additionalProperties: + type: string + type: object + enabled: + type: boolean + labels: + additionalProperties: + type: string + type: object + tls: + properties: + secretName: + type: string + type: object + type: object + labels: + additionalProperties: + type: string + type: object + resources: + properties: + limits: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + requests: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + type: object + runners: + items: + properties: + annotations: + additionalProperties: + type: string + type: object + autoscaling: + properties: + cpu: + format: int32 + type: integer + gpu: + format: int32 + type: integer + max_replicas: + format: int32 + type: integer + memory: + type: string + min_replicas: + format: int32 + type: integer + qps: + format: int64 + type: integer + type: object + envs: + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + extra_pod_metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + extra_pod_spec: + properties: + affinity: + description: Affinity is a group of affinity scheduling + rules. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and adding + "weight" to the sum if the node matches the corresponding + matchExpressions; the node(s) with the highest + sum are the most preferred. + items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 (i.e. + it's a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. If + the affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to an update), the system may or may + not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector + term matches no objects. The requirements + of them are ANDed. 
The TopologySelectorTerm + type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and adding + "weight" to the sum if the node has pods which + matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. 
+ type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. If + the affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. 
When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + namespaceSelector: + description: A label query over the set of + namespaces that the term applies to. The + term is applied to the union of the namespaces + selected by this field and the ones listed + in the namespaces field. null selector and + null or empty namespaces list means "this + pod's namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term applies + to. The term is applied to the union of + the namespaces listed in this field and + the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose value + of the label with key topologyKey matches + that of any node on which any of the selected + pods is running. Empty topologyKey is not + allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and adding + "weight" to the sum if the node has pods which + matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. 
+ The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. 
+ type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. If + the anti-affinity requirements specified by this + field cease to be met at some point during pod + execution (e.g. due to a pod label update), the + system may or may not try to eventually evict + the pod from its node. When there are multiple + elements, the lists of nodes corresponding to + each podAffinityTerm are intersected, i.e. all + terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of + namespaces that the term applies to. The + term is applied to the union of the namespaces + selected by this field and the ones listed + in the namespaces field. null selector and + null or empty namespaces list means "this + pod's namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term applies + to. The term is applied to the union of + the namespaces listed in this field and + the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose value + of the label with key topologyKey matches + that of any node on which any of the selected + pods is running. Empty topologyKey is not + allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + type: object + schedulerName: + type: string + tolerations: + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect to + match. Empty means match all taint effects. When + specified, allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If + the key is empty, operator must be Exists; this + combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. 
Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect + NoExecute, otherwise this field is ignored) tolerates + the taint. By default, it is not set, which means + tolerate the taint forever (do not evict). Zero + and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + items: + description: TopologySpreadConstraint specifies how to + spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are counted + to determine the number of pods in their corresponding + topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading will + be calculated. The keys are used to lookup values + from the incoming pod labels, those key-value labels + are ANDed with labelSelector to select the group + of existing pods over which spreading will be calculated + for the incoming pod. Keys that don't exist in the + incoming pod labels will be ignored. A null or empty + list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the + number of matching pods in the target topology and + the global minimum. The global minimum is the minimum + number of matching pods in an eligible domain or + zero if the number of eligible domains is less than + MinDomains. For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum + is 1. | zone1 | zone2 | zone3 | | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled + to zone3 to become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can + be scheduled onto any zone. 
When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies + that satisfy it. It''s a required field. Default + value is 1 and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less than + minDomains, Pod Topology Spread treats \"global + minimum\" as 0, and then the calculation of Skew + is performed. And when the number of eligible domains + with matching topology keys equals or greater than + minDomains, this value has no effect on scheduling. + As a result, when the number of eligible domains + is less than minDomains, scheduler won't schedule + more than maxSkew Pods to those domains. If value + is nil, the constraint behaves as if MinDomains + is equal to 1. Valid values are integers greater + than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone + cluster, MaxSkew is set to 2, MinDomains is set + to 5 and pods with the same labelSelector spread + as 2/2/2: | zone1 | zone2 | zone3 | | P P | P + P | P P | The number of domains is less than + 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the same labelSelector + cannot be scheduled, because computed skew will + be 3(3 - 0) if new Pod is scheduled to any of the + three zones, it will violate MaxSkew. \n This is + a beta field and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we + will treat Pod's nodeAffinity/nodeSelector when + calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the calculations. 
+ \n If this value is nil, the behavior is equivalent + to the Honor policy. This is a alpha-level feature + enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will + treat node taints when calculating pod topology + spread skew. Options are: - Honor: nodes without + taints, along with tainted nodes for which the incoming + pod has a toleration, are included. - Ignore: node + taints are ignored. All nodes are included. \n If + this value is nil, the behavior is equivalent to + the Ignore policy. This is a alpha-level feature + enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", and + try to put balanced number of pods into each bucket. + We define a domain as a particular instance of a + topology. Also, we define an eligible domain as + a domain whose nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if + TopologyKey is "topology.kubernetes.io/zone", each + zone is a domain of that topology. It's a required + field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal + with a pod if it doesn''t satisfy the spread constraint. + - DoNotSchedule (default) tells the scheduler not + to schedule it. - ScheduleAnyway tells the scheduler + to schedule the pod in any location, but giving + higher precedence to topologies that would help + reduce the skew. A constraint is considered "Unsatisfiable" + for an incoming pod if and only if every possible + node assignment for that pod would violate "MaxSkew" + on some topology. 
For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the same labelSelector + spread as 3/1/1: | zone1 | zone2 | zone3 | | P P + P | P | P | If WhenUnsatisfiable is set + to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) + on zone2(zone3) satisfies MaxSkew(1). In other words, + the cluster can still be imbalanced, but scheduler + won''t make it *more* imbalanced. It''s a required + field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + labels: + additionalProperties: + type: string + type: object + name: + type: string + resources: + properties: + limits: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + requests: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + type: object + type: object + type: array + required: + - bento_tag + type: object + status: + description: BentoDeploymentStatus defines the observed state of BentoDeployment + properties: + availableReplicas: + description: Total number of available pods (ready for at least minReadySeconds) + targeted by this deployment. + format: int32 + type: integer + podSelector: + additionalProperties: + type: string + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "make" to regenerate code after modifying + this file' + type: object + printerReady: + type: string + readyReplicas: + description: readyReplicas is the number of pods targeted by this + Deployment with a Ready Condition. + format: int32 + type: integer + replicas: + description: Total number of non-terminated pods targeted by this + deployment (their labels match the selector). 
+ format: int32 + type: integer + unavailableReplicas: + description: Total number of unavailable pods targeted by this deployment. + This is the total number of pods that are still required for the + deployment to have 100% available capacity. They may either be pods + that are running but not yet available or pods that still have not + been created. + format: int32 + type: integer + updatedReplicas: + description: Total number of non-terminated pods targeted by this + deployment that have the desired template spec. + format: int32 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Bento + jsonPath: .spec.bento + name: Bento + type: string + - description: Available + jsonPath: .status.conditions[?(@.type=='Available')].status + name: Available + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2alpha1 + schema: + openAPIV3Schema: + description: BentoDeployment is the Schema for the bentodeployments API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BentoDeploymentSpec defines the desired state of BentoDeployment + properties: + annotations: + additionalProperties: + type: string + type: object + autoscaling: + properties: + behavior: + description: HorizontalPodAutoscalerBehavior configures the scaling + behavior of the target in both Up and Down directions (scaleUp + and scaleDown fields respectively). + properties: + scaleDown: + description: scaleDown is scaling policy for scaling Down. + If not set, the default value is to allow to scale down + to minReplicas pods, with a 300 second stabilization window + (i.e., the highest recommendation for the last 300sec is + used). + properties: + policies: + description: policies is a list of potential scaling polices + which can be used during scaling. At least one policy + must be specified, otherwise the HPAScalingRules will + be discarded as invalid + items: + description: HPAScalingPolicy is a single policy which + must hold true for a specified past interval. + properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and less + than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. + type: string + value: + description: Value contains the amount of change + which is permitted by the policy. It must be greater + than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + selectPolicy: + description: selectPolicy is used to specify which policy + should be used. If not set, the default value MaxPolicySelect + is used. 
+ type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the number + of seconds for which past recommendations should be + considered while scaling up or scaling down. StabilizationWindowSeconds + must be greater than or equal to zero and less than + or equal to 3600 (one hour). If not set, use the default + values: - For scale up: 0 (i.e. no stabilization is + done). - For scale down: 300 (i.e. the stabilization + window is 300 seconds long).' + format: int32 + type: integer + type: object + scaleUp: + description: 'scaleUp is scaling policy for scaling Up. If + not set, the default value is the higher of: * increase + no more than 4 pods per 60 seconds * double the number + of pods per 60 seconds No stabilization is used.' + properties: + policies: + description: policies is a list of potential scaling polices + which can be used during scaling. At least one policy + must be specified, otherwise the HPAScalingRules will + be discarded as invalid + items: + description: HPAScalingPolicy is a single policy which + must hold true for a specified past interval. + properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and less + than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. + type: string + value: + description: Value contains the amount of change + which is permitted by the policy. It must be greater + than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + selectPolicy: + description: selectPolicy is used to specify which policy + should be used. If not set, the default value MaxPolicySelect + is used. 
+ type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the number + of seconds for which past recommendations should be + considered while scaling up or scaling down. StabilizationWindowSeconds + must be greater than or equal to zero and less than + or equal to 3600 (one hour). If not set, use the default + values: - For scale up: 0 (i.e. no stabilization is + done). - For scale down: 300 (i.e. the stabilization + window is 300 seconds long).' + format: int32 + type: integer + type: object + type: object + maxReplicas: + format: int32 + type: integer + metrics: + items: + description: MetricSpec specifies how to scale based on a single + metric (only `type` and one other matching field should be + set at once). + properties: + containerResource: + description: container resource refers to a resource metric + (such as those specified in requests and limits) known + to Kubernetes describing a single container in each pod + of the current scale target (e.g. CPU or memory). Such + metrics are built in to Kubernetes, and have special scaling + options on top of those available to normal per-pod metrics + using the "pods" source. This is an alpha feature and + can be enabled by the HPAContainerMetrics feature flag. + properties: + container: + description: container is the name of the container + in the pods of the scaling target + type: string + name: + description: name is the name of the resource in question. + type: string + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. 
+ Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + description: external refers to a global metric that is + not associated with any Kubernetes object. It allows autoscaling + based on information coming from components running outside + of cluster (for example length of queue in cloud messaging + service, or QPS from loadbalancer running outside of cluster). + properties: + metric: + description: metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: selector is the string-encoded form + of a standard kubernetes label selector for the + given metric When set, it is passed as an additional + parameter to the metrics server for more specific + metrics scoping. When unset, just the metricName + will be used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + required: + - name + type: object + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. 
+ Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + description: object refers to a metric describing a single + kubernetes object (for example, hits-per-second on an + Ingress object). + properties: + describedObject: + description: CrossVersionObjectReference contains enough + information to let you identify the referred resource. 
+ properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"' + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + required: + - kind + - name + type: object + metric: + description: metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: selector is the string-encoded form + of a standard kubernetes label selector for the + given metric When set, it is passed as an additional + parameter to the metrics server for more specific + metrics scoping. When unset, just the metricName + will be used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + required: + - name + type: object + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. + Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + description: pods refers to a metric describing each pod + in the current scale target (for example, transactions-processed-per-second). The + values will be averaged together before being compared + to the target value. 
+ properties: + metric: + description: metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: selector is the string-encoded form + of a standard kubernetes label selector for the + given metric When set, it is passed as an additional + parameter to the metrics server for more specific + metrics scoping. When unset, just the metricName + will be used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + required: + - name + type: object + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. + Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + description: resource refers to a resource metric (such + as those specified in requests and limits) known to Kubernetes + describing each pod in the current scale target (e.g. + CPU or memory). Such metrics are built in to Kubernetes, + and have special scaling options on top of those available + to normal per-pod metrics using the "pods" source. + properties: + name: + description: name is the name of the resource in question. 
+ type: string + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. + Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + description: 'type is the type of metric source. It should + be one of "ContainerResource", "External", "Object", "Pods" + or "Resource", each mapping to a matching field in the + object. Note: "ContainerResource" type is available on + when the feature-gate HPAContainerMetrics is enabled' + type: string + required: + - type + type: object + type: array + minReplicas: + format: int32 + type: integer + required: + - maxReplicas + - minReplicas + type: object + bento: + type: string + envs: + items: + description: EnvVar represents an environment variable present in + a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. 
+ type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using + the previously defined environment variables in the container + and any service environment variables. If a variable cannot + be resolved, the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the + string literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists or + not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot + be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, + status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + extraPodMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + extraPodSpec: + properties: + affinity: + description: Affinity is a group of affinity scheduling rules. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. 
for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. 
+ type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them are + ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. 
+ type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. 
The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + containers: + items: + description: A single application container that you want to + run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. Variable + references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the reference + in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string literal + "$(VAR_NAME)". Escaped references will never be expanded, + regardless of whether the variable exists or not. Cannot + be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. + The container image''s ENTRYPOINT is used if this is not + provided. Variable references $(VAR_NAME) are expanded + using the container''s environment. If a variable cannot + be resolved, the reference in the input string will be + unchanged. Double $$ are reduced to a single $, which + allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". Escaped + references will never be expanded, regardless of whether + the variable exists or not. Cannot be updated. More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the + container. Cannot be updated. + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are + expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, the + reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". Escaped + references will never be expanded, regardless of + whether the variable exists or not. Defaults to + "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. 
+ properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the + pod's namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables + in the container. The keys defined within a source must + be a C_IDENTIFIER. All invalid keys will be reported as + an event when the container is starting. When a key exists + in multiple sources, the value associated with the last + source will take precedence. Values defined by an Env + with a duplicate key will take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of a + set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap must + be defined + type: boolean + type: object + prefix: + description: An optional identifier to prepend to + each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret must be + defined + type: boolean + type: object + type: object + type: array + image: + description: 'Container image name. 
More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management + to default or override container images in workload controllers + like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take + in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after + a container is created. If the handler fails, the + container is terminated and restarted according to + its restart policy. Other management of the container + blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of this + field and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a + container is terminated due to an API request or management + event such as liveness/startup probe failure, preemption, + resource contention, etc. The handler is not called + if the container crashes or exits. The Pod''s termination + grace period countdown begins before the PreStop hook + is executed. Regardless of the outcome of the handler, + the container will eventually terminate within the + Pod''s termination grace period (unless delayed by + finalizers). 
Other management of the container blocks + until the hook completes or until the termination + grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. 
There are no validation of this + field and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container + will be restarted if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. This is a beta field and requires enabling GRPCContainerProbe + feature gate. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. 
Minimum + value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and + the time when the processes are forcibly halted with + a kill signal. Set this value longer than the expected + cleanup time for your process. If this value is nil, + the pod's terminationGracePeriodSeconds will be used. + Otherwise, this value overrides the value provided + by the pod spec. Value must be non-negative integer. + The value zero indicates stop immediately via the + kill signal (no opportunity to shut down). This is + a beta field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. Defaults to 1 second. Minimum value is + 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that port + from being exposed. 
Any port which is listening on the + default "0.0.0.0" address inside a container will be accessible + from the network. Modifying this array with strategic + merge patch may corrupt the data. For more information + See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port in + a single container. + properties: + containerPort: + description: Number of port to expose on the pod's + IP address. This must be a valid port number, 0 + < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port + to. + type: string + hostPort: + description: Number of port to expose on the host. + If specified, this must be a valid port number, + 0 < x < 65536. If HostNetwork is specified, this + must match ContainerPort. Most containers do not + need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in a + pod must have a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, + or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if the + probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. 
The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. This is a beta field and requires enabling GRPCContainerProbe + feature gate. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum + value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and + the time when the processes are forcibly halted with + a kill signal. Set this value longer than the expected + cleanup time for your process. If this value is nil, + the pod's terminationGracePeriodSeconds will be used. + Otherwise, this value overrides the value provided + by the pod spec. Value must be non-negative integer. + The value zero indicates stop immediately via the + kill signal (no opportunity to shut down). 
This is + a beta field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. Defaults to 1 second. Minimum value is + 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of + compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security options + the container should be run with. If set, the fields of + SecurityContext override the equivalent fields of PodSecurityContext. 
+ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether + a process can gain more privileges than its parent + process. This bool directly controls if the no_new_privs + flag will be set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run as Privileged + 2) has CAP_SYS_ADMIN Note that this field cannot be + set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running + containers. Defaults to the default set of capabilities + granted by the container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent + to root on the host. Defaults to false. Note that + this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc mount + to use for the containers. The default is DefaultProcMount + which uses the container runtime defaults for readonly + paths and masked paths. This requires the ProcMountType + feature flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that this + field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container + process. 
Uses runtime default if unset. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set + when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as + a non-root user. If true, the Kubelet will validate + the image at runtime to ensure that it does not run + as UID 0 (root) and fail to start the container if + it does. If unset or false, no such validation will + be performed. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata + if unspecified. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the + container. If unspecified, the container runtime will + allocate a random SELinux context for each container. May + also be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is + windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by this container. + If seccomp options are provided at both the pod & + container level, the container options override the + pod options. Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative to + the kubelet's configured seccomp profile location. + Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: \n + Localhost - a profile defined in a file on the + node should be used. RuntimeDefault - the container + runtime default profile should be used. Unconfined + - no profile should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied to + all containers. If unspecified, the options from the + PodSecurityContext will be used. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set + when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA + admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec + named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. This + field is alpha-level and will only be honored + by components that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without the feature + flag will result in errors when validating the + Pod. All of a Pod's containers must have the same + effective HostProcess value (it is not allowed + to have a mix of HostProcess containers and non-HostProcess + containers). In addition, if HostProcess is true + then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the + entrypoint of the container process. Defaults + to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully + initialized. If specified, no other probes are executed + until this completes successfully. If this probe fails, + the Pod will be restarted, just as if the livenessProbe + failed. This can be used to provide different probe parameters + at the beginning of a Pod''s lifecycle, when it might + take a long time to load data or warm a cache, than during + steady-state operation. This cannot be updated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. 
+ items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. This is a beta field and requires enabling GRPCContainerProbe + feature gate. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum + value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and + the time when the processes are forcibly halted with + a kill signal. Set this value longer than the expected + cleanup time for your process. If this value is nil, + the pod's terminationGracePeriodSeconds will be used. + Otherwise, this value overrides the value provided + by the pod spec. Value must be non-negative integer. + The value zero indicates stop immediately via the + kill signal (no opportunity to shut down). This is + a beta field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. 
spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. Defaults to 1 second. Minimum value is + 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer + for stdin in the container runtime. If this is not set, + reads from stdin in the container will always result in + EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close + the stdin channel after it has been opened by a single + attach. When stdin is true the stdin stream will remain + open across multiple attach sessions. If stdinOnce is + set to true, stdin is opened on container start, is empty + until the first client attaches to stdin, and then remains + open and accepts data until the client disconnects, at + which time stdin is closed and remains closed until the + container is restarted. If this flag is false, a container + processes that reads from stdin will never receive an + EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which + the container''s termination message will be written is + mounted into the container''s filesystem. Message written + is intended to be brief final status, such as an assertion + failure message. Will be truncated by the node if greater + than 4096 bytes. The total message length across all containers + will be limited to 12kb. Defaults to /dev/termination-log. + Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should + be populated. File will use the contents of terminationMessagePath + to populate the container status message on both success + and failure. 
FallbackToLogsOnError will use the last chunk + of container log output if the termination message file + is empty and the container exited with an error. The log + output is limited to 2048 bytes or 80 lines, whichever + is smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate a TTY + for itself, also requires 'stdin' to be true. Default + is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices + to be used by the container. + items: + description: volumeDevice describes a mapping of a raw + block device within a container. + properties: + devicePath: + description: devicePath is the path inside of the + container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. + Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: Path within the container at which the + volume should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts + are propagated from the host to container and the + other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the + container's volume should be mounted. Defaults to + "" (volume's root). 
+ type: string + subPathExpr: + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable + references $(VAR_NAME) are expanded using the container's + environment. Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which might + be configured in the container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + type: object + schedulerName: + type: string + serviceAccountName: + type: string + tolerations: + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). 
Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine + the number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to + select the pods over which spreading will be calculated. + The keys are used to lookup values from the incoming pod + labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading + will be calculated for the incoming pod. Keys that don't + exist in the incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which pods + may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the number + of matching pods in the target topology and the global + minimum. The global minimum is the minimum number of matching + pods in an eligible domain or zero if the number of eligible + domains is less than MinDomains. For example, in a 3-zone + cluster, MaxSkew is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | | P P | P P | P | - + if MaxSkew is 1, incoming pod can only be scheduled to + zone3 to become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled + onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies that + satisfy it. It''s a required field. Default value is 1 + and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number of eligible + domains. When the number of eligible domains with matching + topology keys is less than minDomains, Pod Topology Spread + treats \"global minimum\" as 0, and then the calculation + of Skew is performed. 
And when the number of eligible + domains with matching topology keys equals or greater + than minDomains, this value has no effect on scheduling. + As a result, when the number of eligible domains is less + than minDomains, scheduler won't schedule more than maxSkew + Pods to those domains. If value is nil, the constraint + behaves as if MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set to 5 and pods with + the same labelSelector spread as 2/2/2: | zone1 | zone2 + | zone3 | | P P | P P | P P | The number of domains + is less than 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the same labelSelector + cannot be scheduled, because computed skew will be 3(3 + - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. \n This is a beta field and requires + the MinDomainsInPodTopologySpread feature gate to be enabled + (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will treat + Pod's nodeAffinity/nodeSelector when calculating pod topology + spread skew. Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this value is + nil, the behavior is equivalent to the Honor policy. This + is a alpha-level feature enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will treat + node taints when calculating pod topology spread skew. + Options are: - Honor: nodes without taints, along with + tainted nodes for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. 
All nodes + are included. \n If this value is nil, the behavior is + equivalent to the Ignore policy. This is a alpha-level + feature enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. Nodes + that have a label with this key and identical values are + considered to be in the same topology. We consider each + as a "bucket", and try to put balanced number + of pods into each bucket. We define a domain as a particular + instance of a topology. Also, we define an eligible domain + as a domain whose nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain + of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with + a pod if it doesn''t satisfy the spread constraint. - + DoNotSchedule (default) tells the scheduler not to schedule + it. - ScheduleAnyway tells the scheduler to schedule the + pod in any location, but giving higher precedence to + topologies that would help reduce the skew. A constraint + is considered "Unsatisfiable" for an incoming pod if and + only if every possible node assignment for that pod would + violate "MaxSkew" on some topology. For example, in a + 3-zone cluster, MaxSkew is set to 1, and pods with the + same labelSelector spread as 3/1/1: | zone1 | zone2 | + zone3 | | P P P | P | P | If WhenUnsatisfiable + is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) + on zone2(zone3) satisfies MaxSkew(1). In other words, + the cluster can still be imbalanced, but scheduler won''t + make it *more* imbalanced. It''s a required field.' 
+ type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + ingress: + properties: + annotations: + additionalProperties: + type: string + type: object + enabled: + type: boolean + labels: + additionalProperties: + type: string + type: object + tls: + properties: + secretName: + type: string + type: object + type: object + labels: + additionalProperties: + type: string + type: object + monitorExporter: + properties: + enabled: + type: boolean + options: + additionalProperties: + type: string + type: object + output: + type: string + type: object + resources: + properties: + limits: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + requests: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + type: object + runners: + items: + properties: + annotations: + additionalProperties: + type: string + type: object + autoscaling: + properties: + behavior: + description: HorizontalPodAutoscalerBehavior configures + the scaling behavior of the target in both Up and Down + directions (scaleUp and scaleDown fields respectively). + properties: + scaleDown: + description: scaleDown is scaling policy for scaling + Down. If not set, the default value is to allow to + scale down to minReplicas pods, with a 300 second + stabilization window (i.e., the highest recommendation + for the last 300sec is used). + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. 
+ properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold + true. PeriodSeconds must be greater than + zero and less than or equal to 1800 (30 + min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. + type: string + value: + description: Value contains the amount of + change which is permitted by the policy. + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default + value MaxPolicySelect is used. + type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the + number of seconds for which past recommendations + should be considered while scaling up or scaling + down. StabilizationWindowSeconds must be greater + than or equal to zero and less than or equal to + 3600 (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization + window is 300 seconds long).' + format: int32 + type: integer + type: object + scaleUp: + description: 'scaleUp is scaling policy for scaling + Up. If not set, the default value is the higher of: * + increase no more than 4 pods per 60 seconds * double + the number of pods per 60 seconds No stabilization + is used.' + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold + true. 
PeriodSeconds must be greater than + zero and less than or equal to 1800 (30 + min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. + type: string + value: + description: Value contains the amount of + change which is permitted by the policy. + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default + value MaxPolicySelect is used. + type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the + number of seconds for which past recommendations + should be considered while scaling up or scaling + down. StabilizationWindowSeconds must be greater + than or equal to zero and less than or equal to + 3600 (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization + window is 300 seconds long).' + format: int32 + type: integer + type: object + type: object + maxReplicas: + format: int32 + type: integer + metrics: + items: + description: MetricSpec specifies how to scale based on + a single metric (only `type` and one other matching + field should be set at once). + properties: + containerResource: + description: container resource refers to a resource + metric (such as those specified in requests and + limits) known to Kubernetes describing a single + container in each pod of the current scale target + (e.g. CPU or memory). Such metrics are built in + to Kubernetes, and have special scaling options + on top of those available to normal per-pod metrics + using the "pods" source. This is an alpha feature + and can be enabled by the HPAContainerMetrics feature + flag. 
+ properties: + container: + description: container is the name of the container + in the pods of the scaling target + type: string + name: + description: name is the name of the resource + in question. + type: string + target: + description: target specifies the target value + for the given metric + properties: + averageUtilization: + description: averageUtilization is the target + value of the average of the resource metric + across all relevant pods, represented as + a percentage of the requested value of the + resource for the pods. Currently only valid + for Resource metric source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value + of the average of the metric across all + relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of + the metric (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + description: external refers to a global metric that + is not associated with any Kubernetes object. It + allows autoscaling based on information coming from + components running outside of cluster (for example + length of queue in cloud messaging service, or QPS + from loadbalancer running outside of cluster). 
+ properties: + metric: + description: metric identifies the target metric + by name and selector + properties: + name: + description: name is the name of the given + metric + type: string + selector: + description: selector is the string-encoded + form of a standard kubernetes label selector + for the given metric When set, it is passed + as an additional parameter to the metrics + server for more specific metrics scoping. + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + required: + - name + type: object + target: + description: target specifies the target value + for the given metric + properties: + averageUtilization: + description: averageUtilization is the target + value of the average of the resource metric + across all relevant pods, represented as + a percentage of the requested value of the + resource for the pods. Currently only valid + for Resource metric source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value + of the average of the metric across all + relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of + the metric (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + description: object refers to a metric describing + a single kubernetes object (for example, hits-per-second + on an Ingress object). + properties: + describedObject: + description: CrossVersionObjectReference contains + enough information to let you identify the referred + resource. 
+ properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: 'Kind of the referent; More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"' + type: string + name: + description: 'Name of the referent; More info: + http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + required: + - kind + - name + type: object + metric: + description: metric identifies the target metric + by name and selector + properties: + name: + description: name is the name of the given + metric + type: string + selector: + description: selector is the string-encoded + form of a standard kubernetes label selector + for the given metric When set, it is passed + as an additional parameter to the metrics + server for more specific metrics scoping. + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + required: + - name + type: object + target: + description: target specifies the target value + for the given metric + properties: + averageUtilization: + description: averageUtilization is the target + value of the average of the resource metric + across all relevant pods, represented as + a percentage of the requested value of the + resource for the pods. Currently only valid + for Resource metric source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value + of the average of the metric across all + relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of + the metric (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + description: pods refers to a metric describing each + pod in the current scale target (for example, transactions-processed-per-second). The + values will be averaged together before being compared + to the target value. 
+ properties: + metric: + description: metric identifies the target metric + by name and selector + properties: + name: + description: name is the name of the given + metric + type: string + selector: + description: selector is the string-encoded + form of a standard kubernetes label selector + for the given metric When set, it is passed + as an additional parameter to the metrics + server for more specific metrics scoping. + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + required: + - name + type: object + target: + description: target specifies the target value + for the given metric + properties: + averageUtilization: + description: averageUtilization is the target + value of the average of the resource metric + across all relevant pods, represented as + a percentage of the requested value of the + resource for the pods. Currently only valid + for Resource metric source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value + of the average of the metric across all + relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of + the metric (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + description: resource refers to a resource metric + (such as those specified in requests and limits) + known to Kubernetes describing each pod in the current + scale target (e.g. CPU or memory). Such metrics + are built in to Kubernetes, and have special scaling + options on top of those available to normal per-pod + metrics using the "pods" source. + properties: + name: + description: name is the name of the resource + in question. 
+ type: string + target: + description: target specifies the target value + for the given metric + properties: + averageUtilization: + description: averageUtilization is the target + value of the average of the resource metric + across all relevant pods, represented as + a percentage of the requested value of the + resource for the pods. Currently only valid + for Resource metric source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value + of the average of the metric across all + relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of + the metric (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + description: 'type is the type of metric source. It + should be one of "ContainerResource", "External", + "Object", "Pods" or "Resource", each mapping to + a matching field in the object. Note: "ContainerResource" + type is available on when the feature-gate HPAContainerMetrics + is enabled' + type: string + required: + - type + type: object + type: array + minReplicas: + format: int32 + type: integer + required: + - maxReplicas + - minReplicas + type: object + envs: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be + a C_IDENTIFIER. 
+ type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. + If a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + extraPodMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + extraPodSpec: + properties: + affinity: + description: Affinity is a group of affinity scheduling + rules. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. 
for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and adding + "weight" to the sum if the node matches the corresponding + matchExpressions; the node(s) with the highest + sum are the most preferred. + items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 (i.e. + it's a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. 
+ type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. If + the affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to an update), the system may or may + not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector + term matches no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. 
+ type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, etc. + as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and adding + "weight" to the sum if the node has pods which + matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. 
A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. If + the affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of + namespaces that the term applies to. 
The + term is applied to the union of the namespaces + selected by this field and the ones listed + in the namespaces field. null selector and + null or empty namespaces list means "this + pod's namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term applies + to. The term is applied to the union of + the namespaces listed in this field and + the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose value + of the label with key topologyKey matches + that of any node on which any of the selected + pods is running. Empty topologyKey is not + allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and adding + "weight" to the sum if the node has pods which + matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. 
+ type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. If + the anti-affinity requirements specified by this + field cease to be met at some point during pod + execution (e.g. due to a pod label update), the + system may or may not try to eventually evict + the pod from its node. When there are multiple + elements, the lists of nodes corresponding to + each podAffinityTerm are intersected, i.e. all + terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of + namespaces that the term applies to. The + term is applied to the union of the namespaces + selected by this field and the ones listed + in the namespaces field. null selector and + null or empty namespaces list means "this + pod's namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term applies + to. The term is applied to the union of + the namespaces listed in this field and + the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose value + of the label with key topologyKey matches + that of any node on which any of the selected + pods is running. Empty topologyKey is not + allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + containers: + items: + description: A single application container that you want + to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. Variable + references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the + reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". Escaped + references will never be expanded, regardless of + whether the variable exists or not. Cannot be updated. 
+ More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is used + if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double $$ + are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped + references will never be expanded, regardless of + whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set + in the container. Cannot be updated. + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container and + any service environment variables. If a variable + cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, + regardless of whether the variable exists + or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. 
+ properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, + defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the + container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults + to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in + the pod's namespace + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. 
+ type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container + is starting. When a key exists in multiple sources, + the value associated with the last source will take + precedence. Values defined by an Env with a duplicate + key will take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + type: object + type: array + image: + description: 'Container image name. 
More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config + management to default or override container images + in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, + IfNotPresent. Defaults to Always if :latest tag + is specified, or IfNotPresent otherwise. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should + take in response to container lifecycle events. + Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There are + no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before + a container is terminated due to an API request + or management event such as liveness/startup + probe failure, preemption, resource contention, + etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace + period countdown begins before the PreStop hook + is executed. Regardless of the outcome of the + handler, the container will eventually terminate + within the Pod''s termination grace period (unless + delayed by finalizers). 
Other management of + the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. 
TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There are + no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to + access on the container. Number must be + in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum value + is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. 
Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to + access on the container. Number must be + in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a + DNS_LABEL. Each container in a pod must have a unique + name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that + port from being exposed. 
Any port which is listening + on the default "0.0.0.0" address inside a container + will be accessible from the network. Modifying this + array with strategic merge patch may corrupt the + data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on the + pod's IP address. This must be a valid port + number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the + host. If specified, this must be a valid port + number, 0 < x < 65536. If HostNetwork is specified, + this must match ContainerPort. Most containers + do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port + in a pod must have a unique name. Name for + the port that can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, + TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. 
The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to + access on the container. Number must be + in the range 1 to 65535. 
Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum value + is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to + access on the container. Number must be + in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. 
The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If set, + the fields of SecurityContext override the equivalent + fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges than + its parent process. This bool directly controls + if the no_new_privs flag will be set on the + container process. AllowPrivilegeEscalation + is true always when the container is: 1) run + as Privileged 2) has CAP_SYS_ADMIN Note that + this field cannot be set when spec.os.name is + windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when + running containers. Defaults to the default + set of capabilities granted by the container + runtime. Note that this field cannot be set + when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults to + false. Note that this field cannot be set when + spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default + is DefaultProcMount which uses the container + runtime defaults for readonly paths and masked + paths. This requires the ProcMountType feature + flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that + this field cannot be set when spec.os.name is + windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint of + the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be set + when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must + run as a non-root user. If true, the Kubelet + will validate the image at runtime to ensure + that it does not run as UID 0 (root) and fail + to start the container if it does. If unset + or false, no such validation will be performed. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of + the container process. Defaults to user specified + in image metadata if unspecified. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note that + this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be set + when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. 
+ type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided at + both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: localhostProfile indicates a + profile defined in a file on the node should + be used. The profile must be preconfigured + on the node to work. Must be a descending + path, relative to the kubelet's configured + seccomp profile location. Must only be set + if type is "Localhost". + type: string + type: + description: "type indicates which kind of + seccomp profile will be applied. Valid options + are: \n Localhost - a profile defined in + a file on the node should be used. RuntimeDefault + - the container runtime default profile + should be used. Unconfined - no profile + should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be set + when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the + name of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. 
+ This field is alpha-level and will only + be honored by components that enable the + WindowsHostProcessContainers feature flag. + Setting this field without the feature flag + will result in errors when validating the + Pod. All of a Pod's containers must have + the same effective HostProcess value (it + is not allowed to have a mix of HostProcess + containers and non-HostProcess containers). In + addition, if HostProcess is true then HostNetwork + must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. + Defaults to the user specified in image + metadata if unspecified. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod + has successfully initialized. If specified, no other + probes are executed until this completes successfully. + If this probe fails, the Pod will be restarted, + just as if the livenessProbe failed. This can be + used to provide different probe parameters at the + beginning of a Pod''s lifecycle, when it might take + a long time to load data or warm a cache, than during + steady-state operation. This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. 
+ items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to + access on the container. Number must be + in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum value + is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to + access on the container. Number must be + in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. 
spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If + this is not set, reads from stdin in the container + will always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach sessions. + If stdinOnce is set to true, stdin is opened on + container start, is empty until the first client + attaches to stdin, and then remains open and accepts + data until the client disconnects, at which time + stdin is closed and remains closed until the container + is restarted. If this flag is false, a container + processes that reads from stdin will never receive + an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to + which the container''s termination message will + be written is mounted into the container''s filesystem. + Message written is intended to be brief final status, + such as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. 
FallbackToLogsOnError + will use the last chunk of container log output + if the termination message file is empty and the + container exited with an error. The log output is + limited to 2048 bytes or 80 lines, whichever is + smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be true. + Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices + to be used by the container. + items: + description: volumeDevice describes a mapping of + a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside of + the container that the device will be mapped + to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting of + a Volume within a container. + properties: + mountPath: + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. + type: string + mountPropagation: + description: mountPropagation determines how + mounts are propagated from the host to container + and the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults + to false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. + Defaults to "" (volume's root). 
+ type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should be + mounted. Behaves similarly to SubPath but + environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not + specified, the container runtime's default will + be used, which might be configured in the container + image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + type: object + schedulerName: + type: string + serviceAccountName: + type: string + tolerations: + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect to + match. Empty means match all taint effects. When + specified, allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If + the key is empty, operator must be Exists; this + combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect + NoExecute, otherwise this field is ignored) tolerates + the taint. By default, it is not set, which means + tolerate the taint forever (do not evict). 
Zero + and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + items: + description: TopologySpreadConstraint specifies how to + spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are counted + to determine the number of pods in their corresponding + topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading will + be calculated. The keys are used to lookup values + from the incoming pod labels, those key-value labels + are ANDed with labelSelector to select the group + of existing pods over which spreading will be calculated + for the incoming pod. Keys that don't exist in the + incoming pod labels will be ignored. A null or empty + list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the + number of matching pods in the target topology and + the global minimum. The global minimum is the minimum + number of matching pods in an eligible domain or + zero if the number of eligible domains is less than + MinDomains. For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum + is 1. | zone1 | zone2 | zone3 | | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled + to zone3 to become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can + be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies + that satisfy it. It''s a required field. Default + value is 1 and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less than + minDomains, Pod Topology Spread treats \"global + minimum\" as 0, and then the calculation of Skew + is performed. 
And when the number of eligible domains + with matching topology keys equals or greater than + minDomains, this value has no effect on scheduling. + As a result, when the number of eligible domains + is less than minDomains, scheduler won't schedule + more than maxSkew Pods to those domains. If value + is nil, the constraint behaves as if MinDomains + is equal to 1. Valid values are integers greater + than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone + cluster, MaxSkew is set to 2, MinDomains is set + to 5 and pods with the same labelSelector spread + as 2/2/2: | zone1 | zone2 | zone3 | | P P | P + P | P P | The number of domains is less than + 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the same labelSelector + cannot be scheduled, because computed skew will + be 3(3 - 0) if new Pod is scheduled to any of the + three zones, it will violate MaxSkew. \n This is + a beta field and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we + will treat Pod's nodeAffinity/nodeSelector when + calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the calculations. + \n If this value is nil, the behavior is equivalent + to the Honor policy. This is a alpha-level feature + enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will + treat node taints when calculating pod topology + spread skew. Options are: - Honor: nodes without + taints, along with tainted nodes for which the incoming + pod has a toleration, are included. - Ignore: node + taints are ignored. 
All nodes are included. \n If + this value is nil, the behavior is equivalent to + the Ignore policy. This is a alpha-level feature + enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", and + try to put balanced number of pods into each bucket. + We define a domain as a particular instance of a + topology. Also, we define an eligible domain as + a domain whose nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if + TopologyKey is "topology.kubernetes.io/zone", each + zone is a domain of that topology. It's a required + field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal + with a pod if it doesn''t satisfy the spread constraint. + - DoNotSchedule (default) tells the scheduler not + to schedule it. - ScheduleAnyway tells the scheduler + to schedule the pod in any location, but giving + higher precedence to topologies that would help + reduce the skew. A constraint is considered "Unsatisfiable" + for an incoming pod if and only if every possible + node assignment for that pod would violate "MaxSkew" + on some topology. For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the same labelSelector + spread as 3/1/1: | zone1 | zone2 | zone3 | | P P + P | P | P | If WhenUnsatisfiable is set + to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) + on zone2(zone3) satisfies MaxSkew(1). In other words, + the cluster can still be imbalanced, but scheduler + won''t make it *more* imbalanced. It''s a required + field.' 
+ type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + labels: + additionalProperties: + type: string + type: object + name: + type: string + resources: + properties: + limits: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + requests: + properties: + cpu: + type: string + custom: + additionalProperties: + type: string + type: object + gpu: + type: string + memory: + type: string + type: object + type: object + type: object + type: array + required: + - bento + type: object + status: + description: BentoDeploymentStatus defines the observed state of BentoDeployment + properties: + conditions: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "make" to regenerate code after modifying + this file' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n \ttype FooStatus struct{ \t // Represents the observations + of a foo's current state. \t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\" \t // + +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map + \t // +listMapKey=type \t Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields + \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. 
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ podSelector:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - conditions
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+# Source: yatai-deployment/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: yatai-deployment
+ namespace: kubeflow
+ labels:
+ helm.sh/chart: yatai-deployment-1.1.4
+ app.kubernetes.io/name: yatai-deployment
+ app.kubernetes.io/instance: yatai-deployment
+ app.kubernetes.io/version: "1.1.4"
+ app.kubernetes.io/managed-by: Helm
+---
+# Source: yatai-deployment/templates/secret-env.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: yatai-deployment-env
+ namespace: kubeflow
+ labels:
+ helm.sh/chart: yatai-deployment-1.1.4
+ app.kubernetes.io/name: yatai-deployment
+ app.kubernetes.io/instance: yatai-deployment
+ app.kubernetes.io/version: "1.1.4"
+ app.kubernetes.io/managed-by: Helm
+type: Opaque
+stringData:
+ YATAI_SYSTEM_NAMESPACE: kubeflow
+ YATAI_API_TOKEN: "yrfiGXV1dw0X99eR"
+
+ INTERNAL_IMAGES_METRICS_TRANSFORMER: "quay.io/bentoml/yatai-bento-metrics-transformer:0.0.3"
+ INTERNAL_IMAGES_DEBUGGER: "quay.io/bentoml/bento-debugger:0.0.5"
+---
+# Source: yatai-deployment/templates/secret-shared-env.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: yatai-deployment-shared-env
+ namespace: kubeflow
+ labels:
+ helm.sh/chart: yatai-deployment-1.1.4
+ app.kubernetes.io/name: yatai-deployment
+ app.kubernetes.io/instance: yatai-deployment
+ app.kubernetes.io/version: "1.1.4"
+ app.kubernetes.io/managed-by: Helm
+type: Opaque
+stringData:
+ YATAI_DEPLOYMENT_NAMESPACE: kubeflow
+ BENTO_DEPLOYMENT_NAMESPACES: "kubeflow"
+---
+# Source: yatai-deployment/templates/configmap-network.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: network
+ namespace: kubeflow
+ labels:
+ helm.sh/chart: yatai-deployment-1.1.4
+ app.kubernetes.io/name: yatai-deployment
+ app.kubernetes.io/instance: yatai-deployment
+ app.kubernetes.io/version: "1.1.4"
+ app.kubernetes.io/managed-by: Helm
+data:
+ ingress-class: nginx
+ ingress-path: "/"
+ ingress-path-type: "ImplementationSpecific"
+---
+# Source: yatai-deployment/templates/role-in-yatai-system-namespace.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: yatai-deployment-in-yatai-system
+ namespace: kubeflow
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - yatai-common-env
+ - yatai-deployment-shared-env
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: yatai-deployment/templates/role-with-bento-deployment.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: yatai-deployment-with-bento-deployment
+ namespace: "kubeflow"
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - serving.yatai.ai
+ resources:
+ - bentodeployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - serving.yatai.ai
+ resources:
+ - bentodeployments/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - serving.yatai.ai
+ resources:
+ - bentodeployments/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - resources.yatai.ai
+ resources:
+ - bentorequests
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - update
+ - create
+- apiGroups:
+ - resources.yatai.ai
+ resources:
+ - bentorequests/status
+ verbs:
+ - get
+- apiGroups:
+ - resources.yatai.ai
+ resources:
+ - bentoes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - resources.yatai.ai
+ resources:
+ - bentoes/status
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: yatai-deployment/templates/role-yatai-in-yatai-system-namespace.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: yatai-role-for-yatai-deployment
+ namespace: kubeflow
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - yatai-common-env
+ - yatai-deployment-shared-env
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: yatai-deployment/templates/role-yatai-with-bento-deployment.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: yatai-with-bento-deployment
+ namespace: "kubeflow"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - update
+ - patch
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/attach
+ verbs:
+ - create
+ - update
+ - patch
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/ephemeralcontainers
+ verbs:
+ - create
+ - update
+ - patch
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - serving.yatai.ai
+ resources:
+ - bentodeployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - serving.yatai.ai
+ resources:
+ - bentodeployments/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - serving.yatai.ai
+ resources:
+ - bentodeployments/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+# Source: yatai-deployment/templates/role-yatai-with-yatai-deployment.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: yatai-with-yatai-deployment
+ namespace: kubeflow
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - update
+ - patch
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/attach
+ verbs:
+ - create
+ - update
+ - patch
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/ephemeralcontainers
+ verbs:
+ - create
+ - update
+ - patch
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - yatai-deployment-env
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: yatai-deployment/templates/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: yatai-deployment
+ namespace: kubeflow
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+# Source: yatai-deployment/templates/rolebinding-in-yatai-system-namespace.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: yatai-deployment-in-yatai-system
+ namespace: kubeflow
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: yatai-deployment-in-yatai-system
+subjects:
+ - kind: ServiceAccount
+ name: yatai-deployment
+ namespace: kubeflow
+---
+# Source: yatai-deployment/templates/rolebinding-with-bento-deployment.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: yatai-deployment-with-bento-deployment
+ namespace: "kubeflow"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: yatai-deployment-with-bento-deployment
+subjects:
+ - kind: ServiceAccount
+ name: yatai-deployment
+ namespace: kubeflow
+---
+# Source: yatai-deployment/templates/rolebinding-yatai-in-yatai-system-namespace.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: yatai-role-for-yatai-deployment
+ namespace: kubeflow
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: yatai-role-for-yatai-deployment
+subjects:
+ - kind: ServiceAccount
+ name: yatai
+ namespace: kubeflow
+---
+# Source: yatai-deployment/templates/rolebinding-yatai-with-bento-deployment.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: yatai-with-bento-deployment
+ namespace: "kubeflow"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: yatai-with-bento-deployment
+subjects:
+ - kind: ServiceAccount
+ name: yatai
+ namespace: kubeflow
+---
+# Source: yatai-deployment/templates/rolebinding-yatai-with-yatai-deployment.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: yatai-with-yatai-deployment
+ namespace: kubeflow
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: yatai-with-yatai-deployment
+subjects:
+ - kind: ServiceAccount
+ name: yatai
+ namespace: kubeflow
+---
+# Source: yatai-deployment/templates/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: yatai-deployment
+ namespace: kubeflow
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: yatai-deployment
+subjects:
+ - kind: ServiceAccount
+ name: yatai-deployment
+ namespace: kubeflow
+---
+# Source: yatai-deployment/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: yatai-deployment-webhook-service
+ namespace: kubeflow
+ labels:
+ helm.sh/chart: yatai-deployment-1.1.4
+ app.kubernetes.io/name: yatai-deployment
+ app.kubernetes.io/instance: yatai-deployment
+ app.kubernetes.io/version: "1.1.4"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ ports:
+
- port: 443 + protocol: TCP + targetPort: 9443 + selector: + app.kubernetes.io/name: yatai-deployment + app.kubernetes.io/instance: yatai-deployment +--- +# Source: yatai-deployment/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: yatai-deployment + namespace: kubeflow + labels: + helm.sh/chart: yatai-deployment-1.1.4 + app.kubernetes.io/name: yatai-deployment + app.kubernetes.io/instance: yatai-deployment + app.kubernetes.io/version: "1.1.4" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: yatai-deployment + app.kubernetes.io/instance: yatai-deployment + template: + metadata: + labels: + app.kubernetes.io/name: yatai-deployment + app.kubernetes.io/instance: yatai-deployment + spec: + serviceAccountName: yatai-deployment + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: manager + args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: yatai-deployment-env + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + image: "quay.io/bentoml/yatai-deployment:1.1.4" + imagePullPolicy: IfNotPresent + + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 8081 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 20 + successThreshold: 1 + timeoutSeconds: 1 + + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 8081 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + + resources: + {} + + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 
420 + secretName: yatai-deployment-webhook-server-cert +--- +# Source: yatai-deployment/templates/certificate.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: yatai-deployment-serving-cert + namespace: kubeflow + labels: + helm.sh/chart: yatai-deployment-1.1.4 + app.kubernetes.io/name: yatai-deployment + app.kubernetes.io/instance: yatai-deployment + app.kubernetes.io/version: "1.1.4" + app.kubernetes.io/managed-by: Helm +spec: + dnsNames: + - yatai-deployment-webhook-service.kubeflow.svc + - yatai-deployment-webhook-service.kubeflow.svc.cluster.local + issuerRef: + kind: Issuer + name: yatai-deployment-selfsigned-issuer + secretName: yatai-deployment-webhook-server-cert +--- +# Source: yatai-deployment/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: yatai-deployment-selfsigned-issuer + namespace: kubeflow + labels: + helm.sh/chart: yatai-deployment-1.1.4 + app.kubernetes.io/name: yatai-deployment + app.kubernetes.io/instance: yatai-deployment + app.kubernetes.io/version: "1.1.4" + app.kubernetes.io/managed-by: Helm +spec: + selfSigned: {} diff --git a/contrib/bentoml/bentoml-yatai-stack/bases/yatai-image-builder/kustomization.yaml b/contrib/bentoml/bentoml-yatai-stack/bases/yatai-image-builder/kustomization.yaml new file mode 100644 index 0000000000..b6b8eeb903 --- /dev/null +++ b/contrib/bentoml/bentoml-yatai-stack/bases/yatai-image-builder/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- resources.yaml diff --git a/contrib/bentoml/bentoml-yatai-stack/bases/yatai-image-builder/resources.yaml b/contrib/bentoml/bentoml-yatai-stack/bases/yatai-image-builder/resources.yaml new file mode 100644 index 0000000000..18a57c26c6 --- /dev/null +++ b/contrib/bentoml/bentoml-yatai-stack/bases/yatai-image-builder/resources.yaml 
@@ -0,0 +1,2157 @@ +--- +# Source: yatai-image-builder-crds/templates/bentorequest.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: bentoes.resources.yatai.ai +spec: + group: resources.yatai.ai + names: + kind: Bento + listKind: BentoList + plural: bentoes + singular: bento + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Tag + jsonPath: .spec.tag + name: Tag + type: string + - description: Image + jsonPath: .spec.image + name: Image + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Bento is the Schema for the bentoes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BentoSpec defines the desired state of Bento + properties: + context: + properties: + bentomlVersion: + type: string + type: object + image: + type: string + imagePullSecrets: + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + runners: + items: + properties: + modelTags: + items: + type: string + type: array + name: + type: string + runnableType: + type: string + required: + - name + type: object + type: array + tag: + type: string + required: + - image + - tag + type: object + status: + description: BentoStatus defines the observed state of Bento + properties: + ready: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + type: boolean + required: + - ready + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +# Source: yatai-image-builder-crds/templates/bentorequest.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: bentorequests.resources.yatai.ai +spec: + group: resources.yatai.ai + names: + kind: BentoRequest + listKind: BentoRequestList + plural: bentorequests + singular: bentorequest + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Bento Tag + jsonPath: .spec.bentoTag + name: Bento-Tag + type: string + - description: Download URL + jsonPath: .spec.downloadUrl + name: Download-Url + type: string + - description: Image + jsonPath: .spec.image + name: Image + type: string + - description: Image Exists + jsonPath: .status.conditions[?(@.type=='ImageExists')].status + name: Image-Exists + type: string + - description: Bento Available + jsonPath: .status.conditions[?(@.type=='BentoAvailable')].status + name: Bento-Available + type: string + - description: Image Builder Pod Phase + jsonPath: .status.imageBuilderPodStatus.phase + name: Image-Builder-Pod-Phase + type: string 
+ - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BentoRequest is the Schema for the bentorequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BentoRequestSpec defines the desired state of BentoRequest + properties: + bentoTag: + type: string + context: + properties: + bentomlVersion: + type: string + type: object + dockerConfigJsonSecretName: + type: string + downloadUrl: + type: string + downloaderContainerEnvFrom: + items: + description: EnvFromSource represents the source of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + type: string + imageBuildTimeout: + description: A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years. + format: int64 + type: integer + imageBuilderContainerResources: + description: ResourceRequirements describes the compute resource requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + imageBuilderExtraContainerEnv: + items: + description: EnvVar represents an environment variable present in a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. 
+ type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + imageBuilderExtraPodMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + imageBuilderExtraPodSpec: + properties: + affinity: + description: Affinity is a group of affinity scheduling rules. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements by node's fields. + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: The label key that the selector applies to. 
+ type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: The label key that the selector applies to. 
+ type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements by node's fields. + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + type: object + schedulerName: + type: string + serviceAccountName: + type: string + tolerations: + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. 
Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + items: + description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1. | zone1 | zone2 | zone3 | | P P | P P | P | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence to topologies that satisfy it. 
It''s a required field. Default value is 1 and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats \"global minimum\" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, scheduler won't schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule. \n For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | | P P | P P | P P | The number of domains is less than 5(MinDomains), so \"global minimum\" is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew. \n This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. \n If this value is nil, the behavior is equivalent to the Honor policy. This is a alpha-level feature enabled by the NodeInclusionPolicyInPodTopologySpread feature flag." 
+ type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included. \n If this value is nil, the behavior is equivalent to the Ignore policy. This is a alpha-level feature enabled by the NodeInclusionPolicyInPodTopologySpread feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with a pod if it doesn''t satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology. 
For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won''t make it *more* imbalanced. It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + models: + items: + properties: + downloadUrl: + type: string + tag: + type: string + required: + - tag + type: object + type: array + ociRegistryInsecure: + type: boolean + runners: + items: + properties: + modelTags: + items: + type: string + type: array + name: + type: string + runnableType: + type: string + required: + - name + type: object + type: array + required: + - bentoTag + type: object + status: + description: BentoRequestStatus defines the observed state of BentoRequest + properties: + conditions: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + imageBuilderPodStatus: + description: PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane. + properties: + conditions: + description: 'Current service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions' + items: + description: PodCondition contains details for the current condition of this pod. + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: 'Status is the status of the condition. Can be True, False, Unknown. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions' + type: string + type: + description: 'Type is the type of the condition. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions' + type: string + required: + - status + - type + type: object + type: array + containerStatuses: + description: 'The list has one entry per container in the manifest. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status' + items: + description: ContainerStatus contains details for the current status of this container. + properties: + containerID: + description: Container's ID in the format '://'. + type: string + image: + description: 'The image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images.' + type: string + imageID: + description: ImageID of the container's image. + type: string + lastState: + description: Details about the container's last termination condition. + properties: + running: + description: Details about a running container + properties: + startedAt: + description: Time at which the container was last (re-)started + format: date-time + type: string + type: object + terminated: + description: Details about a terminated container + properties: + containerID: + description: Container's ID in the format '://' + type: string + exitCode: + description: Exit status from the last termination of the container + format: int32 + type: integer + finishedAt: + description: Time at which the container last terminated + format: date-time + type: string + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + format: int32 + type: integer + startedAt: + description: Time at which previous execution of the container started + format: date-time + type: string + required: + - exitCode + type: object + waiting: + description: Details about a waiting container + properties: + message: + description: Message regarding why the container is not yet running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + type: object + type: object + name: + description: This must be a DNS_LABEL. 
Each container in a pod must have a unique name. Cannot be updated. + type: string + ready: + description: Specifies whether the container has passed its readiness probe. + type: boolean + restartCount: + description: The number of times the container has been restarted. + format: int32 + type: integer + started: + description: Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined. + type: boolean + state: + description: Details about the container's current condition. + properties: + running: + description: Details about a running container + properties: + startedAt: + description: Time at which the container was last (re-)started + format: date-time + type: string + type: object + terminated: + description: Details about a terminated container + properties: + containerID: + description: Container's ID in the format '://' + type: string + exitCode: + description: Exit status from the last termination of the container + format: int32 + type: integer + finishedAt: + description: Time at which the container last terminated + format: date-time + type: string + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + format: int32 + type: integer + startedAt: + description: Time at which previous execution of the container started + format: date-time + type: string + required: + - exitCode + type: object + waiting: + description: Details about a waiting container + properties: + message: + description: Message regarding why the container is not yet running. 
+ type: string + reason: + description: (brief) reason the container is not yet running. + type: string + type: object + type: object + required: + - image + - imageID + - name + - ready + - restartCount + type: object + type: array + ephemeralContainerStatuses: + description: Status for any ephemeral containers that have run in this pod. + items: + description: ContainerStatus contains details for the current status of this container. + properties: + containerID: + description: Container's ID in the format '://'. + type: string + image: + description: 'The image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images.' + type: string + imageID: + description: ImageID of the container's image. + type: string + lastState: + description: Details about the container's last termination condition. + properties: + running: + description: Details about a running container + properties: + startedAt: + description: Time at which the container was last (re-)started + format: date-time + type: string + type: object + terminated: + description: Details about a terminated container + properties: + containerID: + description: Container's ID in the format '://' + type: string + exitCode: + description: Exit status from the last termination of the container + format: int32 + type: integer + finishedAt: + description: Time at which the container last terminated + format: date-time + type: string + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + format: int32 + type: integer + startedAt: + description: Time at which previous execution of the container started + format: date-time + type: string + required: + - exitCode + type: object + waiting: + description: Details about a waiting container + properties: + message: + description: 
Message regarding why the container is not yet running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + type: object + type: object + name: + description: This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated. + type: string + ready: + description: Specifies whether the container has passed its readiness probe. + type: boolean + restartCount: + description: The number of times the container has been restarted. + format: int32 + type: integer + started: + description: Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined. + type: boolean + state: + description: Details about the container's current condition. + properties: + running: + description: Details about a running container + properties: + startedAt: + description: Time at which the container was last (re-)started + format: date-time + type: string + type: object + terminated: + description: Details about a terminated container + properties: + containerID: + description: Container's ID in the format '://' + type: string + exitCode: + description: Exit status from the last termination of the container + format: int32 + type: integer + finishedAt: + description: Time at which the container last terminated + format: date-time + type: string + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + format: int32 + type: integer + startedAt: + description: Time at which previous execution of the container started + format: date-time + type: string + required: + - exitCode + type: object + 
waiting: + description: Details about a waiting container + properties: + message: + description: Message regarding why the container is not yet running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + type: object + type: object + required: + - image + - imageID + - name + - ready + - restartCount + type: object + type: array + hostIP: + description: IP address of the host to which the pod is assigned. Empty if not yet scheduled. + type: string + initContainerStatuses: + description: 'The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status' + items: + description: ContainerStatus contains details for the current status of this container. + properties: + containerID: + description: Container's ID in the format '://'. + type: string + image: + description: 'The image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images.' + type: string + imageID: + description: ImageID of the container's image. + type: string + lastState: + description: Details about the container's last termination condition. 
+ properties: + running: + description: Details about a running container + properties: + startedAt: + description: Time at which the container was last (re-)started + format: date-time + type: string + type: object + terminated: + description: Details about a terminated container + properties: + containerID: + description: Container's ID in the format '://' + type: string + exitCode: + description: Exit status from the last termination of the container + format: int32 + type: integer + finishedAt: + description: Time at which the container last terminated + format: date-time + type: string + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + format: int32 + type: integer + startedAt: + description: Time at which previous execution of the container started + format: date-time + type: string + required: + - exitCode + type: object + waiting: + description: Details about a waiting container + properties: + message: + description: Message regarding why the container is not yet running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + type: object + type: object + name: + description: This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated. + type: string + ready: + description: Specifies whether the container has passed its readiness probe. + type: boolean + restartCount: + description: The number of times the container has been restarted. + format: int32 + type: integer + started: + description: Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. 
Is always true when no startupProbe is defined. + type: boolean + state: + description: Details about the container's current condition. + properties: + running: + description: Details about a running container + properties: + startedAt: + description: Time at which the container was last (re-)started + format: date-time + type: string + type: object + terminated: + description: Details about a terminated container + properties: + containerID: + description: Container's ID in the format '://' + type: string + exitCode: + description: Exit status from the last termination of the container + format: int32 + type: integer + finishedAt: + description: Time at which the container last terminated + format: date-time + type: string + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + format: int32 + type: integer + startedAt: + description: Time at which previous execution of the container started + format: date-time + type: string + required: + - exitCode + type: object + waiting: + description: Details about a waiting container + properties: + message: + description: Message regarding why the container is not yet running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + type: object + type: object + required: + - image + - imageID + - name + - ready + - restartCount + type: object + type: array + message: + description: A human readable message indicating details about why the pod is in this condition. + type: string + nominatedNodeName: + description: nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. 
This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled. + type: string + phase: + description: "The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values: \n Pending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod. \n More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase" + type: string + podIP: + description: IP address allocated to the pod. Routable at least within the cluster. Empty if not yet allocated. + type: string + podIPs: + description: podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. 
This list is empty if no IPs have been allocated yet. + items: + description: "IP address information for entries in the (plural) PodIPs field. Each entry includes: \n IP: An IP address allocated to the pod. Routable at least within the cluster." + properties: + ip: + description: ip is an IP address (IPv4 or IPv6) assigned to the pod + type: string + type: object + type: array + qosClass: + description: 'The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md' + type: string + reason: + description: A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted' + type: string + startTime: + description: RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod. + format: date-time + type: string + type: object + required: + - conditions + - imageBuilderPodStatus + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +# Source: yatai-image-builder/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: yatai-image-builder + namespace: kubeflow + labels: + helm.sh/chart: yatai-image-builder-1.1.3 + app.kubernetes.io/name: yatai-image-builder + app.kubernetes.io/instance: yatai-image-builder + app.kubernetes.io/version: "1.1.3" + app.kubernetes.io/managed-by: Helm +--- +# Source: yatai-image-builder/templates/secret-env.yaml +apiVersion: v1 +kind: Secret +metadata: + name: yatai-image-builder-env + namespace: kubeflow + labels: + helm.sh/chart: yatai-image-builder-1.1.3 + app.kubernetes.io/name: yatai-image-builder + app.kubernetes.io/instance: yatai-image-builder + app.kubernetes.io/version: "1.1.3" + app.kubernetes.io/managed-by: Helm +type: Opaque +stringData: + 
YATAI_IMAGE_BUILDER_SHARED_ENV_SECRET_NAME: yatai-image-builder-shared-env + + YATAI_SYSTEM_NAMESPACE: kubeflow + YATAI_API_TOKEN: "SqXTUo0q8nqRtWQn" + + DOCKER_REGISTRY_SERVER: "127.0.0.1:5000" + DOCKER_REGISTRY_IN_CLUSTER_SERVER: "docker-registry.kubeflow.svc.cluster.local:5000" + DOCKER_REGISTRY_USERNAME: "" + DOCKER_REGISTRY_PASSWORD: "" + DOCKER_REGISTRY_SECURE: "false" + DOCKER_REGISTRY_BENTO_REPOSITORY_NAME: "yatai-bentos" + + INTERNAL_IMAGES_BENTO_DOWNLOADER: "quay.io/bentoml/bento-downloader:0.0.1" + INTERNAL_IMAGES_KANIKO: "quay.io/bentoml/kaniko:1.9.1" + INTERNAL_IMAGES_BUILDKIT: "quay.io/bentoml/buildkit:master" + INTERNAL_IMAGES_BUILDKIT_ROOTLESS: "quay.io/bentoml/buildkit:master-rootless" + + BENTO_IMAGE_BUILD_ENGINE: "kaniko" +--- +# Source: yatai-image-builder/templates/secret-shared-env.yaml +apiVersion: v1 +kind: Secret +metadata: + name: yatai-image-builder-shared-env + namespace: kubeflow + labels: + helm.sh/chart: yatai-image-builder-1.1.3 + app.kubernetes.io/name: yatai-image-builder + app.kubernetes.io/instance: yatai-image-builder + app.kubernetes.io/version: "1.1.3" + app.kubernetes.io/managed-by: Helm +type: Opaque +stringData: + YATAI_IMAGE_BUILDER_NAMESPACE: kubeflow +--- +# Source: yatai-image-builder/templates/secret-yatai-common-env.yaml +apiVersion: v1 +kind: Secret +metadata: + name: yatai-common-env + namespace: kubeflow + labels: + helm.sh/chart: yatai-image-builder-1.1.3 + app.kubernetes.io/name: yatai-image-builder + app.kubernetes.io/instance: yatai-image-builder + app.kubernetes.io/version: "1.1.3" + app.kubernetes.io/managed-by: Helm +type: Opaque +stringData: + YATAI_ENDPOINT: "" + YATAI_CLUSTER_NAME: "default" +--- +# Source: yatai-image-builder/templates/clusterrole-yatai-with-bento-request.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: yatai-with-bento-request-kubeflow +rules: +- apiGroups: + - resources.yatai.ai + resources: + - bentorequests + verbs: + - create + - delete + - get + 
- list + - patch + - update + - watch +- apiGroups: + - resources.yatai.ai + resources: + - bentorequests/finalizers + verbs: + - update +- apiGroups: + - resources.yatai.ai + resources: + - bentorequests/status + verbs: + - get + - patch + - update +- apiGroups: + - resources.yatai.ai + resources: + - bentoes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - resources.yatai.ai + resources: + - bentoes/finalizers + verbs: + - update +- apiGroups: + - resources.yatai.ai + resources: + - bentoes/status + verbs: + - get + - patch + - update +--- +# Source: yatai-image-builder/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: yatai-image-builder-kubeflow +rules: +- apiGroups: + - resources.yatai.ai + resources: + - bentorequests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - resources.yatai.ai + resources: + - bentorequests/status + verbs: + - update +- apiGroups: + - resources.yatai.ai + resources: + - bentoes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - resources.yatai.ai + resources: + - bentoes/status + verbs: + - update +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - update + - patch + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch +--- +# Source: yatai-image-builder/templates/clusterrolebinding-yatai-with-bento-request.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding 
+metadata: + name: yatai-with-bento-request-kubeflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: yatai-with-bento-request-kubeflow +subjects: +- kind: ServiceAccount + name: yatai + namespace: kubeflow +--- +# Source: yatai-image-builder/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: yatai-image-builder-kubeflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: yatai-image-builder-kubeflow +subjects: +- kind: ServiceAccount + name: yatai-image-builder + namespace: kubeflow +--- +# Source: yatai-image-builder/templates/role-in-yatai-system-namespace.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: yatai-image-builder-in-yatai-system + namespace: kubeflow +rules: +- apiGroups: + - "" + resources: + - secrets + resourceNames: + - yatai-common-env + - yatai-image-builder-shared-env + verbs: + - get + - list + - watch +--- +# Source: yatai-image-builder/templates/role-yatai-in-yatai-system-namespace.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: yatai-role-for-yatai-image-builder + namespace: kubeflow +rules: +- apiGroups: + - "" + resources: + - secrets + resourceNames: + - yatai-common-env + - yatai-image-builder-shared-env + verbs: + - get + - list + - watch +--- +# Source: yatai-image-builder/templates/role-yatai-with-yatai-image-builder.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: yatai-with-yatai-image-builder + namespace: kubeflow +rules: +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + - yatai-image-builder-config + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - 
events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - update + - patch + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/attach + verbs: + - create + - update + - patch + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/ephemeralcontainers + verbs: + - create + - update + - patch + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + resourceNames: + - yatai-image-builder-env + - yatai-image-builder-build-args + verbs: + - get + - list + - watch +--- +# Source: yatai-image-builder/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: yatai-image-builder + namespace: kubeflow +rules: +- apiGroups: + - "" + resources: + - secrets + resourceNames: + - yatai-image-builder-build-args + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + - yatai-image-builder-config + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: yatai-image-builder/templates/rolebinding-in-yatai-system-namespace.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: yatai-image-builder-in-yatai-system + namespace: kubeflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: yatai-image-builder-in-yatai-system +subjects: + - kind: ServiceAccount + name: 
yatai-image-builder + namespace: kubeflow +--- +# Source: yatai-image-builder/templates/rolebinding-yatai-in-yatai-system-namespace.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: yatai-role-for-yatai-image-builder + namespace: kubeflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: yatai-role-for-yatai-image-builder +subjects: + - kind: ServiceAccount + name: yatai + namespace: kubeflow +--- +# Source: yatai-image-builder/templates/rolebinding-yatai-with-yatai-image-builder.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: yatai-with-yatai-image-builder + namespace: kubeflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: yatai-with-yatai-image-builder +subjects: + - kind: ServiceAccount + name: yatai + namespace: kubeflow +--- +# Source: yatai-image-builder/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: yatai-image-builder + namespace: kubeflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: yatai-image-builder +subjects: + - kind: ServiceAccount + name: yatai-image-builder + namespace: kubeflow +--- +# Source: yatai-image-builder/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: yatai-image-builder-webhook-service + namespace: kubeflow + labels: + helm.sh/chart: yatai-image-builder-1.1.3 + app.kubernetes.io/name: yatai-image-builder + app.kubernetes.io/instance: yatai-image-builder + app.kubernetes.io/version: "1.1.3" + app.kubernetes.io/managed-by: Helm +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + app.kubernetes.io/name: yatai-image-builder + app.kubernetes.io/instance: yatai-image-builder +--- +# Source: yatai-image-builder/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: yatai-image-builder + namespace: kubeflow + labels: + helm.sh/chart: yatai-image-builder-1.1.3 + 
app.kubernetes.io/name: yatai-image-builder + app.kubernetes.io/instance: yatai-image-builder + app.kubernetes.io/version: "1.1.3" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: yatai-image-builder + app.kubernetes.io/instance: yatai-image-builder + template: + metadata: + labels: + app.kubernetes.io/name: yatai-image-builder + app.kubernetes.io/instance: yatai-image-builder + spec: + serviceAccountName: yatai-image-builder + securityContext: + {} + containers: + - name: manager + args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: yatai-image-builder-env + securityContext: + {} + image: "quay.io/bentoml/yatai-image-builder:1.1.3" + imagePullPolicy: IfNotPresent + + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 8081 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 20 + successThreshold: 1 + timeoutSeconds: 1 + + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 8081 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + + resources: + {} + + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: yatai-image-builder-webhook-server-cert +--- +# Source: yatai-image-builder/templates/certificate.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: yatai-image-builder-serving-cert + namespace: kubeflow + labels: + helm.sh/chart: yatai-image-builder-1.1.3 + app.kubernetes.io/name: yatai-image-builder + app.kubernetes.io/instance: yatai-image-builder + app.kubernetes.io/version: "1.1.3" + 
app.kubernetes.io/managed-by: Helm +spec: + dnsNames: + - yatai-image-builder-webhook-service.kubeflow.svc + - yatai-image-builder-webhook-service.kubeflow.svc.cluster.local + issuerRef: + kind: Issuer + name: yatai-image-builder-selfsigned-issuer + secretName: yatai-image-builder-webhook-server-cert +--- +# Source: yatai-image-builder/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: yatai-image-builder-selfsigned-issuer + namespace: kubeflow + labels: + helm.sh/chart: yatai-image-builder-1.1.3 + app.kubernetes.io/name: yatai-image-builder + app.kubernetes.io/instance: yatai-image-builder + app.kubernetes.io/version: "1.1.3" + app.kubernetes.io/managed-by: Helm +spec: + selfSigned: {} diff --git a/contrib/bentoml/bentoml-yatai-stack/default/kustomization.yaml b/contrib/bentoml/bentoml-yatai-stack/default/kustomization.yaml new file mode 100644 index 0000000000..4c6aad5d4a --- /dev/null +++ b/contrib/bentoml/bentoml-yatai-stack/default/kustomization.yaml @@ -0,0 +1,6 @@ +# Adds namespace to all resources. +namespace: kubeflow + +bases: +- ../bases/yatai-image-builder +- ../bases/yatai-deployment diff --git a/contrib/bentoml/example.yaml b/contrib/bentoml/example.yaml new file mode 100644 index 0000000000..f46c6476c5 --- /dev/null +++ b/contrib/bentoml/example.yaml 
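Review bot: The new `bases:` field in contrib/bentoml/bentoml-yatai-stack/default/kustomization.yaml is deprecated in kustomize in favour of `resources:`, and the sibling `sources/kustomization-template.yaml` added in this same commit already uses `resources:`, so the two new files disagree in style. Switching keeps them consistent and avoids the deprecation warning on newer kustomize releases. Proposed: `resources:` followed by the same two entries `- ../bases/yatai-image-builder` and `- ../bases/yatai-deployment`.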
@@ -0,0 +1,57 @@ +apiVersion: resources.yatai.ai/v1alpha1 +kind: Bento +metadata: + name: test-yatai + namespace: kubeflow +spec: + image: quay.io/bentoml/iris_classifier:r4zint4b567i4usu + runners: + - name: iris_clf + runnableType: SklearnRunnable + tag: iris_classifier:r4zint4b567i4usu +--- +apiVersion: serving.yatai.ai/v2alpha1 +kind: BentoDeployment +metadata: + name: test-yatai + namespace: kubeflow +spec: + autoscaling: + maxReplicas: 2 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + bento: test-yatai + ingress: + enabled: false + resources: + limits: + cpu: 1000m + memory: 1024Mi + requests: + cpu: 100m + memory: 200Mi + runners: + - autoscaling: + maxReplicas: 2 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + name: iris_clf + resources: + limits: + cpu: 1000m + memory: 1024Mi + requests: + cpu: 100m + memory: 200Mi diff --git a/contrib/bentoml/sources/kustomization-template.yaml b/contrib/bentoml/sources/kustomization-template.yaml new file mode 100644 index 0000000000..b6b8eeb903 --- /dev/null +++ b/contrib/bentoml/sources/kustomization-template.yaml @@ -0,0 +1,2 @@ +resources: +- resources.yaml diff --git a/contrib/bentoml/sources/yatai-deployment-values.yaml b/contrib/bentoml/sources/yatai-deployment-values.yaml new file mode 100644 index 0000000000..2008f2663d --- /dev/null +++ b/contrib/bentoml/sources/yatai-deployment-values.yaml @@ -0,0 +1,20 @@ +yataiSystem: + namespace: "kubeflow" + +yatai: + endpoint: '' + +layers: + network: + ingressClass: nginx + ingressAnnotations: {} + + ingressPath: / + ingressPathType: ImplementationSpecific + + domainSuffix: '' + + automaticDomainSuffixGeneration: false + +bentoDeploymentNamespaces: ["kubeflow"] + 
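Review bot: The Bento in contrib/bentoml/example.yaml references `quay.io/bentoml/iris_classifier:r4zint4b567i4usu` by tag only in `spec.image`, so the image the smoke test pulls can change underneath the manifest; pinning by digest (`quay.io/bentoml/iris_classifier@sha256:<digest>`, placeholder) makes the fixture reproducible and tamper-evident. The `tag:` under `runners` presumably has to stay in tag form for Yatai's own bookkeeping, so the pin would apply to `spec.image` only — worth confirming against the CRD. A one-line header comment such as `# Smoke-test fixture used by test.sh: single replica, ingress disabled` would also tell readers of contrib/ that this is not a deployment template.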
diff --git a/contrib/bentoml/sources/yatai-image-builder-values.yaml b/contrib/bentoml/sources/yatai-image-builder-values.yaml new file mode 100644 index 0000000000..10e26d4362 --- /dev/null +++ b/contrib/bentoml/sources/yatai-image-builder-values.yaml @@ -0,0 +1,13 @@ +yataiSystem: + namespace: "kubeflow" + +yatai: + endpoint: '' + +dockerRegistry: + bentoRepositoryName: yatai-bentos + inClusterServer: docker-registry.kubeflow.svc.cluster.local:5000 + password: "" + secure: false + server: 127.0.0.1:5000 + username: "" diff --git a/contrib/bentoml/test.sh b/contrib/bentoml/test.sh new file mode 100755 index 0000000000..664f602ff6 --- /dev/null +++ b/contrib/bentoml/test.sh @@ -0,0 +1,36 @@ +#!/bin/bash + +set -xe + +kubectl create ns kubeflow || echo "namespace kubeflow already exists" +kustomize build bentoml-yatai-stack/default | kubectl apply --server-side -f - +kubectl -n kubeflow wait --for=condition=available --timeout=600s deploy/yatai-image-builder +kubectl -n kubeflow wait --for=condition=available --timeout=600s deploy/yatai-deployment +sleep 5 +kubectl apply -n kubeflow -f example.yaml +sleep 5 +kubectl -n kubeflow logs deploy/yatai-deployment +sleep 5 +kubectl -n kubeflow wait --for=condition=available --timeout=600s deploy/test-yatai +kubectl -n kubeflow wait --for=condition=available --timeout=600s deploy/test-yatai-runner-0 + +kubectl -n kubeflow port-forward svc/test-yatai 3333:3000 & +PID=$! + +function trap_handler { + kill $PID + kubectl -n kubeflow logs -l yatai.ai/bento-deployment=test-yatai --tail=100 + kubectl -n kubeflow delete -f example.yaml + kustomize build bentoml-yatai-stack/default | kubectl delete -f - +} + +trap trap_handler EXIT + +sleep 5 + +output=$(curl --fail -X 'POST' http://localhost:3333/classify -d '[[0,1,2,3]]') +echo "output: '${output}'" +if [[ $output != *'[2]'* ]]; then + echo "Test failed" + exit 1 +fi From 0e8a328f9a82642a2ef69ff3ea80f7b4eb319b3a Mon Sep 17 00:00:00 2001 
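Review bot: `dockerRegistry` in contrib/bentoml/sources/yatai-image-builder-values.yaml is set to `secure: false`, empty `username`/`password` and a loopback `server: 127.0.0.1:5000`, with nothing in the file saying these are development defaults; a comment such as `# Dev/test defaults for a plain-HTTP local registry; override server/secure/credentials in any real overlay` would stop them being copied verbatim into a production kustomization. Related: the Helm output rendered from these values is committed in this PR, and the `yatai-image-builder-env` Secret there carries a literal `YATAI_API_TOKEN`, so a value that was presumably generated at render time is now a static token in git; either regenerate it at deploy time or document that it must be rotated after install. I infer the 127.0.0.1 address is meant for the KinD node's local registry rather than the manager pod's own loopback — confirm in the README.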
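Review bot: In contrib/bentoml/test.sh the EXIT trap is registered only after the `kubectl apply` and `port-forward` lines, so a failure in any earlier `kubectl wait` (the script runs under `set -e`) leaves the whole stack deployed in the kubeflow namespace with no cleanup. Move `trap trap_handler EXIT` to just after `set -xe`, and guard the kill with `kill "${PID:-}" 2>/dev/null || true` so that an unset PID or an already-exited port-forward does not abort the handler before the `delete` lines run (errexit is still in effect inside the trap). The `curl` POST sends a JSON body without a `Content-Type: application/json` header; whether `/classify` accepts the default form encoding I cannot tell from here, so worth a quick check.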
From: Yihong Wang Date: Wed, 1 Feb 2023 05:25:31 -0800 Subject: [PATCH 19/74] Update kubeflow/kfp-tekton manifests from v1.5.1 (#2363) 
Signed-off-by: Yihong Wang --- README.md | 2 +- .../base/cache-deployer/kustomization.yaml | 2 +- .../upstream/base/cache/kustomization.yaml | 2 +- .../generic/pipeline-install-config.yaml | 4 +- .../base/metadata/base/kustomization.yaml | 2 +- .../base/pipeline/apiserver-deployment.yaml | 19 + .../base/pipeline/kfp-pipeline-config.yaml | 6 +- .../upstream/base/pipeline/kustomization.yaml | 14 +- .../metadata-writer/kustomization.yaml | 2 +- ...-pipeline-persistenceagent-deployment.yaml | 2 + .../ml-pipeline-persistenceagent-role.yaml | 1 + .../cert-manager/base/cache-cert-issuer.yaml | 6 + .../env/cert-manager/base/cache-cert.yaml | 15 + .../base/cache-webhook-config.yaml | 25 + .../env/cert-manager/base/kustomization.yaml | 13 + .../env/cert-manager/base/params.yaml | 13 + .../kustomization.yaml | 7 + .../dev/delete-cache-deployer.yaml | 18 + .../env/cert-manager/dev/kustomization.yaml | 47 + .../env/cert-manager/dev/namespace.yaml | 4 + .../upstream/env/cert-manager/dev/params.yaml | 4 + .../delete-cache-deployer.yaml | 36 + .../kustomization.yaml | 28 + .../env/gcp/inverse-proxy/kustomization.yaml | 2 +- .../platform-agnostic-kind/kustomization.yaml | 7 + .../plain-kind/kustomization.yaml | 18 + .../workflow-controller-configmap-patch.yaml | 6 +- .../workflow-controller-configmap-patch.yaml | 6 +- .../workflow-controller-deployment-patch.yaml | 4 +- .../argo/upstream/manifests/Kptfile | 6 +- .../argo-server/argo-server-deployment.yaml | 4 + .../argoproj.io_clusterworkflowtemplates.yaml | 1027 +++++- .../crds/full/argoproj.io_cronworkflows.yaml | 1029 +++++- .../argoproj.io_workfloweventbindings.yaml | 2 + .../base/crds/full/argoproj.io_workflows.yaml | 2921 ++++++++++++++--- .../full/argoproj.io_workflowtaskresults.yaml | 426 +++ .../full/argoproj.io_workflowtasksets.yaml | 219 +- .../full/argoproj.io_workflowtemplates.yaml | 1027 +++++- .../base/crds/full/kustomization.yaml | 1 + .../argoproj.io_workflowtaskresults.yaml | 425 +++ 
.../minimal/argoproj.io_workflowtasksets.yaml | 2 + .../base/crds/minimal/kustomization.yaml | 1 + .../workflow-controller/kustomization.yaml | 1 + .../workflow-controller-deployment.yaml | 1 + .../workflow-controller-metrics-service.yaml | 5 + .../workflow-controller-priorityclass.yaml | 5 + .../argo-server-clusterole.yaml | 3 + .../cluster-install/kustomization.yaml | 1 + .../workflow-controller-clusterrole.yaml | 10 + .../argo-server-rbac/argo-server-role.yaml | 3 + .../overlays/argo-server-deployment.json | 7 - .../workflow-controller-deployment.json | 7 - .../workflow-controller-role.yaml | 17 + .../base/agent-default-rolebinding.yaml | 11 + .../quick-start/base/agent-role.yaml | 24 + .../base/executor-default-rolebinding.yaml | 11 + .../base/executor/docker/executor-role.yaml | 17 + .../base/executor/emissary/executor-role.yaml | 15 + .../base/executor/k8sapi/executor-role.yaml | 36 + .../base/executor/kubelet/executor-role.yaml | 17 + .../kubelet-executor-clusterrole.yaml | 0 ...t-executor-default-clusterrolebinding.yaml | 0 .../base/executor/pns/executor-role.yaml | 27 + .../quick-start/base/kustomization.yaml | 12 +- .../base/memoizer-default-rolebinding.yaml | 11 + .../quick-start/base/memoizer-role.yaml | 16 + .../quick-start/base/minio/minio-deploy.yaml | 2 +- .../quick-start/base/minio/minio-pod.yaml | 34 - .../workflow-controller-configmap.yaml | 9 +- .../base/pod-manager-default-rolebinding.yaml | 11 + .../quick-start/base/pod-manager-role.yaml | 17 + .../base/workflow-default-rolebinding.yaml | 2 +- .../workflow-manager-default-rolebinding.yaml | 11 + .../base/workflow-manager-role.yaml | 16 + .../quick-start/base/workflow-role.yaml | 63 - .../quick-start/minimal/kustomization.yaml | 2 + .../workflow-controller-configmap.yaml | 9 + .../workflow-controller-configmap.yaml | 4 + .../workflow-controller-configmap.yaml | 4 + .../workflow-controller-configmap.yaml | 3 +- .../kfp-csi-s3/csi-s3-deployment.yaml | 82 +- .../mysql/base/mysql-deployment.yaml | 
2 +- .../tekton-custom-task/kustomization.yaml | 4 +- .../pipeline-loops/204-cache-config.yaml | 33 + .../pipeline-loops/301-breaktask.yaml | 51 + .../pipeline-loops/500-controller.yaml | 10 + .../pipeline-loops/500-webhook.yaml | 10 + .../pipeline-loops/kustomization.yaml | 2 + .../tekton-dashboard-release.yaml | 51 +- .../base/tektoncd-install/kustomization.yaml | 9 + .../base/tektoncd-install/tekton-config.yaml | 2 +- .../tektoncd-install/tekton-controller.yaml | 18 + .../base/tektoncd-install/tekton-default.yaml | 10 + .../base/tektoncd-install/tekton-release.yaml | 1266 +++++-- 94 files changed, 8199 insertions(+), 1200 deletions(-) create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/base/cache-cert-issuer.yaml create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/base/cache-cert.yaml create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/base/cache-webhook-config.yaml create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/base/kustomization.yaml create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/base/params.yaml create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/cluster-scoped-resources/kustomization.yaml create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/dev/delete-cache-deployer.yaml create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/dev/kustomization.yaml create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/dev/namespace.yaml create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/dev/params.yaml create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/platform-agnostic-multi-user/delete-cache-deployer.yaml create mode 100644 apps/kfp-tekton/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml create mode 100644 apps/kfp-tekton/upstream/env/platform-agnostic-kind/kustomization.yaml create mode 100644 apps/kfp-tekton/upstream/env/platform-agnostic-kind/plain-kind/kustomization.yaml create mode 100644 
apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtaskresults.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtaskresults.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-priorityclass.yaml
delete mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/overlays/argo-server-deployment.json
delete mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/overlays/workflow-controller-deployment.json
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-default-rolebinding.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-role.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor-default-rolebinding.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/docker/executor-role.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/emissary/executor-role.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/k8sapi/executor-role.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/kubelet/executor-role.yaml
rename apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/{ => executor/kubelet}/kubelet-executor-clusterrole.yaml (100%)
rename apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/{ => executor/kubelet}/kubelet-executor-default-clusterrolebinding.yaml (100%)
create mode 100644 
apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/pns/executor-role.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/memoizer-default-rolebinding.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/memoizer-role.yaml
delete mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/minio-pod.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/pod-manager-default-rolebinding.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/pod-manager-role.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-manager-default-rolebinding.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-manager-role.yaml
delete mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-role.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/minimal/overlays/workflow-controller-configmap.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/204-cache-config.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/301-breaktask.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-controller.yaml
create mode 100644 apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-default.yaml
diff --git a/README.md b/README.md
index ce21ac5c75..5fdc5984ac 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ This repo periodically syncs all official Kubeflow components from their respect
 | KServe | contrib/kserve/kserve | [release-0.8](https://github.com/kserve/kserve/tree/8079f375cbcedc4d45a1b4aade2e2308ea6f9ae8/install/v0.8.0) |
 | KServe Models Web App | contrib/kserve/models-web-app | [v0.8.1](https://github.com/kserve/models-web-app/tree/v0.8.1/config) |
 | Kubeflow Pipelines | apps/pipeline/upstream | [2.0.0-alpha.3](https://github.com/kubeflow/pipelines/tree/2.0.0-alpha.3/manifests/kustomize) |
-| Kubeflow Tekton Pipelines | apps/kfp-tekton/upstream | [v1.2.1](https://github.com/kubeflow/kfp-tekton/tree/v1.2.1/manifests/kustomize) |
+| Kubeflow Tekton Pipelines | apps/kfp-tekton/upstream | [v1.5.1](https://github.com/kubeflow/kfp-tekton/tree/v1.5.1/manifests/kustomize) |
 The following is also a matrix with versions from common components that are used from the different projects of Kubeflow:
diff --git a/apps/kfp-tekton/upstream/base/cache-deployer/kustomization.yaml b/apps/kfp-tekton/upstream/base/cache-deployer/kustomization.yaml
index 949fe6300d..90043027d4 100644
--- a/apps/kfp-tekton/upstream/base/cache-deployer/kustomization.yaml
+++ b/apps/kfp-tekton/upstream/base/cache-deployer/kustomization.yaml
@@ -10,4 +10,4 @@ commonLabels:
 app: cache-deployer
 images:
 - name: gcr.io/ml-pipeline/cache-deployer
- newTag: 1.8.1
+ newTag: 1.8.4
diff --git a/apps/kfp-tekton/upstream/base/cache/kustomization.yaml b/apps/kfp-tekton/upstream/base/cache/kustomization.yaml
index 8e3a0d7bfa..b26abfe4e4 100644
--- a/apps/kfp-tekton/upstream/base/cache/kustomization.yaml
+++ b/apps/kfp-tekton/upstream/base/cache/kustomization.yaml
@@ -11,4 +11,4 @@ commonLabels:
 images:
 - name: gcr.io/ml-pipeline/cache-server
 newName: docker.io/aipipeline/cache-server
- newTag: 1.2.1
+ newTag: 1.5.1
diff --git a/apps/kfp-tekton/upstream/base/installs/generic/pipeline-install-config.yaml b/apps/kfp-tekton/upstream/base/installs/generic/pipeline-install-config.yaml
index f9cf6d31d3..0a44ea9cae 100644
--- a/apps/kfp-tekton/upstream/base/installs/generic/pipeline-install-config.yaml
+++ b/apps/kfp-tekton/upstream/base/installs/generic/pipeline-install-config.yaml
@@ -11,12 +11,14 @@ data:
 until the changes take effect. A quick way to restart all deployments in a namespace: `kubectl rollout restart deployment -n `.
 appName: pipeline
- appVersion: 1.8.1
+ appVersion: 1.8.4
 dbHost: mysql
 dbPort: "3306"
 mlmdDb: metadb
 cacheDb: cachedb
 pipelineDb: mlpipeline
+ objectStoreHost: minio-service
+ objectStorePort: "9000"
 bucketName: mlpipeline
 ## defaultPipelineRoot: Optional. Default pipeline root in v2 compatible mode.
 ## https://www.kubeflow.org/docs/components/pipelines/sdk/v2/v2-compatibility/
diff --git a/apps/kfp-tekton/upstream/base/metadata/base/kustomization.yaml b/apps/kfp-tekton/upstream/base/metadata/base/kustomization.yaml
index a621def5b3..4a8ea63c0c 100644
--- a/apps/kfp-tekton/upstream/base/metadata/base/kustomization.yaml
+++ b/apps/kfp-tekton/upstream/base/metadata/base/kustomization.yaml
@@ -9,4 +9,4 @@ resources:
 - metadata-grpc-sa.yaml
 images:
 - name: gcr.io/ml-pipeline/metadata-envoy
- newTag: 1.8.1
+ newTag: 1.8.4
diff --git a/apps/kfp-tekton/upstream/base/pipeline/apiserver-deployment.yaml b/apps/kfp-tekton/upstream/base/pipeline/apiserver-deployment.yaml
index 52cc9f75dd..09ae34aa00 100644
--- a/apps/kfp-tekton/upstream/base/pipeline/apiserver-deployment.yaml
+++ b/apps/kfp-tekton/upstream/base/pipeline/apiserver-deployment.yaml
@@ -12,8 +12,22 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: OBJECTSTORECONFIG_HOST
+ valueFrom:
+ configMapKeyRef:
+ name: pipeline-install-config
+ key: objectStoreHost
+ - name: OBJECTSTORECONFIG_PORT
+ valueFrom:
+ configMapKeyRef:
+ name: pipeline-install-config
+ key: objectStorePort
 - name: OBJECTSTORECONFIG_SECURE
 value: "false"
+ - name: CLIENTQPS
+ value: "50"
+ - name: CLIENTBURST
+ value: "50"
 - name: OBJECTSTORECONFIG_BUCKETNAME
 valueFrom:
 configMapKeyRef:
@@ -96,6 +110,11 @@ spec:
 configMapKeyRef:
 name: kfp-tekton-config
 key: artifact_image
+ - name: MOVERESULTS_IMAGE
+ valueFrom:
+ configMapKeyRef:
+ name: kfp-tekton-config
+ key: moveresults_image
 - name: INJECT_DEFAULT_SCRIPT
 valueFrom:
 configMapKeyRef:
diff --git a/apps/kfp-tekton/upstream/base/pipeline/kfp-pipeline-config.yaml b/apps/kfp-tekton/upstream/base/pipeline/kfp-pipeline-config.yaml
index bf8778d4d6..cd3c231399 100644
--- a/apps/kfp-tekton/upstream/base/pipeline/kfp-pipeline-config.yaml
+++ b/apps/kfp-tekton/upstream/base/pipeline/kfp-pipeline-config.yaml
@@ -8,16 +8,16 @@ data:
 artifact_endpoint_scheme: "http://"
 artifact_image: "minio/mc:RELEASE.2020-11-25T23-04-07Z"
 archive_logs: "true"
+ moveresults_image: "busybox:1.34.1"
 track_artifacts: "true"
 strip_eof: "true"
 inject_default_script: "true"
 apply_tekton_custom_resource: "true"
 terminate_status: "Cancelled"
 artifact_script: |-
- #!/usr/bin/env sh
 push_artifact() {
- if [ -f "$2" ]; then
- tar -cvzf $1.tgz $2
+ if [ -f "$2" ] || [ -d "$2" ]; then
+ tar -cvzf $1.tgz -C $(dirname $2) $(basename $2)
 mc cp $1.tgz storage/$ARTIFACT_BUCKET/artifacts/$PIPELINERUN/$PIPELINETASK/$1.tgz
 else
 echo "$2 file does not exist. Skip artifact tracking for $1"
diff --git a/apps/kfp-tekton/upstream/base/pipeline/kustomization.yaml b/apps/kfp-tekton/upstream/base/pipeline/kustomization.yaml
index 52d43a533f..84f151dfe2 100644
--- a/apps/kfp-tekton/upstream/base/pipeline/kustomization.yaml
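Review bot: OBJECTSTORECONFIG_HOST and OBJECTSTORECONFIG_PORT are now read from the pipeline-install-config ConfigMap, but the neighbouring OBJECTSTORECONFIG_SECURE stays a hard-coded `"false"`, so an operator who points `objectStoreHost` at anything other than the in-cluster minio-service gets an API server that moves artifacts over plaintext HTTP. Consider making the flag configurable together with the new keys — `objectStoreSecure: "false"` in pipeline-install-config and a matching `configMapKeyRef` here — or at least a comment on the new keys stating that the object-store connection is unencrypted. CLIENTQPS and CLIENTBURST are undocumented magic numbers; a comment such as `# client-go rate limits for the API server's Kubernetes client (QPS / burst)` would tell the next maintainer what `"50"` tunes. The container spec this env block belongs to continues outside the hunk.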
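Review bot: The rewritten `tar` line leaves `$1`, `$2`, `$(dirname $2)` and `$(basename $2)` unquoted, so an artifact name or path containing whitespace or glob characters is word-split and globbed by the shell before tar sees it; `tar -cvzf "$1.tgz" -C "$(dirname "$2")" "$(basename "$2")"` keeps the new directory support and matches the quoting already used in the `[ -f "$2" ] || [ -d "$2" ]` test. Separately, `moveresults_image: "busybox:1.34.1"` pins a mutable tag for an image that, judging by the MOVERESULTS_IMAGE env added to apiserver-deployment.yaml, the API server injects into task pods; a digest pin (`busybox:1.34.1@sha256:<digest-placeholder>`) would make what runs in every task reproducible and auditable. The `push_artifact` function continues outside the hunk.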
+++ b/apps/kfp-tekton/upstream/base/pipeline/kustomization.yaml
@@ -43,20 +43,20 @@ patchesStrategicMerge:
 images:
 - name: gcr.io/ml-pipeline/api-server
 newName: docker.io/aipipeline/api-server
- newTag: 1.2.1
+ newTag: 1.5.1
 - name: gcr.io/ml-pipeline/persistenceagent
 newName: docker.io/aipipeline/persistenceagent
- newTag: 1.2.1
+ newTag: 1.5.1
 - name: gcr.io/ml-pipeline/scheduledworkflow
 newName: docker.io/aipipeline/scheduledworkflow
- newTag: 1.2.1
+ newTag: 1.5.1
 - name: gcr.io/ml-pipeline/frontend
 newName: docker.io/aipipeline/frontend
- newTag: 1.2.1
+ newTag: 1.5.1
 - name: gcr.io/ml-pipeline/viewer-crd-controller
- newTag: 1.8.1
+ newTag: 1.8.4
 - name: gcr.io/ml-pipeline/visualization-server
- newTag: 1.8.1
+ newTag: 1.8.4
 - name: gcr.io/ml-pipeline/metadata-writer
 newName: docker.io/aipipeline/metadata-writer
- newTag: 1.2.1
+ newTag: 1.5.1
diff --git a/apps/kfp-tekton/upstream/base/pipeline/metadata-writer/kustomization.yaml b/apps/kfp-tekton/upstream/base/pipeline/metadata-writer/kustomization.yaml
index 5b49a9ffbf..aaf34a584a 100644
--- a/apps/kfp-tekton/upstream/base/pipeline/metadata-writer/kustomization.yaml
+++ b/apps/kfp-tekton/upstream/base/pipeline/metadata-writer/kustomization.yaml
@@ -7,4 +7,4 @@ resources:
 - metadata-writer-sa.yaml
 images:
 - name: gcr.io/ml-pipeline/metadata-writer
- newTag: 1.8.1
+ newTag: 1.8.4
diff --git a/apps/kfp-tekton/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml b/apps/kfp-tekton/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml
index bc5032e51a..d6fda26b1c 100644
--- a/apps/kfp-tekton/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml
+++ b/apps/kfp-tekton/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml
@@ -25,6 +25,8 @@ spec:
 value: "86400"
 - name: NUM_WORKERS
 value: "2"
+ - name: CHILDREFERENCES_KINDS
+ value: "PipelineLoop"
 image: gcr.io/ml-pipeline/persistenceagent:dummy
 imagePullPolicy: IfNotPresent
 name: ml-pipeline-persistenceagent
diff --git a/apps/kfp-tekton/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml b/apps/kfp-tekton/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml
index 7e7f976819..eb843f2267 100644
--- a/apps/kfp-tekton/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml
+++ b/apps/kfp-tekton/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml
@@ -25,6 +25,7 @@ rules:
 - pipelineruns
 - taskruns
 - conditions
+ - runs
 verbs:
 - create
 - get
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/base/cache-cert-issuer.yaml b/apps/kfp-tekton/upstream/env/cert-manager/base/cache-cert-issuer.yaml
new file mode 100644
index 0000000000..1c0ba59611
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/base/cache-cert-issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: kfp-cache-selfsigned-issuer
+spec:
+ selfSigned: {}
\ No newline at end of file
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/base/cache-cert.yaml b/apps/kfp-tekton/upstream/env/cert-manager/base/cache-cert.yaml
new file mode 100644
index 0000000000..7d1136729a
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/base/cache-cert.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: kfp-cache-cert
+spec:
+ commonName: kfp-cache-cert
+ isCA: true
+ dnsNames:
+ - cache-server
+ - cache-server.$(kfp-namespace)
+ - cache-server.$(kfp-namespace).svc
+ issuerRef:
+ kind: Issuer
+ name: kfp-cache-selfsigned-issuer
+ secretName: webhook-server-tls
\ No newline at end of file
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/base/cache-webhook-config.yaml b/apps/kfp-tekton/upstream/env/cert-manager/base/cache-webhook-config.yaml
new file mode 100644
index 0000000000..0f6b43c4fd
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/base/cache-webhook-config.yaml
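Review bot: Adding `runs` to this resource list grants the persistence agent every verb of the rule that follows — `create` and `get` are visible, the rest of the verbs block lies outside the hunk — so the agent can now create Tekton Run objects, not merely observe them. If the agent only needs to read Run status to persist it (the CHILDREFERENCES_KINDS=PipelineLoop env added to its Deployment suggests tracking, not creation), a separate rule limited to `get`/`list`/`watch` for `runs` would be tighter, and either way a comment such as `# runs: custom-task Runs (e.g. PipelineLoop) whose status the agent persists` would record why the resource was added.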
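Review bot: `isCA: true` turns the webhook's serving certificate into a CA certificate at the same time, so the key in `webhook-server-tls` can sign further certificates that the injected caBundle would trust; presumably it is set so the secret carries a `ca.crt` for the `cert-manager.io/inject-ca-from` annotation to copy, and that intent deserves a comment, e.g. `# isCA: the self-signed cert doubles as the CA bundle injected into the webhook config`. The cleaner shape is a self-signed CA Certificate, a CA Issuer backed by it, and a leaf serving Certificate with `isCA` unset, which keeps signing capability off the key the server holds. No `duration`/`renewBefore` are given, so cert-manager's defaults decide rotation; stating them explicitly makes that visible to operators.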
@@ -0,0 +1,25 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: cache-webhook-kubeflow
+ annotations:
+ cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-cache-cert
+webhooks:
+ - name: cache-server.$(kfp-namespace).svc
+ clientConfig:
+ service:
+ name: cache-server
+ namespace: $(kfp-namespace)
+ path: "/mutate"
+ failurePolicy: Ignore
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ sideEffects: None
+ timeoutSeconds: 5
+ objectSelector:
+ matchLabels:
+ pipelines.kubeflow.org/cache_enabled: "true"
+ admissionReviewVersions: ["v1beta1"]
\ No newline at end of file
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/base/kustomization.yaml b/apps/kfp-tekton/upstream/env/cert-manager/base/kustomization.yaml
new file mode 100644
index 0000000000..75633f3f06
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/base/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+
+resources:
+ - cache-cert-issuer.yaml
+ - cache-cert.yaml
+ - cache-webhook-config.yaml
+commonLabels:
+ app: cache-server-cert-manager
+
+configurations:
+- params.yaml
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/base/params.yaml b/apps/kfp-tekton/upstream/env/cert-manager/base/params.yaml
new file mode 100644
index 0000000000..8ee2b1b3c9
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/base/params.yaml
@@ -0,0 +1,13 @@
+varReference:
+ - path: spec/commonName
+ kind: Certificate
+ - path: spec/dnsNames
+ kind: Certificate
+ - path: spec/issuerRef/name
+ kind: Certificate
+ - path: metadata/annotations
+ kind: MutatingWebhookConfiguration
+ - path: webhooks/clientConfig/service/namespace
+ kind: MutatingWebhookConfiguration
+ - path: webhooks/name
+ kind: MutatingWebhookConfiguration
\ No newline at end of file
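Review bot: `failurePolicy: Ignore` makes this a fail-open webhook: when cache-server is down, or slower than `timeoutSeconds: 5`, labelled pods are admitted without the cache mutation and nothing in the manifest says that is intended. For a cache this is a defensible availability trade-off (the step presumably just runs instead of being served from cache), but it should be recorded on the line, e.g. `# fail open: a skipped mutation only costs a cache miss, never blocks pod creation`. `admissionReviewVersions: ["v1beta1"]` lists only the deprecated AdmissionReview version; if cache-server can handle v1 reviews, `admissionReviewVersions: ["v1", "v1beta1"]` keeps the webhook working on API servers that stop serving v1beta1.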
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/cluster-scoped-resources/kustomization.yaml b/apps/kfp-tekton/upstream/env/cert-manager/cluster-scoped-resources/kustomization.yaml
new file mode 100644
index 0000000000..c5df9e990b
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/cluster-scoped-resources/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- ../../../third-party/application/cluster-scoped
+- ../../../third-party/argo/installs/namespace/cluster-scoped
+- ../../../base/pipeline/cluster-scoped
\ No newline at end of file
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/dev/delete-cache-deployer.yaml b/apps/kfp-tekton/upstream/env/cert-manager/dev/delete-cache-deployer.yaml
new file mode 100644
index 0000000000..3a71d7d2bc
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/dev/delete-cache-deployer.yaml
@@ -0,0 +1,18 @@
+# Delete cache deployer related resources as we use the cert-manager instead
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cache-deployer-deployment
+$patch: delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kubeflow-pipelines-cache-deployer-role
+$patch: delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kubeflow-pipelines-cache-deployer-rolebinding
+$patch: delete
\ No newline at end of file
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/dev/kustomization.yaml b/apps/kfp-tekton/upstream/env/cert-manager/dev/kustomization.yaml
new file mode 100644
index 0000000000..90738fe776
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/dev/kustomization.yaml
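Review bot: This dev patch deletes only the namespaced cache-deployer objects (Deployment, Role, RoleBinding), whereas the sibling platform-agnostic-multi-user/delete-cache-deployer.yaml in this commit also removes the ClusterRole, ClusterRoleBinding and ServiceAccount. If the `../../dev` base pulls in the cache-deployer's cluster-scoped RBAC, this overlay leaves an unused ServiceAccount with a cluster-wide binding behind after the switch to cert-manager, which is exactly the kind of dormant privilege least-privilege reviews flag. Either align this file with the multi-user one or add a comment explaining why those three objects are intentionally kept in dev. The kustomization that applies this patch is in the next hunk.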
@@ -0,0 +1,47 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+ - ../../dev
+ - ../base
+namespace: kubeflow
+
+# Delete the cache deployer as we use the cert-manager instead
+patchesStrategicMerge:
+ - ./delete-cache-deployer.yaml
+
+resources:
+- namespace.yaml
+
+vars:
+# NOTE: var name must be unique globally to allow composition of multiple kustomize
+# packages. Therefore, we added prefix `kfp-dev-` to distinguish it from
+# others.
+- name: kfp-dev-namespace
+ objref:
+ # ml-pipeline sa's metadata.namespace will be first transformed by namespace field in kustomization.yaml
+ # so that we only need to change kustomization.yaml's namespace field for namespace customization.
+ kind: ServiceAccount
+ name: ml-pipeline
+ apiVersion: v1
+ fieldref:
+ fieldpath: metadata.namespace
+configurations:
+- params.yaml
+
+# Pass proper arguments to cache-server to use cert-manager certificate
+patches:
+- patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--tls_cert_filename=tls.crt"
+ target:
+ kind: Deployment
+ name: cache-server
+- patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--tls_key_filename=tls.key"
+ target:
+ kind: Deployment
+ name: cache-server
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/dev/namespace.yaml b/apps/kfp-tekton/upstream/env/cert-manager/dev/namespace.yaml
new file mode 100644
index 0000000000..51de7acfd8
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/dev/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: '$(kfp-dev-namespace)'
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/dev/params.yaml b/apps/kfp-tekton/upstream/env/cert-manager/dev/params.yaml
new file mode 100644
index 0000000000..cc253fe266
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/dev/params.yaml
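Review bot: This overlay re-declares `resources: - namespace.yaml` and the `kfp-dev-namespace` var on top of the `../../dev` base, while the parallel platform-agnostic-multi-user overlay in this commit adds only the cert-manager base, the delete patch and the two args patches. If `../../dev` already defines the same Namespace resource and var (the NOTE above the var says names must be globally unique), this is duplication that kustomize tolerates, as far as I recall, only while both definitions stay byte-identical; if dev genuinely needs its own copy, a comment saying why would stop the next reader from removing it. The two JSON patches append `--tls_cert_filename=tls.crt` and `--tls_key_filename=tls.key`, which assumes the cache-server Deployment mounts the `webhook-server-tls` secret where those relative names resolve; that mount is not in this diff, so confirm it exists.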
@@ -0,0 +1,4 @@
+# Allow Kustomize var to replace following fields.
+varReference:
+- path: metadata/name
+ kind: Namespace
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/platform-agnostic-multi-user/delete-cache-deployer.yaml b/apps/kfp-tekton/upstream/env/cert-manager/platform-agnostic-multi-user/delete-cache-deployer.yaml
new file mode 100644
index 0000000000..6e05a9e94b
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/platform-agnostic-multi-user/delete-cache-deployer.yaml
@@ -0,0 +1,36 @@
+# Delete cache deployer as we use the cert-manager instead
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-pipelines-cache-deployer-clusterrole
+$patch: delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubeflow-pipelines-cache-deployer-clusterrolebinding
+$patch: delete
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubeflow-pipelines-cache-deployer-sa
+$patch: delete
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cache-deployer-deployment
+$patch: delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kubeflow-pipelines-cache-deployer-role
+$patch: delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kubeflow-pipelines-cache-deployer-rolebinding
+$patch: delete
\ No newline at end of file
diff --git a/apps/kfp-tekton/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml b/apps/kfp-tekton/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml
new file mode 100644
index 0000000000..00a522d823
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml
@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+ - ../../platform-agnostic-multi-user
+ - ../base
+namespace: kubeflow
+
+# Delete the cache deployer as we use the cert-manager instead
+patchesStrategicMerge:
+ - ./delete-cache-deployer.yaml
+
+# Pass proper arguments to cache-server to use cert-manager certificate
+patches:
+- patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--tls_cert_filename=tls.crt"
+ target:
+ kind: Deployment
+ name: cache-server
+- patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--tls_key_filename=tls.key"
+ target:
+ kind: Deployment
+ name: cache-server
diff --git a/apps/kfp-tekton/upstream/env/gcp/inverse-proxy/kustomization.yaml b/apps/kfp-tekton/upstream/env/gcp/inverse-proxy/kustomization.yaml
index f9081522b4..f837e97e59 100644
--- a/apps/kfp-tekton/upstream/env/gcp/inverse-proxy/kustomization.yaml
+++ b/apps/kfp-tekton/upstream/env/gcp/inverse-proxy/kustomization.yaml
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: gcr.io/ml-pipeline/inverse-proxy-agent
- newTag: 1.8.1
+ newTag: 1.8.4
 resources:
 - proxy-configmap.yaml
 - proxy-deployment.yaml
diff --git a/apps/kfp-tekton/upstream/env/platform-agnostic-kind/kustomization.yaml b/apps/kfp-tekton/upstream/env/platform-agnostic-kind/kustomization.yaml
new file mode 100644
index 0000000000..6c01c48b93
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/platform-agnostic-kind/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+ - ../../third-party/tekton/installs/cluster
+ - ../../third-party/tekton-custom-task
+ - ./plain-kind
diff --git a/apps/kfp-tekton/upstream/env/platform-agnostic-kind/plain-kind/kustomization.yaml b/apps/kfp-tekton/upstream/env/platform-agnostic-kind/plain-kind/kustomization.yaml
new file mode 100644
index 0000000000..3a72034d80
--- /dev/null
+++ b/apps/kfp-tekton/upstream/env/platform-agnostic-kind/plain-kind/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+ - ../../../base/installs/generic
+ - ../../../base/metadata/base
+ - ../../../third-party/minio/base
+ - ../../../third-party/mysql/base
+
+# Identifier for application manager to apply ownerReference.
+# The ownerReference ensures the resources get garbage collected
+# when application is deleted.
+commonLabels:
+ application-crd-id: kubeflow-pipelines
+
+# !!! If you want to customize the namespace,
+# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
+namespace: kubeflow
diff --git a/apps/kfp-tekton/upstream/env/platform-agnostic-multi-user-emissary/workflow-controller-configmap-patch.yaml b/apps/kfp-tekton/upstream/env/platform-agnostic-multi-user-emissary/workflow-controller-configmap-patch.yaml
index 64d4b40220..410a8f4c59 100644
--- a/apps/kfp-tekton/upstream/env/platform-agnostic-multi-user-emissary/workflow-controller-configmap-patch.yaml
+++ b/apps/kfp-tekton/upstream/env/platform-agnostic-multi-user-emissary/workflow-controller-configmap-patch.yaml
@@ -4,9 +4,9 @@ metadata:
 name: workflow-controller-configmap
 data:
 # References:
- # * https://github.com/argoproj/argo-workflows/blob/v3.2.3/config/config.go
- # * https://github.com/argoproj/argo-workflows/blob/v3.2.3/docs/workflow-controller-configmap.md
- # * https://github.com/argoproj/argo-workflows/blob/v3.2.3/docs/workflow-controller-configmap.yaml
+ # * https://github.com/argoproj/argo-workflows/blob/v3.3.8/config/config.go
+ # * https://github.com/argoproj/argo-workflows/blob/v3.3.8/docs/workflow-controller-configmap.md
+ # * https://github.com/argoproj/argo-workflows/blob/v3.3.8/docs/workflow-controller-configmap.yaml
 # Emissary Executor: https://argoproj.github.io/argo-workflows/workflow-executors/#emissary-emissary
 containerRuntimeExecutor: emissary
diff --git a/apps/kfp-tekton/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml b/apps/kfp-tekton/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml
index 654b98b713..96a6ccf995 100644
--- a/apps/kfp-tekton/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml
+++ b/apps/kfp-tekton/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml
@@ -4,9 +4,9 @@ metadata:
 name: workflow-controller-configmap
 data:
 # References:
- # * https://github.com/argoproj/argo-workflows/blob/v3.2.3/config/config.go
- # * https://github.com/argoproj/argo-workflows/blob/v3.2.3/docs/workflow-controller-configmap.md
- # * https://github.com/argoproj/argo-workflows/blob/v3.2.3/docs/workflow-controller-configmap.yaml
+ # * https://github.com/argoproj/argo-workflows/blob/v3.3.8/config/config.go
+ # * https://github.com/argoproj/argo-workflows/blob/v3.3.8/docs/workflow-controller-configmap.md
+ # * https://github.com/argoproj/argo-workflows/blob/v3.3.8/docs/workflow-controller-configmap.yaml
 # emissary executor is a more portable default, see https://github.com/kubeflow/pipelines/issues/1654.
 containerRuntimeExecutor: emissary
diff --git a/apps/kfp-tekton/upstream/third-party/argo/base/workflow-controller-deployment-patch.yaml b/apps/kfp-tekton/upstream/third-party/argo/base/workflow-controller-deployment-patch.yaml
index 2efbeb1f8f..770b86a8a8 100644
--- a/apps/kfp-tekton/upstream/third-party/argo/base/workflow-controller-deployment-patch.yaml
+++ b/apps/kfp-tekton/upstream/third-party/argo/base/workflow-controller-deployment-patch.yaml
@@ -7,12 +7,12 @@ spec:
 spec:
 containers:
 - name: workflow-controller
- image: gcr.io/ml-pipeline/workflow-controller:v3.2.3-license-compliance
+ image: gcr.io/ml-pipeline/workflow-controller:v3.3.8-license-compliance
 args:
 - --configmap
 - workflow-controller-configmap
 - --executor-image
- - gcr.io/ml-pipeline/argoexec:v3.2.3-license-compliance
+ - gcr.io/ml-pipeline/argoexec:v3.3.8-license-compliance
 resources:
 requests:
 cpu: 100m
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/Kptfile b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/Kptfile
index 9f7d43c895..3b21f24bbe 100644
--- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/Kptfile
+++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/Kptfile
@@ -7,12 +7,12 @@ upstream:
 git:
 repo: https://github.com/argoproj/argo-workflows
 directory: /manifests
- ref: v3.2.3
+ ref: v3.3.8
 updateStrategy: resource-merge
 upstreamLock:
 type: git
 git:
 repo: https://github.com/argoproj/argo-workflows
 directory: /manifests
- ref: v3.2.3
- commit: e5dc961b7846efe0fe36ab3a0964180eaedd2672
+ ref: v3.3.8
+ commit: 621b0d1a8e09634666ebe403ee7b8fc29db1dc4e
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/argo-server/argo-server-deployment.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/argo-server/argo-server-deployment.yaml
index b1f16b8d5a..479de12103 100644
--- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/argo-server/argo-server-deployment.yaml
+++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/argo-server/argo-server-deployment.yaml
@@ -16,10 +16,14 @@ spec:
 - name: argo-server
 image: quay.io/argoproj/argocli:latest
 securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
 args: [server]
+ env: []
 ports:
 - name: web
 containerPort: 2746
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_clusterworkflowtemplates.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_clusterworkflowtemplates.yaml
index 3e833bb1a2..149d63b6df 100644
--- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_clusterworkflowtemplates.yaml
+++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_clusterworkflowtemplates.yaml
@@ -726,88 +726,495 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string type: array - globalName: - type: string - name: - type: string - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - key: - type: string - name: + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array + type: object + artifactRepositoryRef: + properties: + configMap: + type: string + key: + type: string + type: object + automountServiceAccountToken: + type: boolean + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + dnsPolicy: + type: string + entrypoint: + type: string + executor: + properties: + serviceAccountName: + type: string + type: object + hooks: + additionalProperties: + properties: + arguments: + properties: + artifacts: + items: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - 
key + type: object + required: + - url + type: object + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - key + type: object + git: + properties: + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + repo: + type: string + revision: + type: string + sshPrivateKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbConfigConfigMap: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbKeytabSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - 
url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + securityToken: + type: string + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string + required: + - data + type: object + recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: array + parameters: + items: + properties: + default: + type: string + description: + type: string + enum: + items: type: string - 
optional: - type: boolean - required: - - key - type: object - default: - type: string - event: - type: string - expression: - type: string - jqFilter: - type: string - jsonPath: - type: string - parameter: - type: string - path: - type: string - supplied: - type: object - type: object - required: - - name + type: array + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array type: object - type: array - type: object - artifactRepositoryRef: - properties: - configMap: - type: string - key: - type: string - type: object - automountServiceAccountToken: - type: boolean - dnsConfig: - properties: - nameservers: - items: + expression: type: string - type: array - options: - items: + template: + type: string + templateRef: properties: + clusterScope: + type: boolean name: type: string - value: + template: type: string type: object - type: array - searches: - items: - type: string - type: array - type: object - dnsPolicy: - type: string - entrypoint: - type: string - executor: - properties: - serviceAccountName: - type: string + type: object type: object hostAliases: items: @@ -1072,6 +1479,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -1974,6 +2383,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -2068,6 +2487,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2198,6 +2627,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -2214,6 +2645,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2534,6 +2975,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2628,6 +3079,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2758,6 +3219,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -2774,6 +3237,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2878,6 +3351,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: @@ -3252,6 +3737,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -3653,6 +4140,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string 
@@ -3698,10 +4187,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -4151,8 +4649,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -4372,6 +4874,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -4468,6 +4980,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -4598,6 +5120,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -4614,6 +5138,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -5058,6 +5592,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -5549,6 +6085,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -5599,6 +6137,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: @@ -5868,6 +6408,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -5962,6 +6512,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6092,6 +6652,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6110,6 +6672,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6272,6 +6844,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6489,6 +7063,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6585,6 +7169,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6715,6 +7309,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6731,6 +7327,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -7091,6 +7697,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: 
@@ -8424,6 +9042,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -8518,6 +9146,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -8648,6 +9286,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -8664,6 +9304,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -8984,6 +9634,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -9078,6 +9738,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -9208,6 +9878,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -9224,6 +9896,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -9328,6 +10010,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: 
@@ -9702,6 +10396,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -10103,6 +10799,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -10148,10 +10846,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -10601,8 +11308,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -10822,6 +11533,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -10918,6 +11639,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -11048,6 +11779,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -11064,6 +11797,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -11508,6 +12251,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -11999,6 +12744,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -12049,6 +12796,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: 
@@ -12318,6 +13067,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -12412,6 +13171,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -12542,6 +13311,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -12560,6 +13331,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -12722,6 +13503,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -12939,6 +13722,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -13035,6 +13828,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -13165,6 +13968,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -13181,6 +13986,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -13541,6 +14356,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -14064,6 +14891,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -14119,6 +14958,14 @@ spec: items: type: string type: array + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object capacity: additionalProperties: anyOf: @@ -14151,6 +14998,8 @@ spec: type: array phase: type: string + resizeStatus: + type: string type: object type: object type: array @@ -14361,6 +15210,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -14823,6 +15684,24 @@ spec: type: object type: array workflowMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + labelsFrom: + additionalProperties: + properties: + expression: + type: string + required: + - expression + type: object + type: object type: object workflowTemplateRef: properties: diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_cronworkflows.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_cronworkflows.yaml index cf9c144d7e..a29cb602cc 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_cronworkflows.yaml 
+++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_cronworkflows.yaml 
@@ -747,88 +747,495 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string type: array - globalName: - type: string - name: - type: string - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - key: - type: string - name: + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array + type: object + artifactRepositoryRef: + properties: + configMap: + type: string + key: + type: string + type: object + automountServiceAccountToken: + type: boolean + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + dnsPolicy: + type: string + entrypoint: + type: string + executor: + properties: + serviceAccountName: + type: string + type: object + hooks: + additionalProperties: + properties: + arguments: + properties: + artifacts: + items: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - 
key + type: object + required: + - url + type: object + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - key + type: object + git: + properties: + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + repo: + type: string + revision: + type: string + sshPrivateKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbConfigConfigMap: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbKeytabSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - 
url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + securityToken: + type: string + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string + required: + - data + type: object + recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: array + parameters: + items: + properties: + default: + type: string + description: + type: string + enum: + items: type: string - 
optional: - type: boolean - required: - - key - type: object - default: - type: string - event: - type: string - expression: - type: string - jqFilter: - type: string - jsonPath: - type: string - parameter: - type: string - path: - type: string - supplied: - type: object - type: object - required: - - name + type: array + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array type: object - type: array - type: object - artifactRepositoryRef: - properties: - configMap: - type: string - key: - type: string - type: object - automountServiceAccountToken: - type: boolean - dnsConfig: - properties: - nameservers: - items: + expression: type: string - type: array - options: - items: + template: + type: string + templateRef: properties: + clusterScope: + type: boolean name: type: string - value: + template: type: string type: object - type: array - searches: - items: - type: string - type: array - type: object - dnsPolicy: - type: string - entrypoint: - type: string - executor: - properties: - serviceAccountName: - type: string + type: object type: object hostAliases: items: @@ -1093,6 +1500,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -1995,6 +2404,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -2089,6 +2508,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2219,6 +2648,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -2235,6 +2666,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2555,6 +2996,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2649,6 +3100,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2779,6 +3240,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -2795,6 +3258,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2899,6 +3372,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: @@ -3273,6 +3758,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -3674,6 +4161,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string 
@@ -3719,10 +4208,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -4172,8 +4670,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -4393,6 +4895,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -4489,6 +5001,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -4619,6 +5141,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -4635,6 +5159,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -5079,6 +5613,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -5570,6 +6106,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -5620,6 +6158,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: @@ -5889,6 +6429,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -5983,6 +6533,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6113,6 +6673,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6131,6 +6693,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6293,6 +6865,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6510,6 +7084,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6606,6 +7190,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6736,6 +7330,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6752,6 +7348,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -7112,6 +7718,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: 
@@ -8445,6 +9063,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -8539,6 +9167,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -8669,6 +9307,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -8685,6 +9325,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -9005,6 +9655,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -9099,6 +9759,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -9229,6 +9899,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -9245,6 +9917,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -9349,6 +10031,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: 
@@ -9723,6 +10417,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -10124,6 +10820,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -10169,10 +10867,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -10622,8 +11329,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -10843,6 +11554,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -10939,6 +11660,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -11069,6 +11800,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -11085,6 +11818,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -11529,6 +12272,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -12020,6 +12765,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -12070,6 +12817,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: 
@@ -12339,6 +13088,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -12433,6 +13192,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -12563,6 +13332,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -12581,6 +13352,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -12743,6 +13524,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -12960,6 +13743,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -13056,6 +13849,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -13186,6 +13989,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -13202,6 +14007,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -13562,6 +14377,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -14085,6 +14912,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -14140,6 +14979,14 @@ spec: items: type: string type: array + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object capacity: additionalProperties: anyOf: @@ -14172,6 +15019,8 @@ spec: type: array phase: type: string + resizeStatus: + type: string type: object type: object type: array @@ -14382,6 +15231,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -14843,6 +15704,26 @@ spec: - name type: object type: array + workflowMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + labelsFrom: + additionalProperties: + properties: + expression: + type: string + required: + - expression + type: object + type: object + type: object workflowTemplateRef: properties: clusterScope: diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workfloweventbindings.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workfloweventbindings.yaml index 18ef078678..b94ed5b9a6 100644 
--- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workfloweventbindings.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workfloweventbindings.yaml @@ -375,6 +375,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflows.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflows.yaml index ff123591ef..ac4e73396c 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflows.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflows.yaml @@ -735,6 +735,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string 
@@ -818,6 +820,411 @@ spec: serviceAccountName: type: string type: object + hooks: + additionalProperties: + properties: + arguments: + properties: + artifacts: + items: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - url + type: object + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - key + type: object + git: + properties: + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + repo: + type: string + revision: + type: string + sshPrivateKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + type: string + 
optional: + type: boolean + required: + - key + type: object + krbConfigConfigMap: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbKeytabSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + securityToken: + type: string + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string + required: + - data + type: object + recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + 
kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: array + parameters: + items: + properties: + default: + type: string + description: + type: string + enum: + items: + type: string + type: array + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array + type: object + expression: + type: string + template: + type: string + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object + type: object + type: object hostAliases: items: properties: @@ -1081,6 +1488,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -1983,6 +2392,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -2077,6 +2496,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2207,6 +2636,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -2223,6 +2654,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2543,6 +2984,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2637,6 +3088,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2767,6 +3228,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -2783,6 +3246,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2887,6 +3360,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: @@ -3261,6 +3746,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -3662,6 +4149,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string 
@@ -3707,10 +4196,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -4160,8 +4658,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -4381,6 +4883,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -4477,6 +4989,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -4607,6 +5129,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -4623,6 +5147,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -5067,6 +5601,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -5558,6 +6094,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -5608,6 +6146,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: @@ -5877,6 +6417,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -5971,6 +6521,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6101,6 +6661,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6119,6 +6681,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6281,6 +6853,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6498,6 +7072,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6594,6 +7178,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6724,6 +7318,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6740,6 +7336,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -7100,6 +7706,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: 
@@ -8433,100 +9051,120 @@ spec: failureThreshold: format: int32 type: integer - httpGet: + grpc: properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - path: - type: string port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + 
command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true required: - port type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - name: - type: string - ports: - items: - properties: - containerPort: - format: int32 - type: integer - hostIP: - type: string - hostPort: - format: int32 - type: integer - name: - type: string - protocol: - default: TCP - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - type: object - failureThreshold: - format: int32 - type: integer httpGet: properties: host: @@ -8657,6 +9295,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -8673,6 +9313,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -8993,6 +9643,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -9087,152 +9747,174 @@ spec: failureThreshold: format: int32 type: integer - httpGet: + grpc: properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - path: - type: string port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true required: - port type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - securityContext: - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - properties: - add: - items: - type: string - type: array - drop: - items: - type: string - type: array - type: object - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - type: object - seccompProfile: - properties: - localhostProfile: - type: string - type: - type: string - required: - - type - type: object - windowsOptions: - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - runAsUserName: - type: string - type: object - type: object - startupProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - type: object - failureThreshold: - format: int32 - type: integer httpGet: properties: host: @@ -9337,6 +10019,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: @@ -9711,6 +10405,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -10112,6 +10808,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string 
@@ -10157,10 +10855,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -10610,8 +11317,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -10831,6 +11542,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -10927,6 +11648,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -11057,6 +11788,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -11073,6 +11806,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -11517,6 +12260,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -12008,6 +12753,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -12058,6 +12805,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: @@ -12327,6 +13076,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -12421,6 +13180,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -12551,6 +13320,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -12569,6 +13340,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -12731,6 +13512,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -12948,6 +13731,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -13044,6 +13837,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -13174,6 +13977,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -13190,6 +13995,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -13550,6 +14365,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: 
@@ -14073,6 +14900,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -14128,6 +14967,14 @@ spec: items: type: string type: array + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object capacity: additionalProperties: anyOf: @@ -14160,6 +15007,8 @@ spec: type: array phase: type: string + resizeStatus: + type: string type: object type: object type: array @@ -14370,6 +15219,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -14831,6 +15692,26 @@ spec: - name type: object type: array + workflowMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + labelsFrom: + additionalProperties: + properties: + expression: + type: string + required: + - expression + type: object + type: object + type: object workflowTemplateRef: properties: clusterScope: @@ -15446,6 +16327,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -15854,6 +16737,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -16285,6 +17170,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string 
@@ -16539,6 +17426,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -17883,6 +18782,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -17977,6 +18886,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -18107,6 +19026,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -18123,6 +19044,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -18443,6 +19374,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -18537,6 +19478,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -18667,6 +19618,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -18683,6 +19636,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -18787,6 +19750,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: @@ -19161,6 +20136,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -19562,6 +20539,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -19607,10 +20586,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -20060,8 +21048,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -20281,6 +21273,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -20377,6 +21379,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -20507,6 +21519,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -20523,6 +21537,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -20967,6 +21991,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string 
@@ -21458,6 +22484,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -21508,6 +22536,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: 
@@ -21777,100 +22807,120 @@ spec: failureThreshold: format: int32 type: integer - httpGet: + grpc: properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - path: - type: string port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + 
command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true required: - port type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - name: - type: string - ports: - items: - properties: - containerPort: - format: int32 - type: integer - hostIP: - type: string - hostPort: - format: int32 - type: integer - name: - type: string - protocol: - default: TCP - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - type: object - failureThreshold: - format: int32 - type: integer httpGet: properties: host: @@ -22001,6 +23051,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -22019,6 +23071,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -22181,6 +23243,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -22398,6 +23462,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -22494,152 +23568,174 @@ spec: failureThreshold: format: int32 type: integer - httpGet: + grpc: properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - path: - type: string port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true required: - port type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - securityContext: - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - properties: - add: - items: - type: string - type: array - drop: - items: - type: string - type: array - type: object - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - type: object - seccompProfile: - properties: - localhostProfile: - type: string - type: - type: string - required: - - type - type: object - windowsOptions: - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - runAsUserName: - type: string - type: object - type: object - startupProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - type: object - failureThreshold: - format: int32 - type: integer httpGet: properties: host: @@ -23000,6 +24096,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -24164,6 +25272,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string 
@@ -24247,6 +25357,411 @@ spec: serviceAccountName: type: string type: object + hooks: + additionalProperties: + properties: + arguments: + properties: + artifacts: + items: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - url + type: object + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - key + type: object + git: + properties: + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + repo: + type: string + revision: + type: string + sshPrivateKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + type: string + 
optional: + type: boolean + required: + - key + type: object + krbConfigConfigMap: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbKeytabSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + securityToken: + type: string + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string + required: + - data + type: object + recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + 
kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: array + parameters: + items: + properties: + default: + type: string + description: + type: string + enum: + items: + type: string + type: array + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array + type: object + expression: + type: string + template: + type: string + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object + type: object + type: object hostAliases: items: properties: @@ -24510,6 +26025,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -25412,6 +26929,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -25506,6 +27033,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -25636,6 +27173,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -25652,6 +27191,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -25972,6 +27521,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -26066,6 +27625,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -26196,6 +27765,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -26212,6 +27783,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -26316,6 +27897,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: @@ -26690,6 +28283,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -27091,6 +28686,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string 
@@ -27136,10 +28733,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -27589,8 +29195,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -27810,6 +29420,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -27906,6 +29526,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -28036,6 +29666,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -28052,6 +29684,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -28496,6 +30138,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -28987,6 +30631,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -29037,6 +30683,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: @@ -29306,6 +30954,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -29400,6 +31058,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -29530,6 +31198,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -29548,6 +31218,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -29710,6 +31390,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -29927,6 +31609,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -30023,6 +31715,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -30153,6 +31855,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -30169,6 +31873,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -30529,6 +32243,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: 
@@ -31862,6 +33588,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -31956,6 +33692,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -32086,6 +33832,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -32102,6 +33850,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -32422,6 +34180,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -32516,6 +34284,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -32646,6 +34424,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -32662,6 +34442,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -32766,6 +34556,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: 
@@ -33140,6 +34942,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -33541,6 +35345,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -33586,10 +35392,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -34039,8 +35854,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -34260,6 +36079,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -34356,6 +36185,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -34486,6 +36325,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -34502,6 +36343,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -34946,6 +36797,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -35437,6 +37290,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -35487,6 +37342,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: 
@@ -35756,6 +37613,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -35850,6 +37717,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -35980,6 +37857,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -35998,6 +37877,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -36160,6 +38049,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -36377,6 +38268,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -36473,6 +38374,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -36603,6 +38514,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -36619,6 +38532,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -36979,6 +38902,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -37502,6 +39437,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -37557,6 +39504,14 @@ spec: items: type: string type: array + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object capacity: additionalProperties: anyOf: @@ -37589,6 +39544,8 @@ spec: type: array phase: type: string + resizeStatus: + type: string type: object type: object type: array @@ -37799,6 +39756,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -38260,6 +40229,26 @@ spec: - name type: object type: array + workflowMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + labelsFrom: + additionalProperties: + properties: + expression: + type: string + required: + - expression + type: object + type: object + type: object workflowTemplateRef: properties: clusterScope: diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtaskresults.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtaskresults.yaml new file mode 100644 index 0000000000..8d7803e208 --- /dev/null 
+++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtaskresults.yaml 
@@ -0,0 +1,426 @@ +# This is an auto-generated file. DO NOT EDIT +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: # kpt-merge: /workflowtaskresults.argoproj.io + name: workflowtaskresults.argoproj.io +spec: + group: argoproj.io + names: + kind: WorkflowTaskResult + listKind: WorkflowTaskResultList + plural: workflowtaskresults + singular: workflowtaskresult + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + message: + type: string + metadata: + type: object + outputs: + properties: + artifacts: + items: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - url + type: object + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - key + type: object + git: + properties: + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + repo: + type: string + revision: + type: string + sshPrivateKeySecret: + properties: + key: + type: string + name: + type: string + optional: 
+ type: boolean + required: + - key + type: object + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbConfigConfigMap: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbKeytabSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + securityToken: + type: string + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string 
+ required: + - data + type: object + recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: array + exitCode: + type: string + parameters: + items: + properties: + default: + type: string + description: + type: string + enum: + items: + type: string + type: array + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array + result: + type: string + type: object + phase: + type: string + progress: + type: string + required: + - metadata + type: object + served: true + storage: true 
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtasksets.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtasksets.yaml index 627eb7681d..de25052a2b 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtasksets.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtasksets.yaml @@ -897,6 +897,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -991,6 +1001,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -1121,6 +1141,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -1137,6 +1159,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -1457,6 +1489,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -1551,6 +1593,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -1681,6 +1733,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object 
@@ -1697,6 +1751,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -1801,6 +1865,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: @@ -2175,6 +2251,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -2576,6 +2654,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -2621,10 +2701,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -3074,8 +3163,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -3295,6 +3388,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -3391,6 +3494,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -3521,6 +3634,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object 
@@ -3537,6 +3652,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -3981,6 +4106,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -4472,6 +4599,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -4522,6 +4651,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: @@ -4791,6 +4922,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -4885,6 +5026,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -5015,6 +5166,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -5033,6 +5186,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -5195,6 +5358,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -5412,6 +5577,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -5508,6 +5683,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -5638,6 +5823,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -5654,6 +5841,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6014,6 +6211,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -6827,6 +7036,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -6876,6 +7087,8 @@ spec: type: object phase: type: string + progress: + type: string type: object type: object type: object @@ -6885,3 +7098,5 @@ spec: type: object served: true storage: true + subresources: + status: {} diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtemplates.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtemplates.yaml index 409389e0d3..5b713755aa 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtemplates.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtemplates.yaml 
@@ -725,88 +725,495 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string type: array - globalName: - type: string - name: - type: string - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - key: - type: string - name: + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array + type: object + artifactRepositoryRef: + properties: + configMap: + type: string + key: + type: string + type: object + automountServiceAccountToken: + type: boolean + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + dnsPolicy: + type: string + entrypoint: + type: string + executor: + properties: + serviceAccountName: + type: string + type: object + hooks: + additionalProperties: + properties: + arguments: + properties: + artifacts: + items: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - 
key + type: object + required: + - url + type: object + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - key + type: object + git: + properties: + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + repo: + type: string + revision: + type: string + sshPrivateKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbConfigConfigMap: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbKeytabSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - 
url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + securityToken: + type: string + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string + required: + - data + type: object + recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: array + parameters: + items: + properties: + default: + type: string + description: + type: string + enum: + items: type: string - 
optional: - type: boolean - required: - - key - type: object - default: - type: string - event: - type: string - expression: - type: string - jqFilter: - type: string - jsonPath: - type: string - parameter: - type: string - path: - type: string - supplied: - type: object - type: object - required: - - name + type: array + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array type: object - type: array - type: object - artifactRepositoryRef: - properties: - configMap: - type: string - key: - type: string - type: object - automountServiceAccountToken: - type: boolean - dnsConfig: - properties: - nameservers: - items: + expression: type: string - type: array - options: - items: + template: + type: string + templateRef: properties: + clusterScope: + type: boolean name: type: string - value: + template: type: string type: object - type: array - searches: - items: - type: string - type: array - type: object - dnsPolicy: - type: string - entrypoint: - type: string - executor: - properties: - serviceAccountName: - type: string + type: object type: object hostAliases: items: @@ -1071,6 +1478,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -1973,6 +2382,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -2067,6 +2486,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2197,6 +2626,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -2213,6 +2644,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2533,6 +2974,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2627,6 +3078,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2757,6 +3218,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -2773,6 +3236,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -2877,6 +3350,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: @@ -3251,6 +3736,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -3652,6 +4139,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string 
@@ -3697,10 +4186,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -4150,8 +4648,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -4371,6 +4873,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -4467,6 +4979,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -4597,6 +5119,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -4613,6 +5137,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -5057,6 +5591,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -5548,6 +6084,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -5598,6 +6136,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: @@ -5867,6 +6407,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -5961,6 +6511,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6091,6 +6651,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6109,6 +6671,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6271,6 +6843,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6488,6 +7062,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6584,6 +7168,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -6714,6 +7308,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -6730,6 +7326,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -7090,6 +7696,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: 
@@ -8423,6 +9041,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -8517,6 +9145,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -8647,6 +9285,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -8663,6 +9303,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -8983,6 +9633,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -9077,6 +9737,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -9207,6 +9877,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -9223,6 +9895,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -9327,6 +10009,18 @@ spec: - name type: object type: array + retryStrategy: + properties: + duration: + type: string + retries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - retries + type: object volumeMounts: items: properties: 
@@ -9701,6 +10395,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -10102,6 +10798,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -10147,10 +10845,19 @@ spec: type: object type: array type: object + expression: + type: string template: type: string - required: - - template + templateRef: + properties: + clusterScope: + type: boolean + name: + type: string + template: + type: string + type: object type: object type: object inline: {} @@ -10600,8 +11307,12 @@ spec: - name type: object type: array + insecureSkipVerify: + type: boolean method: type: string + successCondition: + type: string timeoutSeconds: format: int64 type: integer @@ -10821,6 +11532,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -10917,6 +11638,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -11047,6 +11778,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -11063,6 +11796,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -11507,6 +12250,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -11998,6 +12743,8 @@ spec: properties: default: type: string + description: + type: string enum: items: type: string @@ -12048,6 +12795,8 @@ spec: parallelism: format: int64 type: integer + plugin: + type: object podSpecPatch: type: string priority: 
@@ -12317,6 +13066,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -12411,6 +13170,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -12541,6 +13310,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -12559,6 +13330,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -12721,6 +13502,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -12938,6 +13721,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -13034,6 +13827,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: @@ -13164,6 +13967,8 @@ spec: type: string gmsaCredentialSpecName: type: string + hostProcess: + type: boolean runAsUserName: type: string type: object @@ -13180,6 +13985,16 @@ spec: failureThreshold: format: int32 type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object httpGet: properties: host: 
@@ -13540,6 +14355,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -14063,6 +14890,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -14118,6 +14957,14 @@ spec: items: type: string type: array + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object capacity: additionalProperties: anyOf: @@ -14150,6 +14997,8 @@ spec: type: array phase: type: string + resizeStatus: + type: string type: object type: object type: array @@ -14360,6 +15209,18 @@ spec: - kind - name type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object resources: properties: limits: @@ -14822,6 +15683,24 @@ spec: type: object type: array workflowMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + labelsFrom: + additionalProperties: + properties: + expression: + type: string + required: + - expression + type: object + type: object type: object workflowTemplateRef: properties: diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/kustomization.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/kustomization.yaml index 9204c2a296..62ba49061d 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/kustomization.yaml 
+++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/full/kustomization.yaml @@ -7,3 +7,4 @@ resources: - argoproj.io_workflowtemplates.yaml - argoproj.io_workfloweventbindings.yaml - argoproj.io_workflowtasksets.yaml +- argoproj.io_workflowtaskresults.yaml diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtaskresults.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtaskresults.yaml new file mode 100644 index 0000000000..6ef09a57c2 --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtaskresults.yaml 
@@ -0,0 +1,425 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: # kpt-merge: /workflowtaskresults.argoproj.io + name: workflowtaskresults.argoproj.io +spec: + group: argoproj.io + names: + kind: WorkflowTaskResult + listKind: WorkflowTaskResultList + plural: workflowtaskresults + singular: workflowtaskresult + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + message: + type: string + metadata: + type: object + outputs: + properties: + artifacts: + items: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - url + type: object + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - key + type: object + git: + properties: + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + repo: + type: string + revision: + type: string + sshPrivateKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: 
object + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbConfigConfigMap: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbKeytabSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + securityToken: + type: string + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string + required: + - data + type: object + 
recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: array + exitCode: + type: string + parameters: + items: + properties: + default: + type: string + description: + type: string + enum: + items: + type: string + type: array + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array + result: + type: string + type: object + phase: + type: string + progress: + type: string + required: + - metadata + type: object + served: true + storage: true 
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtasksets.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtasksets.yaml index 0cb8b6adcd..9620d8e72e 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtasksets.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtasksets.yaml @@ -37,3 +37,5 @@ spec: type: object served: true storage: true + subresources: + status: {} diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/kustomization.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/kustomization.yaml index 9204c2a296..62ba49061d 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/kustomization.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/crds/minimal/kustomization.yaml @@ -7,3 +7,4 @@ resources: - argoproj.io_workflowtemplates.yaml - argoproj.io_workfloweventbindings.yaml - argoproj.io_workflowtasksets.yaml +- argoproj.io_workflowtaskresults.yaml diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/kustomization.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/kustomization.yaml index e3b2bf3b74..9b852afc6d 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/kustomization.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/kustomization.yaml @@ -5,3 +5,4 @@ resources: - workflow-controller-deployment.yaml - workflow-controller-sa.yaml - workflow-controller-metrics-service.yaml +- workflow-controller-priorityclass.yaml 
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-deployment.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-deployment.yaml index 6d8315b5db..27ebd138dc 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-deployment.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-deployment.yaml @@ -11,6 +11,7 @@ spec: labels: app: workflow-controller spec: + priorityClassName: workflow-controller serviceAccountName: argo containers: - name: workflow-controller diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-metrics-service.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-metrics-service.yaml index c646a2482f..525f0a2092 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-metrics-service.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-metrics-service.yaml @@ -4,6 +4,11 @@ metadata: # kpt-merge: /workflow-controller-metrics name: workflow-controller-metrics labels: app: workflow-controller + annotations: + workflows.argoproj.io/description: | + This service is deprecated. It will be removed in v3.4. + + https://github.com/argoproj/argo-workflows/issues/8441 spec: selector: app: workflow-controller diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-priorityclass.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-priorityclass.yaml new file mode 100644 index 0000000000..37a7716a44 --- /dev/null 
+++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/base/workflow-controller/workflow-controller-priorityclass.yaml @@ -0,0 +1,5 @@ +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: # kpt-merge: /workflow-controller + name: workflow-controller +value: 1000000 diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/argo-server-rbac/argo-server-clusterole.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/argo-server-rbac/argo-server-clusterole.yaml index 506221526a..fa214417ce 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/argo-server-rbac/argo-server-clusterole.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/argo-server-rbac/argo-server-clusterole.yaml @@ -18,6 +18,8 @@ rules: verbs: - get - create + - list + - watch - apiGroups: - "" resources: @@ -44,6 +46,7 @@ rules: verbs: - get - list + - watch - apiGroups: - argoproj.io resources: diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/kustomization.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/kustomization.yaml index 7f5d34ea7f..bfdc9ec83d 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/kustomization.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/kustomization.yaml @@ -4,3 +4,4 @@ resources: - ../base - ./workflow-controller-rbac - ./argo-server-rbac +namespace: argo diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml index 043dda81d0..e14d00ba84 100644 
--- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml @@ -28,8 +28,10 @@ rules: - "" resources: - persistentvolumeclaims + - persistentvolumeclaims/finalizers verbs: - create + - update - delete - get - apiGroups: @@ -58,6 +60,14 @@ rules: - get - list - watch +- apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - list + - watch + - deletecollection - apiGroups: - "" resources: diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/argo-server-rbac/argo-server-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/argo-server-rbac/argo-server-role.yaml index ca14f4c34f..cff53deabb 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/argo-server-rbac/argo-server-role.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/argo-server-rbac/argo-server-role.yaml @@ -18,6 +18,8 @@ rules: verbs: - get - create + - list + - watch - apiGroups: - "" resources: @@ -44,6 +46,7 @@ rules: verbs: - get - list + - watch - apiGroups: - argoproj.io resources: diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/overlays/argo-server-deployment.json b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/overlays/argo-server-deployment.json deleted file mode 100644 index b8d82b0c75..0000000000 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/overlays/argo-server-deployment.json +++ /dev/null @@ -1,7 +0,0 @@ -[ - { - "op": "add", - "path": "/spec/template/spec/containers/0/args/-", - "value": "--namespaced" - } -] 
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/overlays/workflow-controller-deployment.json b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/overlays/workflow-controller-deployment.json deleted file mode 100644 index b8d82b0c75..0000000000 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/overlays/workflow-controller-deployment.json +++ /dev/null @@ -1,7 +0,0 @@ -[ - { - "op": "add", - "path": "/spec/template/spec/containers/0/args/-", - "value": "--namespaced" - } -] diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/workflow-controller-rbac/workflow-controller-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/workflow-controller-rbac/workflow-controller-role.yaml index 5aeb8791fc..22a7751bde 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/workflow-controller-rbac/workflow-controller-role.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/namespace-install/workflow-controller-rbac/workflow-controller-role.yaml @@ -36,8 +36,10 @@ rules: - "" resources: - persistentvolumeclaims + - persistentvolumeclaims/finalizers verbs: - create + - update - delete - get - apiGroups: @@ -71,6 +73,21 @@ rules: verbs: - get - list + - apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - list + - watch + - deletecollection + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list - apiGroups: - "" resources: diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-default-rolebinding.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-default-rolebinding.yaml new file mode 100644 index 0000000000..0c21120ca4 --- /dev/null 
+++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-default-rolebinding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: # kpt-merge: /agent-default + name: agent-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: agent +subjects: + - kind: ServiceAccount + name: default diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-role.yaml new file mode 100644 index 0000000000..6bd90ea719 --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-role.yaml @@ -0,0 +1,24 @@ +# https://argoproj.github.io/argo-workflows/workflow-rbac/ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: # kpt-merge: /agent + name: agent + annotations: + workflows.argoproj.io/description: | + This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates. + + If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`. +rules: + - apiGroups: + - argoproj.io + resources: + - workflowtasksets + verbs: + - list + - watch + - apiGroups: + - argoproj.io + resources: + - workflowtasksets/status + verbs: + - patch diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor-default-rolebinding.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor-default-rolebinding.yaml new file mode 100644 index 0000000000..428373639a --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor-default-rolebinding.yaml 
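Review bot: This RoleBinding, like the sibling `executor-default` and `memoizer-default` bindings added in the same commit, attaches the Role to the namespace's `default` ServiceAccount, so every pod in the quick-start namespace that does not set `serviceAccountName` silently inherits the agent's `workflowtasksets` list/watch and `workflowtasksets/status` patch permissions. That is a reasonable shortcut for a demo, but nothing in the manifest says it is one, and these files tend to get copied into real installs. A `workflows.argoproj.io/description` annotation on the binding, along the lines of `Quick-start only: binds to the default ServiceAccount, which every pod in the namespace uses unless it sets serviceAccountName; use a dedicated ServiceAccount outside of demos.`, would make the scope explicit.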
@@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: # kpt-merge: /executor-default + name: executor-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: executor +subjects: + - kind: ServiceAccount + name: default diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/docker/executor-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/docker/executor-role.yaml new file mode 100644 index 0000000000..6cf15278da --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/docker/executor-role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: # kpt-merge: /executor + name: executor + annotations: + workflows.argoproj.io/description: | + Recommended minimum permissions for the `docker` executor. + + This executor is superseded by the `emmisary` executor, so we do not recommend you use it anymore. +rules: + - apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - create + - patch diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/emissary/executor-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/emissary/executor-role.yaml new file mode 100644 index 0000000000..89a3b410fc --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/emissary/executor-role.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: # kpt-merge: /executor + name: executor + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `emissary` executor. +rules: + - apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - create + - patch 
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/k8sapi/executor-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/k8sapi/executor-role.yaml new file mode 100644 index 0000000000..02da8765e1 --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/k8sapi/executor-role.yaml @@ -0,0 +1,36 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: # kpt-merge: /executor + name: executor + annotations: + workflows.argoproj.io/description: | + Recommended minimum permissions for `k8siapi` executor. + + This executor is superseded by the `emmisary` executor, so we do not recommend you use it anymore. +rules: + - apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/kubelet/executor-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/kubelet/executor-role.yaml new file mode 100644 index 0000000000..22340524d4 --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/kubelet/executor-role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: # kpt-merge: /executor + name: executor + annotations: + workflows.argoproj.io/description: | + Recommended minimum permissions for `kubelet` executor. + + This executor is superseded by the `emmisary` executor, so we do not recommend you use it anymore. +rules: + - apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - create + - patch 
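Review bot: The `k8sapi` Role grants `create` on `pods/exec`, which allows any subject bound to it to run commands inside every pod of the namespace, not only the workflow's own pods; the annotation only says the executor is superseded and does not mention this. Because `executor-default-rolebinding.yaml` binds a Role named `executor` to the `default` ServiceAccount, selecting this overlay in place of the emissary one would hand `pods/exec` to every pod using the default account. Suggest extending the annotation with a sentence such as `Grants pods/exec create for the whole namespace; do not bind this Role to a shared ServiceAccount.` The annotations in this hunk and the `kubelet` one also misspell `k8siapi` and `emmisary`.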
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/kubelet-executor-clusterrole.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/kubelet/kubelet-executor-clusterrole.yaml similarity index 100% rename from apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/kubelet-executor-clusterrole.yaml rename to apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/kubelet/kubelet-executor-clusterrole.yaml diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/kubelet-executor-default-clusterrolebinding.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/kubelet/kubelet-executor-default-clusterrolebinding.yaml similarity index 100% rename from apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/kubelet-executor-default-clusterrolebinding.yaml rename to apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/kubelet/kubelet-executor-default-clusterrolebinding.yaml diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/pns/executor-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/pns/executor-role.yaml new file mode 100644 index 0000000000..50fae28073 --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/executor/pns/executor-role.yaml 
@@ -0,0 +1,27 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: # kpt-merge: /executor + name: executor + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for `pns` executor. +rules: + - apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - watch + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/kustomization.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/kustomization.yaml index 8d9f7a8d40..ceef08adfb 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/kustomization.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/kustomization.yaml @@ -5,10 +5,14 @@ resources: - minio - webhooks - argo-server-sso-secret.yaml - - workflow-role.yaml - - kubelet-executor-clusterrole.yaml - - kubelet-executor-default-clusterrolebinding.yaml - - workflow-default-rolebinding.yaml + - executor/emissary/executor-role.yaml + - executor-default-rolebinding.yaml + - pod-manager-role.yaml + - pod-manager-default-rolebinding.yaml + - workflow-manager-role.yaml + - workflow-manager-default-rolebinding.yaml + - agent-role.yaml + - agent-default-rolebinding.yaml - cluster-workflow-template-rbac.yaml - artifact-repositories-configmap.yaml patchesStrategicMerge: diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/memoizer-default-rolebinding.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/memoizer-default-rolebinding.yaml new file mode 100644 index 0000000000..926858e36d --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/memoizer-default-rolebinding.yaml 
@@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: # kpt-merge: /memoizer-default + name: memoizer-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: memoizer +subjects: + - kind: ServiceAccount + name: default diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/memoizer-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/memoizer-role.yaml new file mode 100644 index 0000000000..84ddab79e4 --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/memoizer-role.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: # kpt-merge: /memoizer + name: memoizer + annotations: + workflows.argoproj.io/description: | + Only needed if you are using ConfigMap-based cache for memoization. +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - update diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/minio-deploy.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/minio-deploy.yaml index 4a75c8316e..2ac1da545b 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/minio-deploy.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/minio-deploy.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: main - image: minio/minio:RELEASE.2019-12-17T23-16-33Z + image: minio/minio env: - name: MINIO_ACCESS_KEY value: admin diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/minio-pod.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/minio-pod.yaml deleted file mode 100644 index 8c617a68fa..0000000000 
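Review bot: The `image:` line in the minio-deploy hunk drops the pinned `RELEASE.2019-12-17T23-16-33Z` tag and leaves a bare `minio/minio`, which resolves to a floating tag, so every pull can yield a different build and the quick-start is no longer reproducible. For the component that stores workflow artifacts, pin a release tag and a digest, e.g. `image: minio/minio:<RELEASE-TAG>@sha256:<DIGEST>` (placeholders). The same hunk still carries `MINIO_ACCESS_KEY: admin` as a plain env value; that is pre-existing, but a Secret-backed `valueFrom` is where it belongs if this base is ever reused outside tests.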
--- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/minio-pod.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: # kpt-merge: /minio - name: minio - labels: - app: minio -spec: - containers: - - name: main - image: minio/minio:RELEASE.2019-12-17T23-16-33Z - env: - - name: MINIO_ACCESS_KEY - value: admin - - name: MINIO_SECRET_KEY - value: password - ports: - - containerPort: 9000 - command: [minio, server, /data] - lifecycle: - postStart: - exec: - command: [mkdir, -p, /data/my-bucket] - readinessProbe: - httpGet: - path: /minio/health/ready - port: 9000 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /minio/health/live - port: 9000 - initialDelaySeconds: 5 - periodSeconds: 10 diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/overlays/workflow-controller-configmap.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/overlays/workflow-controller-configmap.yaml index 4cc36b4c6f..89e4fbfa6e 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/overlays/workflow-controller-configmap.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/overlays/workflow-controller-configmap.yaml @@ -5,16 +5,15 @@ data: requests: cpu: 10m memory: 64Mi - containerRuntimeExecutor: docker containerRuntimeExecutors: | - - name: k8sapi - selector: - matchLabels: - workflows.argoproj.io/container-runtime-executor: k8sapi - name: emissary selector: matchLabels: workflows.argoproj.io/container-runtime-executor: emissary + - name: pns + selector: + matchLabels: + workflows.argoproj.io/container-runtime-executor: pns images: | argoproj/argosay:v1: command: [cowsay] 
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/pod-manager-default-rolebinding.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/pod-manager-default-rolebinding.yaml new file mode 100644 index 0000000000..a2e1c35075 --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/pod-manager-default-rolebinding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: # kpt-merge: /pod-manager-default + name: pod-manager-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-manager +subjects: + - kind: ServiceAccount + name: default diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/pod-manager-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/pod-manager-role.yaml new file mode 100644 index 0000000000..e98f0df1c9 --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/pod-manager-role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: # kpt-merge: /pod-manager + name: pod-manager + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other pods. The same pattern would be suitable for other resurces, e.g. a service +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - get + - patch diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-default-rolebinding.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-default-rolebinding.yaml index 52ec46ba53..ebfc4c7dca 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-default-rolebinding.yaml 
+++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-default-rolebinding.yaml @@ -5,7 +5,7 @@ metadata: # kpt-merge: /workflow-default-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: workflow-role + name: workflow subjects: - kind: ServiceAccount name: default diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-manager-default-rolebinding.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-manager-default-rolebinding.yaml new file mode 100644 index 0000000000..5c4b9d2d5c --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-manager-default-rolebinding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: # kpt-merge: /workflow-manager-default + name: workflow-manager-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: workflow-manager +subjects: + - kind: ServiceAccount + name: default diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-manager-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-manager-role.yaml new file mode 100644 index 0000000000..7cebf4b977 --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-manager-role.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: # kpt-merge: /workflow-manager + name: workflow-manager + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other workflows. The same pattern would be suitable for other resurces, e.g. a service +rules: + - apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get 
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-role.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-role.yaml deleted file mode 100644 index d46bb06677..0000000000 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/base/workflow-role.yaml +++ /dev/null @@ -1,63 +0,0 @@ -# https://argoproj.github.io/argo-workflows/workflow-rbac/ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: # kpt-merge: /workflow-role - name: workflow-role -rules: - # pod get/watch is used to identify the container IDs of the current pod - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - # pod patch is used to annotate the step's outputs back to controller (e.g. artifact location) - # This is ONLY needed if the step/task has outputs that are used by another step or task. - - patch - # logs get/watch are used to get the pods logs for script outputs, and for log archival - - apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - watch - # Only needed if you are running the `k8sapi` executor. - - apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - # Only needed if you are using ConfigMap-based cache for memoization. - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - get - - update - # This allows one workflow to create another. - # This is only needed for resource templates. - - apiGroups: - - argoproj.io - resources: - - workflows - verbs: - - create - - get - # This allows agent pod to update the taskset. - # This is only needed for http templates. - - apiGroups: - - argoproj.io - resources: - - workflowtasksets - - workflowtasksets/finalizers - verbs: - - list - - watch - - get - - update - - patch 
diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/minimal/kustomization.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/minimal/kustomization.yaml index 27bb5cb0b4..b376c091eb 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/minimal/kustomization.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/minimal/kustomization.yaml @@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../base +patchesStrategicMerge: + - overlays/workflow-controller-configmap.yaml diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/minimal/overlays/workflow-controller-configmap.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/minimal/overlays/workflow-controller-configmap.yaml new file mode 100644 index 0000000000..870c83a3ab --- /dev/null +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/minimal/overlays/workflow-controller-configmap.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +data: + retentionPolicy: | + completed: 10 + failed: 3 + errored: 3 +kind: ConfigMap +metadata: # kpt-merge: /workflow-controller-configmap + name: workflow-controller-configmap diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/mysql/overlays/workflow-controller-configmap.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/mysql/overlays/workflow-controller-configmap.yaml index 31b15d50bd..146893289b 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/mysql/overlays/workflow-controller-configmap.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/mysql/overlays/workflow-controller-configmap.yaml 
@@ -19,6 +19,10 @@ data: passwordSecret: name: argo-mysql-config key: password + retentionPolicy: | + completed: 10 + failed: 3 + errored: 3 kind: ConfigMap metadata: # kpt-merge: /workflow-controller-configmap name: workflow-controller-configmap diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/postgres/overlays/workflow-controller-configmap.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/postgres/overlays/workflow-controller-configmap.yaml index 28daa5b87e..7c7eb92000 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/postgres/overlays/workflow-controller-configmap.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/postgres/overlays/workflow-controller-configmap.yaml @@ -19,6 +19,10 @@ data: passwordSecret: name: argo-postgres-config key: password + retentionPolicy: | + completed: 10 + failed: 3 + errored: 3 kind: ConfigMap metadata: # kpt-merge: /workflow-controller-configmap name: workflow-controller-configmap diff --git a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/sso/overlays/workflow-controller-configmap.yaml b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/sso/overlays/workflow-controller-configmap.yaml index a5dcef1dba..fb694c07ff 100644 --- a/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/sso/overlays/workflow-controller-configmap.yaml +++ b/apps/kfp-tekton/upstream/third-party/argo/upstream/manifests/quick-start/sso/overlays/workflow-controller-configmap.yaml @@ -2,7 +2,7 @@ apiVersion: v1 data: sso: | issuer: http://dex:5556/dex - issuerAlias: http://mydex:5556/dex + issuerAlias: http://dex:5556/dex clientId: name: argo-server-sso key: clientID @@ -13,6 +13,7 @@ data: scopes: - groups - email + - profile rbac: enabled: true kind: ConfigMap 
diff --git a/apps/kfp-tekton/upstream/third-party/kfp-csi-s3/csi-s3-deployment.yaml b/apps/kfp-tekton/upstream/third-party/kfp-csi-s3/csi-s3-deployment.yaml index 04dd38bd2e..f97a6dcba9 100644 --- a/apps/kfp-tekton/upstream/third-party/kfp-csi-s3/csi-s3-deployment.yaml +++ b/apps/kfp-tekton/upstream/third-party/kfp-csi-s3/csi-s3-deployment.yaml @@ -22,7 +22,7 @@ metadata: apiVersion: v1 kind: ServiceAccount metadata: - name: csi-attacher + name: kfp-csi-attacher # replace with non-default namespace name namespace: kubeflow labels: @@ -42,7 +42,7 @@ metadata: apiVersion: v1 kind: ServiceAccount metadata: - name: csi-provisioner + name: kfp-csi-provisioner # replace with non-default namespace name namespace: kubeflow labels: @@ -104,7 +104,7 @@ rules: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: external-attacher-runner + name: kfp-external-attacher-runner labels: app.kubernetes.io/name: "kubeflow" rules: @@ -132,7 +132,7 @@ rules: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: external-provisioner-runner + name: kfp-external-provisioner-runner labels: app.kubernetes.io/name: "kubeflow" namespace: kubeflow 
@@ -195,35 +195,35 @@ roleRef: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-attacher-role + name: kfp-csi-attacher-role labels: app.kubernetes.io/name: "kubeflow" subjects: - kind: ServiceAccount - name: csi-attacher + name: kfp-csi-attacher # replace with non-default namespace name namespace: kubeflow roleRef: kind: ClusterRole - name: external-attacher-runner + name: kfp-external-attacher-runner apiGroup: rbac.authorization.k8s.io --- # Source: dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-provisioner-role + name: kfp-csi-provisioner-role labels: app.kubernetes.io/name: "kubeflow" namespace: kubeflow subjects: - kind: ServiceAccount - name: csi-provisioner + name: kfp-csi-provisioner # replace with non-default namespace name namespace: kubeflow roleRef: kind: ClusterRole - name: external-provisioner-runner + name: kfp-external-provisioner-runner apiGroup: rbac.authorization.k8s.io --- # Source: dlf-chart/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml @@ -234,7 +234,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: # replace with non-default namespace name namespace: kubeflow - name: external-attacher-cfg + name: kfp-external-attacher-cfg labels: app.kubernetes.io/name: "kubeflow" rules: @@ -250,7 +250,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: # replace with non-default namespace name namespace: kubeflow - name: external-provisioner-cfg + name: kfp-external-provisioner-cfg labels: app.kubernetes.io/name: "kubeflow" rules: 
@@ -282,38 +282,38 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-attacher-role-cfg + name: kfp-csi-attacher-role-cfg # replace with non-default namespace name namespace: kubeflow labels: app.kubernetes.io/name: "kubeflow" subjects: - kind: ServiceAccount - name: csi-attacher + name: kfp-csi-attacher # replace with non-default namespace name namespace: kubeflow roleRef: kind: Role - name: external-attacher-cfg + name: kfp-external-attacher-cfg apiGroup: rbac.authorization.k8s.io --- # Source: dlf-chart/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-provisioner-role-cfg + name: kfp-csi-provisioner-role-cfg # replace with non-default namespace name namespace: kubeflow labels: app.kubernetes.io/name: "kubeflow" subjects: - kind: ServiceAccount - name: csi-provisioner + name: kfp-csi-provisioner # replace with non-default namespace name namespace: kubeflow roleRef: kind: Role - name: external-provisioner-cfg + name: kfp-external-provisioner-cfg apiGroup: rbac.authorization.k8s.io --- # Source: dlf-chart/charts/csi-s3-chart/templates/attacher.yaml @@ -321,14 +321,14 @@ roleRef: kind: Service apiVersion: v1 metadata: - name: csi-attacher-s3 + name: kfp-csi-attacher-s3 namespace: kubeflow labels: - app: csi-attacher-s3 + app: kfp-csi-attacher-s3 app.kubernetes.io/name: "kubeflow" spec: selector: - app: csi-attacher-s3 + app: kfp-csi-attacher-s3 ports: - name: dummy port: 12345 @@ -337,14 +337,14 @@ spec: kind: Service apiVersion: v1 metadata: - name: csi-provisioner-s3 + name: kfp-csi-provisioner-s3 namespace: kubeflow labels: - app: csi-provisioner-s3 + app: kfp-csi-provisioner-s3 app.kubernetes.io/name: "kubeflow" spec: selector: - app: csi-provisioner-s3 + app: kfp-csi-provisioner-s3 ports: - name: dummy port: 12345 
@@ -370,7 +370,7 @@ spec: serviceAccountName: kfp-csi-s3 containers: - name: driver-registrar - image: "quay.io/k8scsi/csi-node-driver-registrar:v1.2.0" + image: "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.3.0" imagePullPolicy: Always args: - --v=5 @@ -380,7 +380,7 @@ spec: # This is necessary only for systems with SELinux, where # non-privileged sidecar containers cannot access unix domain socket # created by privileged CSI driver container. - privileged: true + privileged: false env: - name: KUBE_NODE_NAME valueFrom: @@ -393,7 +393,7 @@ spec: - mountPath: /registration name: registration-dir - name: kfp-csi-s3 - image: "quay.io/datashim/csi-s3:latest-amd64" + image: "quay.io/datashim-io/csi-s3:latest" imagePullPolicy: Always args: - "--v=5" @@ -441,26 +441,26 @@ spec: kind: StatefulSet apiVersion: apps/v1 metadata: - name: csi-attacher-s3 + name: kfp-csi-attacher-s3 namespace: kubeflow labels: app.kubernetes.io/name: "kubeflow" spec: - serviceName: "csi-attacher-s3" + serviceName: "kfp-csi-attacher-s3" replicas: 1 selector: matchLabels: - app: csi-attacher-s3 + app: kfp-csi-attacher-s3 template: metadata: labels: app.kubernetes.io/name: "kubeflow" - app: csi-attacher-s3 + app: kfp-csi-attacher-s3 spec: - serviceAccountName: csi-attacher + serviceAccountName: kfp-csi-attacher containers: - - name: csi-attacher - image: "quay.io/k8scsi/csi-attacher:v2.2.0" + - name: kfp-csi-attacher + image: "k8s.gcr.io/sig-storage/csi-attacher:v3.3.0" imagePullPolicy: Always args: - --v=5 
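Review bot: The new `image: "quay.io/datashim-io/csi-s3:latest"` in the `@@ -393` hunk keeps a floating `latest` tag together with `imagePullPolicy: Always`, so the driver binary can change on any pod restart with no manifest change, and the comment a few lines above describes this as the privileged CSI driver container, where a silent image swap is costliest. The sidecars in the same file were moved to explicit versions (`csi-node-driver-registrar:v2.3.0`, `csi-attacher:v3.3.0`, `csi-provisioner:v2.2.2`); do the same here with a release tag and digest, e.g. `image: "quay.io/datashim-io/csi-s3:<RELEASE-TAG>@sha256:<DIGEST>"` (placeholders). The `k8s.gcr.io` references introduced in the `@@ -370`, `@@ -441` and `@@ -483` hunks now redirect to `registry.k8s.io`; pointing at the new registry directly avoids a future pull failure.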
@@ -483,25 +483,25 @@ spec: kind: StatefulSet apiVersion: apps/v1 metadata: - name: csi-provisioner-s3 + name: kfp-csi-provisioner-s3 labels: app.kubernetes.io/name: "kubeflow" namespace: kubeflow spec: - serviceName: "csi-provisioner-s3" + serviceName: "kfp-csi-provisioner-s3" replicas: 1 selector: matchLabels: - app: csi-provisioner-s3 + app: kfp-csi-provisioner-s3 template: metadata: labels: - app: csi-provisioner-s3 + app: kfp-csi-provisioner-s3 spec: - serviceAccountName: csi-provisioner + serviceAccountName: kfp-csi-provisioner containers: - - name: csi-provisioner - image: "quay.io/k8scsi/csi-provisioner:v2.0.2" + - name: kfp-csi-provisioner + image: "k8s.gcr.io/sig-storage/csi-provisioner:v2.2.2" imagePullPolicy: Always args: - -v=5 diff --git a/apps/kfp-tekton/upstream/third-party/mysql/base/mysql-deployment.yaml b/apps/kfp-tekton/upstream/third-party/mysql/base/mysql-deployment.yaml index c7174d44b4..c56ba13105 100644 --- a/apps/kfp-tekton/upstream/third-party/mysql/base/mysql-deployment.yaml +++ b/apps/kfp-tekton/upstream/third-party/mysql/base/mysql-deployment.yaml @@ -26,7 +26,7 @@ spec: env: - name: MYSQL_ALLOW_EMPTY_PASSWORD value: "true" - image: gcr.io/ml-pipeline/mysql:5.7 + image: gcr.io/ml-pipeline/mysql:5.7-debian name: mysql ports: - containerPort: 3306 diff --git a/apps/kfp-tekton/upstream/third-party/tekton-custom-task/kustomization.yaml b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/kustomization.yaml index a3bd083211..f06fd11297 100644 --- a/apps/kfp-tekton/upstream/third-party/tekton-custom-task/kustomization.yaml +++ b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/kustomization.yaml @@ -8,6 +8,6 @@ namespace: tekton-pipelines images: - name: docker.io/aipipeline/pipelineloop-controller - newTag: 1.2.1 + newTag: 1.5.1 - name: docker.io/aipipeline/pipelineloop-webhook - newTag: 1.2.1 + newTag: 1.5.1 
diff --git a/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/204-cache-config.yaml b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/204-cache-config.yaml
new file mode 100644
index 0000000000..b64ca72f3f
--- /dev/null
+++ b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/204-cache-config.yaml
@@ -0,0 +1,33 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cache-config
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines-loops
+data:
+ disabled: "true"
+ driver: "mysql"
+ host: "mysql.kubeflow.svc.cluster.local"
+ port: "3306"
+ dbName: "cachedb"
+ user: "root"
+ password: ""
+ timeout: "6m"
+ extraParams: ""
+ mysqlDBGroupConcatMaxLen: "4194304"
diff --git a/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/301-breaktask.yaml b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/301-breaktask.yaml
new file mode 100644
index 0000000000..4efdfe4ce3
--- /dev/null
+++ b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/301-breaktask.yaml
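Review bot: `user: "root"` and `password: ""` in the new `cache-config` ConfigMap put database credentials in a non-secret object readable by anything with ConfigMap access in `tekton-pipelines`; `disabled: "true"` limits the immediate impact, but the root/empty-password shape is copied into every cluster that applies this base and is one flag flip from being live. Move `user` and `password` into a Secret referenced by the controller, or at minimum document the expectation next to `disabled`: `# enabling the cache requires a dedicated DB user; replace root/empty password before setting disabled to "false"`. This is a vendored upstream file, so the change may belong in a kustomize overlay rather than an in-place edit.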
@@ -0,0 +1,51 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: breaktasks.custom.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipeline-loops + pipeline.tekton.dev/release: "devel" + version: "devel" +spec: + group: custom.tekton.dev + versions: + - name: v1alpha1 + served: true + storage: true + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + names: + kind: BreakTask + plural: breaktasks + categories: + - tekton + - tekton-pipelines + scope: Namespaced diff --git a/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml index 9b71b96479..4b4ee86391 100644 
--- a/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml
+++ b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml
@@ -54,3 +54,13 @@ spec:
 value: config-observability
 - name: METRICS_DOMAIN
 value: tekton.dev/pipeline
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
index 08b5728f93..a75b88c43d 100644
--- a/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
+++ b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
@@ -64,6 +64,16 @@ spec:
 containerPort: 8008
 - name: https-webhook
 containerPort: 8443
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
 ---
 apiVersion: v1
 kind: Service
diff --git a/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/kustomization.yaml b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/kustomization.yaml
index 0490fc690e..f888cfc5e0 100644
--- a/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/kustomization.yaml
+++ b/apps/kfp-tekton/upstream/third-party/tekton-custom-task/pipeline-loops/kustomization.yaml
@@ -8,7 +8,9 @@ resources:
 - 201-rolebinding.yaml
 - 202-clusterrolebinding.yaml
 - 203-object-store-config.yaml
+ - 204-cache-config.yaml
 - 300-pipelineloop.yaml
+ - 301-breaktask.yaml
 - 500-controller.yaml
 - 500-webhook-configuration.yaml
 - 500-webhook.yaml
diff --git a/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml index c5d4b3dac0..d8421b12b3 100644 --- a/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml +++ b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml @@ -97,7 +97,6 @@ rules: - tekton.dev resources: - clustertasks - - clustertasks/status verbs: - get - list @@ -132,7 +131,6 @@ rules: - tekton.dev resources: - clustertasks - - clustertasks/status verbs: - create - update @@ -185,13 +183,7 @@ rules: - pipelines - pipelineruns - pipelineresources - - conditions - - tasks/status - - taskruns/status - - pipelines/status - - pipelineruns/status - - taskruns/finalizers - - pipelineruns/finalizers + - runs verbs: - get - list @@ -215,13 +207,7 @@ rules: - pipelines - pipelineruns - pipelineresources - - conditions - - taskruns/finalizers - - pipelineruns/finalizers - - tasks/status - - taskruns/status - - pipelines/status - - pipelineruns/status + - runs verbs: - create - update @@ -264,6 +250,7 @@ metadata: app.kubernetes.io/component: dashboard app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-dashboard + rbac.dashboard.tekton.dev/subject: tekton-dashboard name: tekton-dashboard-backend roleRef: apiGroup: rbac.authorization.k8s.io @@ -276,7 +263,7 @@ subjects: --- apiVersion: v1 data: - version: v0.24.1 + version: v0.30.0 kind: ConfigMap metadata: labels: 
@@ -294,9 +281,9 @@ metadata: app.kubernetes.io/instance: default app.kubernetes.io/name: dashboard app.kubernetes.io/part-of: tekton-dashboard - app.kubernetes.io/version: v0.24.1 - dashboard.tekton.dev/release: v0.24.1 - version: v0.24.1 + app.kubernetes.io/version: v0.30.0 + dashboard.tekton.dev/release: v0.30.0 + version: v0.30.0 name: tekton-dashboard namespace: tekton-pipelines spec: @@ -320,9 +307,9 @@ metadata: app.kubernetes.io/instance: default app.kubernetes.io/name: dashboard app.kubernetes.io/part-of: tekton-dashboard - app.kubernetes.io/version: v0.24.1 - dashboard.tekton.dev/release: v0.24.1 - version: v0.24.1 + app.kubernetes.io/version: v0.30.0 + dashboard.tekton.dev/release: v0.30.0 + version: v0.30.0 name: tekton-dashboard namespace: tekton-pipelines spec: @@ -341,7 +328,7 @@ spec: app.kubernetes.io/instance: default app.kubernetes.io/name: dashboard app.kubernetes.io/part-of: tekton-dashboard - app.kubernetes.io/version: v0.24.1 + app.kubernetes.io/version: v0.30.0 name: tekton-dashboard spec: containers: @@ -361,7 +348,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard:v0.24.1@sha256:fe4febbb74ca3e7027c29719e32e38074b3af6be588ee08cca5826f21fa003a1 + image: gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard:v0.30.0@sha256:85f7d38086fadb07556052ce873d44861c29ef690f47735f32d7e6a153ca8a92 livenessProbe: httpGet: path: /health @@ -373,11 +360,18 @@ spec: httpGet: path: /readiness port: 9097 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux - securityContext: - runAsNonRoot: true - runAsUser: 65532 serviceAccountName: tekton-dashboard volumes: [] 
@@ -390,6 +384,7 @@ metadata: app.kubernetes.io/component: dashboard app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-dashboard + rbac.dashboard.tekton.dev/subject: tekton-dashboard name: tekton-dashboard-tenant roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/kustomization.yaml b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/kustomization.yaml index 666bc3dd58..62fd8a48b7 100644 --- a/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/kustomization.yaml +++ b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/kustomization.yaml @@ -4,6 +4,15 @@ resources: - tekton-release.yaml patchesStrategicMerge: - tekton-config.yaml +- tekton-default.yaml +patchesJson6902: +- target: + group: apps + version: v1 + kind: Deployment + name: tekton-pipelines-controller + namespace: tekton-pipelines + path: tekton-controller.yaml images: - name: $(registry)/$(controller) newName: $(registry)/$(controller) diff --git a/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-config.yaml b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-config.yaml index 856d2d6cf0..8ec837133b 100644 --- a/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-config.yaml +++ b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-config.yaml @@ -8,4 +8,4 @@ metadata: app.kubernetes.io/part-of: tekton-pipelines data: enable-custom-tasks: "true" - enable-api-fields: "alpha" + embedded-status: "full" 
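Review bot: Dropping `enable-api-fields: "alpha"` from the tekton-config.yaml patch is a behaviour change the hunk does not explain: the feature-flags ConfigMap falls back to its shipped value `enable-api-fields: "stable"`, so any kfp-tekton pipeline that used alpha-gated fields would presumably now fail validation. If reverting to stable is intentional (it does shrink the enabled API surface), a comment above `embedded-status: "full"` such as `# alpha API fields are intentionally no longer enabled; stable is the default` records that decision; if it is not, the key should be kept alongside the new one. The ConfigMap's metadata starts outside the hunk.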
diff --git a/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-controller.yaml b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-controller.yaml
new file mode 100644
index 0000000000..ddd4b74a1b
--- /dev/null
+++ b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-controller.yaml
@@ -0,0 +1,18 @@
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "4"
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "-threads-per-controller"
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "50"
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "-kube-api-burst"
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "50"
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "-kube-api-qps"
diff --git a/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-default.yaml b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-default.yaml
new file mode 100644
index 0000000000..8755f6e023
--- /dev/null
+++ b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-default.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-defaults
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ default-timeout-minutes: "0"
\ No newline at end of file
diff --git a/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-release.yaml b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-release.yaml
index 55a99f2487..8b52001591 100644
--- a/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-release.yaml
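Review bot: All six `op: add` entries in the new tekton-controller.yaml insert at `/spec/template/spec/containers/0/args/0`, so they are applied in reverse and the file reads backwards from the resulting command line (`-kube-api-qps 50 -kube-api-burst 50 -threads-per-controller 4`); a reader is likely to pair `"4"` with the wrong flag. A leading comment such as `# Each op inserts at args/0, so entries are listed last-to-first; resulting prefix: -kube-api-qps 50 -kube-api-burst 50 -threads-per-controller 4` would make this explicit, or the path `/spec/template/spec/containers/0/args/-` would append and allow natural order. It is also worth recording why the controller's API-client budget and worker count are raised to these values, since a higher QPS/burst is what lets a misbehaving reconcile loop put pressure on the API server.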
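Review bot: `default-timeout-minutes: "0"` in the new config-defaults patch disables the default timeout, so a TaskRun or PipelineRun that omits its own `timeout` runs until it finishes or is deleted, and a hung step keeps its pod and any workspace PVC allocated until an operator intervenes. If unbounded runs are required here, a comment such as `# Disables the default timeout: KFP runs have no fixed upper bound; callers set per-run timeouts` records the reason for the next reader; otherwise a large finite value keeps the backstop. The file also lacks a trailing newline (`\ No newline at end of file`).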
+++ b/apps/kfp-tekton/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-release.yaml @@ -19,56 +19,10 @@ metadata: labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines + pod-security.kubernetes.io/enforce: restricted --- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -spec: - privileged: false - allowPrivilegeEscalation: false - volumes: - - 'emptyDir' - - 'configMap' - - 'secret' - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'MustRunAsNonRoot' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - ---- -# Copyright 2020 The Tekton Authors +# Copyright 2020-2022 The Tekton Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
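Review bot: With the PodSecurityPolicy and its `use` grants gone, the namespace now relies solely on `pod-security.kubernetes.io/enforce: restricted`, but no `pod-security.kubernetes.io/enforce-version` is set, so the admission plugin evaluates against `latest` and a future cluster upgrade can start rejecting the controller and webhook pods without any manifest change. Pinning the version the CI cluster is tested against, e.g. `pod-security.kubernetes.io/enforce-version: v1.<tested-minor>`, turns that into an explicit step when the tested Kubernetes version is bumped. The namespace object begins outside the hunk, and the same label may be wanted on any other namespace these manifests create.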
@@ -98,7 +52,7 @@ rules: # Controller needs cluster access to all of the CRDs that it is responsible for # managing. - apiGroups: ["tekton.dev"] - resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "conditions", "runs"] + resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "runs"] verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - apiGroups: ["tekton.dev"] resources: ["taskruns/finalizers", "pipelineruns/finalizers", "runs/finalizers"] @@ -106,6 +60,10 @@ rules: - apiGroups: ["tekton.dev"] resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status"] verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + # resolution.tekton.dev + - apiGroups: ["resolution.tekton.dev"] + resources: ["resolutionrequests", "resolutionrequests/status"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -117,10 +75,14 @@ metadata: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines rules: - # Read-write access to create Pods, K8s Events and PVCs (for Workspaces) + # Read-write access to create Pods and PVCs (for Workspaces) - apiGroups: [""] - resources: ["pods", "pods/log", "events", "persistentvolumeclaims"] + resources: ["pods", "persistentvolumeclaims"] verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + # Write permissions to publish events. + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] # Read-only access to these. - apiGroups: [""] resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"] 
@@ -139,11 +101,24 @@ metadata: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines rules: - # The webhook needs to be able to list and update customresourcedefinitions, + # The webhook needs to be able to get and update customresourcedefinitions, # mainly to update the webhook certificates. - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions", "customresourcedefinitions/status"] - verbs: ["get", "list", "update", "patch", "watch"] + verbs: ["get", "update", "patch"] + resourceNames: + - pipelines.tekton.dev + - pipelineruns.tekton.dev + - runs.tekton.dev + - tasks.tekton.dev + - clustertasks.tekton.dev + - taskruns.tekton.dev + - pipelineresources.tekton.dev + - resolutionrequests.resolution.tekton.dev + # knative.dev/pkg needs list/watch permissions to set up informers for the webhook. + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["list", "watch"] - apiGroups: ["admissionregistration.k8s.io"] # The webhook performs a reconciliation on these two resources and continuously # updates configuration. @@ -166,10 +141,6 @@ rules: # When there are changes to the configs or secrets, knative updates the validatingwebhook config # with the updated certificates or the refreshed set of rules. verbs: ["get", "update", "delete"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines"] - verbs: ["use"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get"] @@ -216,10 +187,6 @@ rules: resources: ["configmaps"] verbs: ["get"] resourceNames: ["config-logging", "config-observability", "config-artifact-bucket", "config-artifact-pvc", "feature-flags", "config-leader-election", "config-registry-cert"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines"] - verbs: ["use"] --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 
@@ -249,10 +216,6 @@ rules: resources: ["secrets"] verbs: ["get", "update"] resourceNames: ["webhook-certs"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines"] - verbs: ["use"] --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 @@ -518,30 +481,12 @@ metadata: labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" - version: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" + version: "v0.41.0" spec: group: tekton.dev preserveUnknownFields: false versions: - - name: v1alpha1 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - name: v1beta1 served: true storage: true @@ -563,6 +508,7 @@ spec: names: kind: ClusterTask plural: clustertasks + singular: clustertask categories: - tekton - tekton-pipelines @@ -594,18 +540,21 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: conditions.tekton.dev + name: pipelines.tekton.dev labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" - version: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" + version: "v0.41.0" spec: group: tekton.dev + preserveUnknownFields: false versions: - - name: v1alpha1 + - name: v1beta1 served: true storage: true + subresources: + status: {} schema: openAPIV3Schema: type: object 
@@ -617,17 +566,40 @@ spec: # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ # See issue: https://github.com/knative/serving/issues/912 x-kubernetes-preserve-unknown-fields: true + - name: v1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + # OpenAPIV3 schema allows Kubernetes to perform validation on the schema fields + # and use the schema in tooling such as `kubectl explain`. + # Using "x-kubernetes-preserve-unknown-fields: true" + # at the root of the schema (or within it) allows arbitrary fields. + # We currently perform our own validation separately. + # See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema + # for more info. + x-kubernetes-preserve-unknown-fields: true # Opt into the status subresource so metadata.generation # starts to increment subresources: status: {} names: - kind: Condition - plural: conditions + kind: Pipeline + plural: pipelines + singular: pipeline categories: - tekton - tekton-pipelines scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1beta1", "v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines --- # Copyright 2019 The Tekton Authors @@ -647,23 +619,19 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: pipelines.tekton.dev + name: pipelineruns.tekton.dev labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" - version: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" + version: "v0.41.0" spec: group: tekton.dev preserveUnknownFields: false versions: - - name: v1alpha1 + - name: v1beta1 served: true - storage: false - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} + storage: true schema: openAPIV3Schema: type: object 
@@ -675,13 +643,26 @@ spec: # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ # See issue: https://github.com/knative/serving/issues/912 x-kubernetes-preserve-unknown-fields: true - - name: v1beta1 - served: true - storage: true + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime # Opt into the status subresource so metadata.generation # starts to increment subresources: status: {} + - name: v1 + served: false + storage: false schema: openAPIV3Schema: type: object 
@@ -693,24 +674,45 @@ spec: # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ # See issue: https://github.com/knative/serving/issues/912 x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} names: - kind: Pipeline - plural: pipelines + kind: PipelineRun + plural: pipelineruns + singular: pipelinerun categories: - tekton - tekton-pipelines + shortNames: + - pr + - prs scope: Namespaced conversion: strategy: Webhook webhook: - conversionReviewVersions: ["v1beta1"] + conversionReviewVersions: ["v1beta1", "v1"] clientConfig: service: name: tekton-pipelines-webhook namespace: tekton-pipelines --- -# Copyright 2019 The Tekton Authors +# Copyright 2022 The Tekton Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -727,19 +729,29 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: pipelineruns.tekton.dev + name: resolutionrequests.resolution.tekton.dev labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" - version: "v0.31.4" + resolution.tekton.dev/release: devel spec: - group: tekton.dev - preserveUnknownFields: false + group: resolution.tekton.dev + scope: Namespaced + names: + kind: ResolutionRequest + plural: resolutionrequests + singular: resolutionrequest + categories: + - tekton + - tekton-pipelines + shortNames: + - resolutionrequest + - resolutionrequests versions: - name: v1alpha1 served: true + deprecated: true storage: false + subresources: + status: {} schema: openAPIV3Schema: type: object @@ -754,23 +766,15 @@ spec: additionalPrinterColumns: - name: Succeeded type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + jsonPath: ".status.conditions[?(@.type=='Succeeded')].status" - name: Reason type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" - - name: StartTime - type: date - jsonPath: .status.startTime - - name: CompletionTime - type: date - jsonPath: .status.completionTime - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} + jsonPath: ".status.conditions[?(@.type=='Succeeded')].reason" - name: v1beta1 served: true storage: true + subresources: + status: {} schema: openAPIV3Schema: type: object 
@@ -783,40 +787,24 @@ spec: # See issue: https://github.com/knative/serving/issues/912 x-kubernetes-preserve-unknown-fields: true additionalPrinterColumns: + - name: OwnerKind + type: string + jsonPath: ".metadata.ownerReferences[0].kind" + - name: Owner + type: string + jsonPath: ".metadata.ownerReferences[0].name" - name: Succeeded type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + jsonPath: ".status.conditions[?(@.type=='Succeeded')].status" - name: Reason type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + jsonPath: ".status.conditions[?(@.type=='Succeeded')].reason" - name: StartTime - type: date - jsonPath: .status.startTime - - name: CompletionTime - type: date - jsonPath: .status.completionTime - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - names: - kind: PipelineRun - plural: pipelineruns - categories: - - tekton - - tekton-pipelines - shortNames: - - pr - - prs - scope: Namespaced - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines + type: string + jsonPath: .metadata.creationTimestamp + - name: EndTime + type: string + jsonPath: .status.conditions[?(@.type=='Succeeded')].lastTransitionTime --- # Copyright 2019 The Tekton Authors @@ -840,8 +828,8 @@ metadata: labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" - version: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" + version: "v0.41.0" spec: group: tekton.dev versions: @@ -866,6 +854,7 @@ spec: names: kind: PipelineResource plural: pipelineresources + singular: pipelineresource categories: - tekton - tekton-pipelines 
@@ -893,8 +882,8 @@ metadata: labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" - version: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" + version: "v0.41.0" spec: group: tekton.dev preserveUnknownFields: false @@ -933,6 +922,7 @@ spec: names: kind: Run plural: runs + singular: run categories: - tekton - tekton-pipelines @@ -960,15 +950,15 @@ metadata: labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" - version: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" + version: "v0.41.0" spec: group: tekton.dev preserveUnknownFields: false versions: - - name: v1alpha1 + - name: v1beta1 served: true - storage: false + storage: true schema: openAPIV3Schema: type: object 
@@ -984,19 +974,20 @@ spec: # starts to increment subresources: status: {} - - name: v1beta1 - served: true - storage: true + - name: v1 + served: false + storage: false schema: openAPIV3Schema: type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 + # TODO(#1461): Add OpenAPIV3 schema + # OpenAPIV3 schema allows Kubernetes to perform validation on the schema fields + # and use the schema in tooling such as `kubectl explain`. + # Using "x-kubernetes-preserve-unknown-fields: true" + # at the root of the schema (or within it) allows arbitrary fields. + # We currently perform our own validation separately. + # See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema + # for more info. x-kubernetes-preserve-unknown-fields: true # Opt into the status subresource so metadata.generation # starts to increment @@ -1005,6 +996,7 @@ spec: names: kind: Task plural: tasks + singular: task categories: - tekton - tekton-pipelines @@ -1012,7 +1004,7 @@ spec: conversion: strategy: Webhook webhook: - conversionReviewVersions: ["v1beta1"] + conversionReviewVersions: ["v1beta1", "v1"] clientConfig: service: name: tekton-pipelines-webhook @@ -1040,15 +1032,15 @@ metadata: labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" - version: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" + version: "v0.41.0" spec: group: tekton.dev preserveUnknownFields: false versions: - - name: v1alpha1 + - name: v1beta1 served: true - storage: false + storage: true schema: openAPIV3Schema: type: object 
@@ -1077,9 +1069,9 @@ spec: # starts to increment subresources: status: {} - - name: v1beta1 - served: true - storage: true + - name: v1 + served: false + storage: false schema: openAPIV3Schema: type: object @@ -1111,6 +1103,7 @@ spec: names: kind: TaskRun plural: taskruns + singular: taskrun categories: - tekton - tekton-pipelines @@ -1121,7 +1114,7 @@ spec: conversion: strategy: Webhook webhook: - conversionReviewVersions: ["v1beta1"] + conversionReviewVersions: ["v1beta1", "v1"] clientConfig: service: name: tekton-pipelines-webhook @@ -1151,7 +1144,7 @@ metadata: app.kubernetes.io/component: webhook app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" # The data is populated at install time. --- apiVersion: admissionregistration.k8s.io/v1 @@ -1162,7 +1155,7 @@ metadata: app.kubernetes.io/component: webhook app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" webhooks: - admissionReviewVersions: ["v1"] clientConfig: @@ -1181,7 +1174,7 @@ metadata: app.kubernetes.io/component: webhook app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" webhooks: - admissionReviewVersions: ["v1"] clientConfig: @@ -1200,7 +1193,7 @@ metadata: app.kubernetes.io/component: webhook app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" webhooks: - admissionReviewVersions: ["v1"] clientConfig: 
@@ -1215,7 +1208,7 @@ webhooks: app.kubernetes.io/part-of: tekton-pipelines --- -# Copyright 2019 The Tekton Authors +# Copyright 2019-2022 The Tekton Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -1247,7 +1240,7 @@ rules: - pipelines - pipelineruns - pipelineresources - - conditions + - runs verbs: - create - delete @@ -1259,7 +1252,7 @@ rules: - watch --- -# Copyright 2019 The Tekton Authors +# Copyright 2019-2022 The Tekton Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -1290,7 +1283,7 @@ rules: - pipelines - pipelineruns - pipelineresources - - conditions + - runs verbs: - get - list @@ -1415,11 +1408,17 @@ data: # label, the user's request supercedes. default-managed-by-label-value: "tekton-pipelines" - # default-pod-template contains the default pod template to use - # TaskRun and PipelineRun, if none is specified. If a pod template - # is specified, the default pod template is ignored. + # default-pod-template contains the default pod template to use for + # TaskRun and PipelineRun. If a pod template is specified on the + # PipelineRun, the default-pod-template is merged with that one. # default-pod-template: + # default-affinity-assistant-pod-template contains the default pod template + # to use for affinity assistant pods. If a pod template is specified on the + # PipelineRun, the default-affinity-assistant-pod-template is merged with + # that one. + # default-affinity-assistant-pod-template: + # default-cloud-events-sink contains the default CloudEvents sink to be # used for TaskRun and PipelineRun, when no sink is specified. # Note that right now it is still not possible to set a PipelineRun or 
@@ -1433,6 +1432,10 @@ data: # default-task-run-workspace-binding: | # emptyDir: {} + # default-max-matrix-combinations-count contains the default maximum number + # of combinations from a Matrix, if none is specified. + default-max-matrix-combinations-count: "256" + --- # Copyright 2019 The Tekton Authors # @@ -1466,18 +1469,6 @@ data: # https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#affinity-assistant-and-specifying-workspace-order-in-a-pipeline # or https://github.com/tektoncd/pipeline/pull/2630 for more info. disable-affinity-assistant: "false" - # Setting this flag to "false" will allow Tekton to override your - # Task container's $HOME environment variable. - # - # See https://github.com/tektoncd/pipeline/issues/2013 for more - # info. - disable-home-env-overwrite: "true" - # Setting this flag to "false" will allow Tekton to override your - # Task container's working directory. - # - # See https://github.com/tektoncd/pipeline/issues/1836 for more - # info. - disable-working-directory-overwrite: "true" # Setting this flag to "true" will prevent Tekton scanning attached # service accounts and injecting any credentials it finds into your # Steps. @@ -1492,6 +1483,14 @@ data: # See https://github.com/tektoncd/pipeline/issues/2791 for more # info. disable-creds-init: "false" + # Setting this flag to "false" will stop Tekton from waiting for a + # TaskRun's sidecar containers to be running before starting the first + # step. This will allow Tasks to be run in environments that don't + # support the DownwardAPI volume type, but may lead to unintended + # behaviour if sidecars are used. + # + # See https://github.com/tektoncd/pipeline/issues/4937 for more info. + await-sidecar-readiness: "true" # This option should be set to false when Pipelines is running in a # cluster that does not use injected sidecars such as Istio. Setting # it to false should decrease the time it takes for a TaskRun to start 
@@ -1516,11 +1515,11 @@ data: # an alpha feature. enable-custom-tasks: "false" # Setting this flag will determine which gated features are enabled. - # Acceptable values are "stable" or "alpha". + # Acceptable values are "stable", "beta", or "alpha". enable-api-fields: "stable" - # Setting this flag to "true" scopes when expressions to guard a Task only - # instead of a Task and its dependent Tasks. - scope-when-expressions-to-task: "false" + # Setting this flag to "true" enables CloudEvents for Runs, as long as a + # CloudEvents sink is configured in the config-defaults config map + send-cloudevents-for-runs: "false" --- # Copyright 2021 The Tekton Authors @@ -1551,7 +1550,7 @@ data: # this ConfigMap such that even if we don't have access to # other resources in the namespace we still can have access to # this ConfigMap. - version: "v0.31.4" + version: "v0.41.0" --- # Copyright 2020 Tekton Authors LLC 
@@ -1577,10 +1576,35 @@ metadata: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines data: - # An inactive but valid configuration follows; see example. - leaseDuration: "15s" - renewDeadline: "10s" - retryPeriod: "2s" + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. + buckets: "1" --- # Copyright 2019 Tekton Authors LLC @@ -1606,7 +1630,6 @@ metadata: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines data: - # Common configuration for all knative codebase zap-logger-config: | { "level": "info", 
@@ -1619,11 +1642,11 @@ data: "errorOutputPaths": ["stderr"], "encoding": "json", "encoderConfig": { - "timeKey": "ts", - "levelKey": "level", + "timeKey": "timestamp", + "levelKey": "severity", "nameKey": "logger", "callerKey": "caller", - "messageKey": "msg", + "messageKey": "message", "stacktraceKey": "stacktrace", "lineEnding": "", "levelEncoder": "", @@ -1693,9 +1716,9 @@ data: # charge. If metrics.backend-destination is not Stackdriver, this is # ignored. metrics.allow-stackdriver-custom-metrics: "false" - metrics.taskrun.level: "taskrun" + metrics.taskrun.level: "task" metrics.taskrun.duration-type: "histogram" - metrics.pipelinerun.level: "pipelinerun" + metrics.pipelinerun.level: "pipeline" metrics.pipelinerun.duration-type: "histogram" --- @@ -1749,12 +1772,12 @@ metadata: app.kubernetes.io/name: controller app.kubernetes.io/component: controller app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.31.4" + app.kubernetes.io/version: "v0.41.0" app.kubernetes.io/part-of: tekton-pipelines # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" # labels below are related to istio and should not be used for resource lookup - version: "v0.31.4" + version: "v0.41.0" spec: replicas: 1 selector: @@ -1769,13 +1792,13 @@ spec: app.kubernetes.io/name: controller app.kubernetes.io/component: controller app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.31.4" + app.kubernetes.io/version: "v0.41.0" app.kubernetes.io/part-of: tekton-pipelines # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" # labels below are related to istio and should not be used for resource lookup app: tekton-pipelines-controller - version: "v0.31.4" + version: "v0.41.0" spec: affinity: nodeAffinity: 
@@ -1789,17 +1812,17 @@ spec: serviceAccountName: tekton-pipelines-controller containers: - name: tekton-pipelines-controller - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.31.4@sha256:bd9dc22532c8e1bd9b253775734c0b2464d62065b39d6b552d3c52bb6d33e20f + image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.41.0@sha256:556953d6367b28504b7ad32f58a50b3e3609f60aaddfca3aad217e93465551e7 args: [ # These images are built on-demand by `ko resolve` and are replaced # by image references by digest. - "-kubeconfig-writer-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.31.4@sha256:5182c126e793399a24a08caecc646c823d22fafb0df718409fb7595d623e1003", "-git-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.31.4@sha256:7912a676c596fd72c1510da443c59900e0738b33824cb467c40cc5dd554f1682", "-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.31.4@sha256:8ffaa8e1cd3b6dc917f4ad578c29d33d5a1b7e6f4220ad1e7bfd5cfdf67aac95", "-nop-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.31.4@sha256:9fe4a289b5d1e728462c244926d76b337c916df71b683c0ff04263abb62c6e32", "-imagedigest-exporter-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.31.4@sha256:6f61182ba273e66d8bd2a817c5cfe5c9702bee0e1660a6c7d98830dcf3a25936", "-pr-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.31.4@sha256:9e7cc9d725cc33849def805b4b6cb1a9fc7ddbd3e485ef1a9eea84193214e4bc", + "-kubeconfig-writer-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.41.0@sha256:4beb725e4c210397c67737e551cf18e1ef716294d566b7927e2bfcc22639a42c", "-git-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.41.0@sha256:249081d967c05371fecf9c6ed423fa9cafbfcb2a206c5d5df5d5249859458160", "-entrypoint-image", 
"gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.41.0@sha256:8dfef3faaa3367221300c783a85e04e59528f07d06b10da707bf827726347e01", "-nop-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.41.0@sha256:0172171680b81f3c559b8b94e7336f16d3bca59b0af75fdb122770f7b63452a2", "-imagedigest-exporter-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.41.0@sha256:a26e65e04e6358b1c885d25e8cafd795eb3ea17113fabd32fb7a7f731d754c16", "-pr-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.41.0@sha256:34103fa8d2b08ec094b8a415a52d268d53505ca8ca4b7933457e26db3973be4d", "-workingdirinit-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/workingdirinit:v0.41.0@sha256:6b4ef00488a962ce152f50a1c6760b1bc95878d3b95ffa3a82e1a36f6c34362f", # This is gcr.io/google.com/cloudsdktool/cloud-sdk:302.0.0-slim "-gsutil-image", "gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f", - # The shell image must be root in order to create directories and copy files to PVCs. - # gcr.io/distroless/base:debug as of October 21, 2021 + # The shell image must allow root in order to create directories and copy files to PVCs. + # cgr.dev/chainguard/busybox as of April 14 2022 # image shall not contains tag, so it will be supported on a runtime like cri-o - "-shell-image", "gcr.io/distroless/base@sha256:cfdc553400d41b47fd231b028403469811fcdbc0e69d66ea8030c5a0b5fbac2b", + "-shell-image", "cgr.dev/chainguard/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791", # for script mode to work with windows we need a powershell image # pinning to nanoserver tag as of July 15 2021 "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6"] 
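Review bot: The `-shell-image` change in `@@ -1789,17 +1812,17 @@` introduces a second third-party registry, `cgr.dev`, next to `gcr.io` and `mcr.microsoft.com`, so clusters that restrict pull sources by admission policy, registry allowlist or a pull-through mirror will need `cgr.dev` added before the controller can start any TaskRun that relies on the shell image. Every image reference in the new args, including the newly added `-workingdirinit-image`, stays pinned by digest, so the supply-chain posture of the deployment is unchanged. A short comment at the top of the args block, e.g. `# v0.41.0 adds cgr.dev as an image source; add it to registry allowlists and mirrors`, would save deployers a failed pull that only shows up at TaskRun time. The container spec that holds this args block continues past the end of the hunk.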
@@ -1813,16 +1836,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - # These phony AWS credentials are here to work around a bug in the aws go sdk - # that causes extremely long delays in the execution of tasks after the initial - # deployment of the Tekton Pipelines controller. See issue https://github.com/tektoncd/pipeline/issues/4087 - # for more information. - - name: AWS_ACCESS_KEY_ID - value: foobarbaz - - name: AWS_SECRET_ACCESS_KEY - value: foobarbaz - - name: AWS_DEFAULT_REGION - value: foobarbaz # If you are changing these names, you will also need to update # the controller's Role in 200-role.yaml to include the new # values in the "configmaps" "get" rule. @@ -1850,10 +1863,13 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - all - # User 65532 is the distroless nonroot user ID + - "ALL" + # User 65532 is the nonroot user ID runAsUser: 65532 runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 @@ -1892,13 +1908,13 @@ metadata: app.kubernetes.io/name: controller app.kubernetes.io/component: controller app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.31.4" + app.kubernetes.io/version: "v0.41.0" app.kubernetes.io/part-of: tekton-pipelines # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" # labels below are related to istio and should not be used for resource lookup app: tekton-pipelines-controller - version: "v0.31.4" + version: "v0.41.0" name: tekton-pipelines-controller namespace: tekton-pipelines spec: 
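Review bot: The hardened securityContext in `@@ -1850,10 +1863,13 @@` adds `runAsNonRoot: true` and the `RuntimeDefault` seccomp profile but, unlike the resolvers container added later in this patch, does not set `readOnlyRootFilesystem: true`; unless the controller writes to its own filesystem at runtime (nothing in the diff suggests it does, but that cannot be confirmed from here), adding that one line brings all three deployments to the same baseline. The webhook securityContext in `@@ -2076,10 +2767,13 @@` has the same gap, so the same line applies there. The removal of the placeholder `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` environment variables in `@@ -1813,16 +1836,6 @@` is a welcome cleanup, since credential-shaped fixed values in a Deployment spec trip secret scanners and invite copy-paste mistakes. The `securityContext:` key itself sits before the first context line of the hunk.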
@@ -1919,13 +1935,13 @@ spec: app.kubernetes.io/part-of: tekton-pipelines --- -# Copyright 2020 The Tekton Authors +# Copyright 2022 The Tekton Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# https://www.apache.org/licenses/LICENSE-2.0 +# http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, @@ -1933,36 +1949,18 @@ spec: # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler +apiVersion: v1 +kind: Namespace metadata: - name: tekton-pipelines-webhook - namespace: tekton-pipelines + name: tekton-pipelines-resolvers labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook + app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.31.4" app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.31.4" - # labels below are related to istio and should not be used for resource lookup - version: "v0.31.4" -spec: - minReplicas: 1 - maxReplicas: 5 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: tekton-pipelines-webhook - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 100 + pod-security.kubernetes.io/enforce: restricted --- -# Copyright 2020 The Tekton Authors +# Copyright 2022 The Tekton Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
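Review bot: The new `tekton-pipelines-resolvers` Namespace in `@@ -1933,36 +1949,18 @@` sets `pod-security.kubernetes.io/enforce: restricted` without a companion `pod-security.kubernetes.io/enforce-version`, so admission evaluates the latest restricted profile of whichever Kubernetes version the cluster runs, and a later cluster upgrade can start rejecting the resolvers pod without any change to this manifest. Pinning the profile, e.g. `pod-security.kubernetes.io/enforce-version: v1.25`, turns that tightening into an explicit, reviewable step. Whether the existing `tekton-pipelines` namespace receives the same label is outside this hunk, so it is not visible here whether the controller and webhook hardening elsewhere in the patch is actually enforced by admission. The webhook HorizontalPodAutoscaler removed here is re-added under `autoscaling/v2` in the following hunk, so that deletion is a move rather than a loss.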
@@ -1976,8 +1974,702 @@ spec: # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: apps/v1 -kind: Deployment +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # ClusterRole for resolvers to monitor and update resolutionrequests. + name: tekton-pipelines-resolvers-resolution-request-updates + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: ["resolution.tekton.dev"] + resources: ["resolutionrequests", "resolutionrequests/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["tekton.dev"] + resources: ["tasks", "pipelines"] + verbs: ["get", "list"] + # Read-only access to these. + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-resolvers-namespace-rbac + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + # Needed to watch and load configuration and secret data. 
+ - apiGroups: [""] + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "update", "watch"] + # This is needed by leader election to run the controller in HA. + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-pipelines-resolvers + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-resolvers + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-resolvers + namespace: tekton-pipelines-resolvers +roleRef: + kind: ClusterRole + name: tekton-pipelines-resolvers-resolution-request-updates + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-resolvers-namespace-rbac + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-resolvers + namespace: tekton-pipelines-resolvers +roleRef: + kind: Role + name: tekton-pipelines-resolvers-namespace-rbac + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: bundleresolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # the default service account name to use for bundle requests. + default-service-account: "default" + # The default layer kind in the bundle image. + default-kind: "task" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: cluster-resolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # The default kind to fetch. + default-kind: "task" + # The default namespace to look for resources in. + default-namespace: "" + # An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed. 
+ allowed-namespaces: "" + # An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed. + blocked-namespaces: "" + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: resolvers-feature-flags + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # Setting this flag to "true" enables remote resolution of Tekton OCI bundles. + enable-bundles-resolver: "true" + # Setting this flag to "true" enables remote resolution of tasks and pipelines via the Tekton Hub. + enable-hub-resolver: "true" + # Setting this flag to "true" enables remote resolution of tasks and pipelines from Git repositories. + enable-git-resolver: "true" + # Setting this flag to "true" enables remote resolution of tasks and pipelines from other namespaces within the cluster. + enable-cluster-resolver: "true" + +--- +# Copyright 2020 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. 
The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. + buckets: "1" + +--- +# Copyright 2019 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-logging + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + zap-logger-config: | + { + "level": "info", + "development": false, + "sampling": { + "initial": 100, + "thereafter": 100 + }, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "timestamp", + "levelKey": "severity", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "message", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "iso8601", + "durationEncoder": "", + "callerEncoder": "" + } + } + # Log level overrides + loglevel.controller: "info" + loglevel.webhook: "info" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-observability + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # If non-empty, this enables queue proxy writing request logs to stdout. + # The value determines the shape of the request logs and it must be a valid go text/template. + # It is important to keep this as a single line. Multiple lines are parsed as separate entities + # by most collection agents and will split the request logs into multiple records. + # + # The following fields and functions are available to the template: + # + # Request: An http.Request (see https://golang.org/pkg/net/http/#Request) + # representing an HTTP request received by the server. + # + # Response: + # struct { + # Code int // HTTP status code (see https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml) + # Size int // An int representing the size of the response. 
+ # Latency float64 // A float64 representing the latency of the response in seconds. + # } + # + # Revision: + # struct { + # Name string // Knative revision name + # Namespace string // Knative revision namespace + # Service string // Knative service name + # Configuration string // Knative configuration name + # PodName string // Name of the pod hosting the revision + # PodIP string // IP of the pod hosting the revision + # } + # + logging.request-log-template: '{"httpRequest": {"requestMethod": "{{.Request.Method}}", "requestUrl": "{{js .Request.RequestURI}}", "requestSize": "{{.Request.ContentLength}}", "status": {{.Response.Code}}, "responseSize": "{{.Response.Size}}", "userAgent": "{{js .Request.UserAgent}}", "remoteIp": "{{js .Request.RemoteAddr}}", "serverIp": "{{.Revision.PodIP}}", "referer": "{{js .Request.Referer}}", "latency": "{{.Response.Latency}}s", "protocol": "{{.Request.Proto}}"}, "traceId": "{{index .Request.Header "X-B3-Traceid"}}"}' + + # metrics.backend-destination field specifies the system metrics destination. + # It supports either prometheus (the default) or stackdriver. + # Note: Using stackdriver will incur additional charges + metrics.backend-destination: prometheus + + # metrics.request-metrics-backend-destination specifies the request metrics + # destination. If non-empty, it enables queue proxy to send request metrics. + # Currently supported values: prometheus, stackdriver. + metrics.request-metrics-backend-destination: prometheus + + # metrics.stackdriver-project-id field specifies the stackdriver project ID. This + # field is optional. When running on GCE, application default credentials will be + # used if this field is not provided. + metrics.stackdriver-project-id: "" + + # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to + # Stackdriver using "global" resource type and custom metric type if the + # metrics are not supported by "knative_revision" resource type. 
Setting this + # flag to "true" could cause extra Stackdriver charge. + # If metrics.backend-destination is not Stackdriver, this is ignored. + metrics.allow-stackdriver-custom-metrics: "false" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: git-resolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # The maximum amount of time a single anonymous cloning resolution may take. + fetch-timeout: "1m" + # The git url to fetch the remote resource from when using anonymous cloning. + default-url: "https://github.com/tektoncd/catalog.git" + # The git revision to fetch the remote resource from with either anonymous cloning or the authenticated API. + default-revision: "main" + # The SCM type to use with the authenticated API. Can be github, gitlab, gitea, bitbucketserver, bitbucketcloud + scm-type: "github" + # The SCM server URL to use with the authenticated API. Not needed when using github.com, gitlab.com, or BitBucket Cloud + server-url: "" + # The Kubernetes secret containing the API token for the SCM provider. Required when using the authenticated API. + api-token-secret-name: "" + # The key in the API token secret containing the actual token. Required when using the authenticated API. 
+ api-token-secret-key: "" + # The namespace containing the API token secret. Defaults to "default". + api-token-secret-namespace: "default" + # The default organization to look for repositories under when using the authenticated API, + # if not specified in the resolver parameters. Optional. + default-org: "" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: hubresolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # the default Tekton Hub catalog from where to pull the resource. + default-tekton-hub-catalog: "Tekton" + # the default Artifact Hub Task catalog from where to pull the resource. + default-artifact-hub-task-catalog: "tekton-catalog-tasks" + # the default Artifact Hub Pipeline catalog from where to pull the resource. + default-artifact-hub-pipeline-catalog: "tekton-catalog-pipelines" + # the default layer kind in the hub image. + default-kind: "task" + # the default hub source to pull the resource from. + default-type: "artifact" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-pipelines-remote-resolvers + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.41.0" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.41.0" + # labels below are related to istio and should not be used for resource lookup + version: "v0.41.0" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + template: + metadata: + labels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.41.0" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.41.0" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-resolvers + version: "v0.41.0" + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + 
app.kubernetes.io/part-of: tekton-pipelines + topologyKey: kubernetes.io/hostname + weight: 100 + serviceAccountName: tekton-pipelines-resolvers + containers: + - name: controller + image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers:v0.41.0@sha256:de08fa01e521144d9852dd14fe64f75da0b471c7379b0f721043f69fc86a8647 + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 1000m + memory: 1000Mi + ports: + - name: metrics + containerPort: 9090 + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # If you are changing these names, you will also need to update + # the controller's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_FEATURE_FLAGS_NAME + value: feature-flags + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election + - name: METRICS_DOMAIN + value: tekton.dev/resolution + # Override this env var to set a private hub api endpoint + - name: ARTIFACT_HUB_API + value: "https://artifacthub.io/" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - "ALL" + seccompProfile: + type: RuntimeDefault + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.41.0" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.41.0" + # labels below are related to istio and should not be used for resource lookup + version: "v0.41.0" +spec: + minReplicas: 1 + maxReplicas: 5 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: tekton-pipelines-webhook + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 100 + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment metadata: # Note: the Deployment name must be the same as the Service name specified in # config/400-webhook-service.yaml. If you change this name, you must also 
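Review bot: The ClusterRole `tekton-pipelines-resolvers-resolution-request-updates` in `@@ -1976,8 +1974,702 @@` grants `get`, `list` and `watch` on `secrets` in every namespace and is bound cluster-wide to the resolvers ServiceAccount; together with `cluster-resolver-config` shipping `allowed-namespaces: ""` (all namespaces allowed) and the git resolver reading its API token from `api-token-secret-namespace: "default"`, a compromise of the resolvers pod yields read access to all Secrets in the cluster. This looks like the upstream release manifest as shipped, so for this vendored copy the practical step is to document the exposure next to the rule, e.g. replace `# Read-only access to these.` with `# Cluster-wide Secret read; needed for git/bundle resolver credentials. Narrow the rule or set allowed-namespaces if only specific namespaces publish Tasks/Pipelines.`, and to consider populating `allowed-namespaces` in this repository's overlay. All four resolvers are enabled by default in `resolvers-feature-flags`, and the hub and git resolvers reach `artifacthub.io` and `github.com` unless `ARTIFACT_HUB_API` and `default-url` are overridden, so clusters with egress controls should disable the resolvers they do not use. The `ClusterRoleBinding` carries a `metadata.namespace`, which is ignored on a cluster-scoped object and can be dropped. The `tekton-pipelines-webhook` Deployment that begins at the end of this hunk continues past it.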
@@ -1988,14 +2680,13 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/component: webhook app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.31.4" + app.kubernetes.io/version: "v0.41.0" app.kubernetes.io/part-of: tekton-pipelines # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" # labels below are related to istio and should not be used for resource lookup - version: "v0.31.4" + version: "v0.41.0" spec: - replicas: 1 selector: matchLabels: app.kubernetes.io/name: webhook @@ -2008,13 +2699,13 @@ spec: app.kubernetes.io/name: webhook app.kubernetes.io/component: webhook app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.31.4" + app.kubernetes.io/version: "v0.41.0" app.kubernetes.io/part-of: tekton-pipelines # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" # labels below are related to istio and should not be used for resource lookup app: tekton-pipelines-webhook - version: "v0.31.4" + version: "v0.41.0" spec: affinity: nodeAffinity: @@ -2041,7 +2732,7 @@ spec: - name: webhook # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.31.4@sha256:915029563a15cc8ca6491cd253f2ed8f8ad5f9824650899503b8a8a1f25d3c12 + image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.41.0@sha256:f4e766d21b0ea2735f487888c0155c9d8287f04ac77a4948a616250d24175475 # Resource request required for autoscaler to take any action for a metric resources: requests: 
@@ -2076,10 +2767,13 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - all + - "ALL" # User 65532 is the distroless nonroot user ID runAsUser: 65532 runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault ports: - name: metrics containerPort: 9090 @@ -2113,13 +2807,13 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/component: webhook app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.31.4" + app.kubernetes.io/version: "v0.41.0" app.kubernetes.io/part-of: tekton-pipelines # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.31.4" + pipeline.tekton.dev/release: "v0.41.0" # labels below are related to istio and should not be used for resource lookup app: tekton-pipelines-webhook - version: "v0.31.4" + version: "v0.41.0" name: tekton-pipelines-webhook namespace: tekton-pipelines spec: From 466ebbc86a0873be9757cff9af8f11d88740af43 Mon Sep 17 00:00:00 2001 
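Review bot: In the `@@ -2076` hunk the webhook container's hardened securityContext does not show `readOnlyRootFilesystem: true`, while the resolvers container added earlier in this same patch sets it next to the identical `drop: ["ALL"]` / `runAsNonRoot: true` / `seccompProfile: RuntimeDefault` triple; the `securityContext:` key itself starts above the hunk, so if it is not already set there, adding `readOnlyRootFilesystem: true` beside `runAsNonRoot: true` keeps the two tekton-pipelines workloads consistent. The change from `- all` to `- "ALL"` is the spelling the restricted Pod Security Standard checks for, so that part is correct as written. Since `runAsNonRoot: true` now sits under the `# User 65532 is the distroless nonroot user ID` comment, extending that comment to `# User 65532 is the distroless nonroot user ID; runAsNonRoot makes the kubelet refuse to start the container if the image ever runs as UID 0` records why both settings are present. The enclosing container spec begins and ends outside this hunk.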
From: Kimonas Sotirchos Date: Wed, 1 Feb 2023 18:06:42 +0200 Subject: [PATCH 20/74] Update kubeflow/kubeflow manifests from a74094c3a (#2370) --- README.md | 16 +- apps/admission-webhook/upstream/base/crd.yaml | 2105 ++++++++++++++++- .../upstream/base/kustomization.yaml | 3 +- .../upstream/base/kustomization.yaml | 3 +- .../upstream/base/cluster-role.yaml | 8 + .../base/configs/spawner_ui_config.yaml | 20 +- .../upstream/base/deployment.yaml | 3 - .../upstream/base/kustomization.yaml | 10 +- .../overlays/istio/authorization-policy.yaml | 14 + .../overlays/istio/destination-rule.yaml | 9 + .../overlays/istio/kustomization.yaml | 2 + .../upstream/base/kustomization.yaml | 3 +- .../crd/bases/kubeflow.org_notebooks.yaml | 18 + .../upstream/manager/kustomization.yaml | 5 +- .../upstream/manager/manager.yaml | 22 +- .../upstream/manager/params.env | 4 + .../upstream/samples/_v1_notebook.yaml | 2 +- .../upstream/samples/_v1alpha1_notebook.yaml | 2 +- .../upstream/samples/_v1beta1_notebook.yaml | 2 +- .../profiles/upstream/base/kustomization.yaml | 3 +- apps/profiles/upstream/manager/manager.yaml | 12 +- .../overlays/kubeflow/kustomization.yaml | 3 +- .../overlays/kubeflow/patches/kfam.yaml | 2 +- .../upstream/samples/_v1_profile.yaml | 6 +- .../upstream/samples/_v1_profile_aws_iam.yaml | 12 + .../upstream/base/kustomization.yaml | 5 +- .../upstream/base/deployment.yaml | 3 - .../upstream/base/kustomization.yaml | 10 +- .../overlays/istio/authorization-policy.yaml | 14 + .../overlays/istio/destination-rule.yaml | 9 + .../overlays/istio/kustomization.yaml | 2 + .../upstream/base/cluster-role.yaml | 6 + .../upstream/base/deployment.yaml | 3 - .../upstream/base/kustomization.yaml | 10 +- .../overlays/istio/authorization-policy.yaml | 14 + .../overlays/istio/destination-rule.yaml | 9 + .../overlays/istio/kustomization.yaml | 2 + 37 files changed, 2264 insertions(+), 112 deletions(-) create mode 100644 
apps/jupyter/jupyter-web-app/upstream/overlays/istio/authorization-policy.yaml create mode 100644 apps/jupyter/jupyter-web-app/upstream/overlays/istio/destination-rule.yaml create mode 100644 apps/profiles/upstream/samples/_v1_profile_aws_iam.yaml create mode 100644 apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/authorization-policy.yaml create mode 100644 apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/destination-rule.yaml create mode 100644 apps/volumes-web-app/upstream/overlays/istio/authorization-policy.yaml create mode 100644 apps/volumes-web-app/upstream/overlays/istio/destination-rule.yaml diff --git a/README.md b/README.md index 5fdc5984ac..d3cfa04d89 100644 --- a/README.md +++ b/README.md 
@@ -42,14 +42,14 @@ This repo periodically syncs all official Kubeflow components from their respect | Component | Local Manifests Path | Upstream Revision | | - | - | - | | Training Operator | apps/training-operator/upstream | [v1.6.0-rc.0](https://github.com/kubeflow/training-operator/tree/v1.6.0-rc.0/manifests) | -| Notebook Controller | apps/jupyter/notebook-controller/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/notebook-controller/config) | -| Tensorboard Controller | apps/tensorboard/tensorboard-controller/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/tensorboard-controller/config) | -| Central Dashboard | apps/centraldashboard/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/centraldashboard/manifests) | -| Profiles + KFAM | apps/profiles/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/profile-controller/config) | -| PodDefaults Webhook | apps/admission-webhook/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/admission-webhook/manifests) | -| Jupyter Web App | apps/jupyter/jupyter-web-app/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/crud-web-apps/jupyter/manifests) | -| Tensorboards Web App | apps/tensorboard/tensorboards-web-app/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/crud-web-apps/tensorboards/manifests) | -| Volumes Web App | apps/volumes-web-app/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/crud-web-apps/volumes/manifests) | +| Notebook Controller | apps/jupyter/notebook-controller/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/notebook-controller/config) | +| Tensorboard Controller | apps/tensorboard/tensorboard-controller/upstream | 
[a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/tensorboard-controller/config) | +| Central Dashboard | apps/centraldashboard/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/centraldashboard/manifests) | +| Profiles + KFAM | apps/profiles/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/profile-controller/config) | +| PodDefaults Webhook | apps/admission-webhook/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/admission-webhook/manifests) | +| Jupyter Web App | apps/jupyter/jupyter-web-app/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/crud-web-apps/jupyter/manifests) | +| Tensorboards Web App | apps/tensorboard/tensorboards-web-app/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/crud-web-apps/tensorboards/manifests) | +| Volumes Web App | apps/volumes-web-app/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/crud-web-apps/volumes/manifests) | | Katib | apps/katib/upstream | [v0.14.0-rc.0](https://github.com/kubeflow/katib/tree/v0.14.0-rc.0/manifests/v1beta1) | | KServe | contrib/kserve/kserve | [release-0.8](https://github.com/kserve/kserve/tree/8079f375cbcedc4d45a1b4aade2e2308ea6f9ae8/install/v0.8.0) | | KServe Models Web App | contrib/kserve/models-web-app | [v0.8.1](https://github.com/kserve/models-web-app/tree/v0.8.1/config) | diff --git a/apps/admission-webhook/upstream/base/crd.yaml b/apps/admission-webhook/upstream/base/crd.yaml index c1bb44786f..b719b5d704 100644 --- a/apps/admission-webhook/upstream/base/crd.yaml +++ b/apps/admission-webhook/upstream/base/crd.yaml 
@@ -1,69 +1,2066 @@ +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null name: poddefaults.kubeflow.org spec: group: kubeflow.org names: kind: PodDefault + listKind: PodDefaultList plural: poddefaults singular: poddefault - preserveUnknownFields: false scope: Namespaced - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - desc: + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + annotations: + additionalProperties: type: string - serviceAccountName: + type: object + args: + items: type: string - automountServiceAccountToken: - type: boolean - env: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - x-kubernetes-preserve-unknown-fields: true - envFrom: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - x-kubernetes-preserve-unknown-fields: true - selector: + type: array + automountServiceAccountToken: + type: boolean + command: + items: + type: string + type: array + desc: + type: string + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + 
x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name type: object - x-kubernetes-preserve-unknown-fields: true - volumeMounts: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - x-kubernetes-preserve-unknown-fields: true - volumes: - items: + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + imagePullSecrets: + items: + properties: + name: + type: string + type: object + type: array + initContainers: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + 
properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + 
httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + 
properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string 
+ required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + labels: + additionalProperties: + type: string + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string type: object - x-kubernetes-preserve-unknown-fields: true - type: array - x-kubernetes-preserve-unknown-fields: true - 
required: - - selector - type: object - x-kubernetes-preserve-unknown-fields: true - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - x-kubernetes-preserve-unknown-fields: true + type: object + serviceAccountName: + type: string + sidecars: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: 
string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: 
object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: 
string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer 
+ - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + type: string + kind: + type: string + readOnly: + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - 
shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + type: string + type: object + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + storageClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + wwids: + items: + type: string + type: array + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string 
+ type: object + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + 
items: + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + type: string + monitors: + items: + type: string + type: array + pool: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - image + - monitors + type: object + 
scaleIO: + properties: + fsType: + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + sslEnabled: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - selector + type: object + status: + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/apps/admission-webhook/upstream/base/kustomization.yaml b/apps/admission-webhook/upstream/base/kustomization.yaml index 4c382cc87e..792ff34364 100644 --- a/apps/admission-webhook/upstream/base/kustomization.yaml +++ b/apps/admission-webhook/upstream/base/kustomization.yaml @@ -15,7 +15,8 @@ commonLabels: app.kubernetes.io/name: poddefaults images: - name: docker.io/kubeflownotebookswg/poddefaults-webhook - newTag: v1.6.0-rc.1 + newName: docker.io/kubeflownotebookswg/poddefaults-webhook + newTag: v1.7.0-rc.0 namespace: kubeflow generatorOptions: disableNameSuffixHash: true 
diff --git a/apps/centraldashboard/upstream/base/kustomization.yaml b/apps/centraldashboard/upstream/base/kustomization.yaml index 220ca23ec5..4b25b23854 100644 --- a/apps/centraldashboard/upstream/base/kustomization.yaml +++ b/apps/centraldashboard/upstream/base/kustomization.yaml @@ -17,7 +17,8 @@ commonLabels: app.kubernetes.io/name: centraldashboard images: - name: docker.io/kubeflownotebookswg/centraldashboard - newTag: v1.6.0-rc.1 + newName: docker.io/kubeflownotebookswg/centraldashboard + newTag: v1.7.0-rc.0 configMapGenerator: - envs: - params.env diff --git a/apps/jupyter/jupyter-web-app/upstream/base/cluster-role.yaml b/apps/jupyter/jupyter-web-app/upstream/base/cluster-role.yaml index 8fe8c3cb87..b9eb15ede3 100644 --- a/apps/jupyter/jupyter-web-app/upstream/base/cluster-role.yaml +++ b/apps/jupyter/jupyter-web-app/upstream/base/cluster-role.yaml @@ -46,6 +46,14 @@ rules: - get - list - watch +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - list + - get --- diff --git a/apps/jupyter/jupyter-web-app/upstream/base/configs/spawner_ui_config.yaml b/apps/jupyter/jupyter-web-app/upstream/base/configs/spawner_ui_config.yaml index 21b3dac6ac..5fa1efad9b 100644 --- a/apps/jupyter/jupyter-web-app/upstream/base/configs/spawner_ui_config.yaml +++ b/apps/jupyter/jupyter-web-app/upstream/base/configs/spawner_ui_config.yaml 
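Review bot: The rule added to the jupyter-web-app cluster-role grants `get` on `pods/log` in every namespace, because this is a ClusterRole, so the web app's service account can read the logs of any pod in the cluster, including kubeflow and istio-system pods whose logs may contain tokens or request headers. The app presumably gates the per-user view with SubjectAccessReview checks, but that does not shrink what the service account itself holds if the app or its token is compromised, and the hunk gives no hint that the new logs path performs such a check. A comment recording the decision, e.g. `# pods/log: needed for the notebook logs view; cluster-wide because each profile is a namespace`, plus a confirmation that the logs endpoint runs a SAR for `pods/log` before proxying, would make the trade-off reviewable. The rules list this belongs to starts before the hunk, so the role's name and binding are not visible here.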
@@ -17,23 +17,23 @@ spawnerFormDefaults: image: # The container Image for the user's Jupyter Notebook - value: kubeflownotebookswg/jupyter-scipy:v1.6.0-rc.1 + value: kubeflownotebookswg/jupyter-scipy:v1.7.0-rc.0 # The list of available standard container Images options: - - kubeflownotebookswg/jupyter-scipy:v1.6.0-rc.1 - - kubeflownotebookswg/jupyter-pytorch-full:v1.6.0-rc.1 - - kubeflownotebookswg/jupyter-pytorch-cuda-full:v1.6.0-rc.1 - - kubeflownotebookswg/jupyter-tensorflow-full:v1.6.0-rc.1 - - kubeflownotebookswg/jupyter-tensorflow-cuda-full:v1.6.0-rc.1 + - kubeflownotebookswg/jupyter-scipy:v1.7.0-rc.0 + - kubeflownotebookswg/jupyter-pytorch-full:v1.7.0-rc.0 + - kubeflownotebookswg/jupyter-pytorch-cuda-full:v1.7.0-rc.0 + - kubeflownotebookswg/jupyter-tensorflow-full:v1.7.0-rc.0 + - kubeflownotebookswg/jupyter-tensorflow-cuda-full:v1.7.0-rc.0 imageGroupOne: # The container Image for the user's Group One Server # The annotation `notebooks.kubeflow.org/http-rewrite-uri: /` # is applied to notebook in this group, configuring # the Istio rewrite for containers that host their web UI at `/` - value: kubeflownotebookswg/codeserver-python:v1.6.0-rc.1 + value: kubeflownotebookswg/codeserver-python:v1.7.0-rc.0 # The list of available standard container Images options: - - kubeflownotebookswg/codeserver-python:v1.6.0-rc.1 + - kubeflownotebookswg/codeserver-python:v1.7.0-rc.0 imageGroupTwo: # The container Image for the user's Group Two Server # The annotation `notebooks.kubeflow.org/http-rewrite-uri: /` 
@@ -42,10 +42,10 @@ spawnerFormDefaults: # The annotation `notebooks.kubeflow.org/http-headers-request-set` # is applied to notebook in this group, configuring Istio # to add the `X-RStudio-Root-Path` header to requests - value: kubeflownotebookswg/rstudio-tidyverse:v1.6.0-rc.1 + value: kubeflownotebookswg/rstudio-tidyverse:v1.7.0-rc.0 # The list of available standard container Images options: - - kubeflownotebookswg/rstudio-tidyverse:v1.6.0-rc.1 + - kubeflownotebookswg/rstudio-tidyverse:v1.7.0-rc.0 # If true, hide registry and/or tag name in the image selection dropdown hideRegistry: true hideTag: false diff --git a/apps/jupyter/jupyter-web-app/upstream/base/deployment.yaml b/apps/jupyter/jupyter-web-app/upstream/base/deployment.yaml index 662171b375..e492267fc2 100644 --- a/apps/jupyter/jupyter-web-app/upstream/base/deployment.yaml +++ b/apps/jupyter/jupyter-web-app/upstream/base/deployment.yaml @@ -5,9 +5,6 @@ metadata: spec: replicas: 1 template: - metadata: - annotations: - sidecar.istio.io/inject: "false" spec: containers: - name: jupyter-web-app diff --git a/apps/jupyter/jupyter-web-app/upstream/base/kustomization.yaml b/apps/jupyter/jupyter-web-app/upstream/base/kustomization.yaml index 6d5f355861..86a87cb5bc 100644 --- a/apps/jupyter/jupyter-web-app/upstream/base/kustomization.yaml +++ b/apps/jupyter/jupyter-web-app/upstream/base/kustomization.yaml @@ -22,7 +22,8 @@ commonLabels: kustomize.component: jupyter-web-app images: - name: docker.io/kubeflownotebookswg/jupyter-web-app - newTag: v1.6.0-rc.1 + newName: docker.io/kubeflownotebookswg/jupyter-web-app + newTag: v1.7.0-rc.0 # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: @@ -75,3 +76,10 @@ vars: apiVersion: v1 kind: ConfigMap name: parameters +- name: JWA_APP_SECURE_COOKIES + fieldref: + fieldPath: data.JWA_APP_SECURE_COOKIES + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters 
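Review bot: Removing `sidecar.istio.io/inject: "false"` from the jupyter-web-app pod template leaves injection to the namespace label, and the ingress-only AuthorizationPolicy this change adds in the istio overlay only has effect when a sidecar is actually present on the pod; a kubeflow namespace without `istio-injection=enabled` would silently leave the app reachable from any in-cluster pod with no principal check. Since the app, as is usual for Kubeflow web apps, presumably trusts the user-identity header that the gateway sets, that gap would be a header-spoofing path rather than just a loss of mTLS. Either setting `sidecar.istio.io/inject: "true"` explicitly on the template, or a comment in the istio overlay stating that injection is a prerequisite for the policy, would close the ambiguity. The container list this template belongs to continues outside the hunk.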
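Review bot: `JWA_APP_SECURE_COOKIES` is exported as a kustomize var here, but nothing in this hunk shows where its value is defined or which Deployment field references `$(JWA_APP_SECURE_COOKIES)`; kustomize substitutes vars only at referenced fields, so an unreferenced var is a silent no-op. Please confirm the `parameters` ConfigMap's params.env (not in view) defines it and that the shipped default is `true`, since `false` would presumably emit session cookies without the Secure attribute and is only defensible for plain-HTTP test installs. A one-line comment above the var, `# false only for HTTP-only (non-TLS) test deployments; keep true behind a TLS ingress`, would make that trade-off visible to operators.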
diff --git a/apps/jupyter/jupyter-web-app/upstream/overlays/istio/authorization-policy.yaml b/apps/jupyter/jupyter-web-app/upstream/overlays/istio/authorization-policy.yaml new file mode 100644 index 0000000000..b81b95e49d --- /dev/null +++ b/apps/jupyter/jupyter-web-app/upstream/overlays/istio/authorization-policy.yaml @@ -0,0 +1,14 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: jupyter-web-app +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account + selector: + matchLabels: + app: jupyter-web-app diff --git a/apps/jupyter/jupyter-web-app/upstream/overlays/istio/destination-rule.yaml b/apps/jupyter/jupyter-web-app/upstream/overlays/istio/destination-rule.yaml new file mode 100644 index 0000000000..bd651c5cfc --- /dev/null +++ b/apps/jupyter/jupyter-web-app/upstream/overlays/istio/destination-rule.yaml @@ -0,0 +1,9 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: jupyter-web-app +spec: + host: jupyter-web-app-service.kubeflow.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL diff --git a/apps/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml b/apps/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml index 6e3fd68553..a647f10977 100644 --- a/apps/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml +++ b/apps/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml @@ -3,6 +3,8 @@ kind: Kustomization resources: - ../../base - virtual-service.yaml +- authorization-policy.yaml +- destination-rule.yaml namespace: kubeflow commonLabels: app: jupyter-web-app diff --git a/apps/jupyter/notebook-controller/upstream/base/kustomization.yaml b/apps/jupyter/notebook-controller/upstream/base/kustomization.yaml index 6f1213aec4..a0d4fb5c67 100644 --- a/apps/jupyter/notebook-controller/upstream/base/kustomization.yaml 
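Review bot: The ALLOW rule in authorization-policy.yaml hard-codes the gateway identity `cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account`, so a deployment with a different trust domain, gateway namespace or service-account name gets every request to jupyter-web-app rejected with 403 and no clear hint why; a comment such as `# Only the Istio ingress gateway may reach the app; adjust the principal if the gateway runs under another namespace/SA or trust domain` would record that assumption, and exposing it as a kustomize var next to the other parameters would be better still. Because an ALLOW policy denies whatever matches no rule and plaintext requests carry no principal, the policy does also block unauthenticated in-cluster callers, which is what protects the gateway-set user header, but that property depends on the sidecar actually being injected into this pod, which the base deployment now leaves to namespace-level injection. A `PeerAuthentication` with `mode: STRICT` for the same selector would make the mTLS requirement explicit rather than a side effect of the authorization rule.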
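Review bot: `host` in destination-rule.yaml hard-codes `jupyter-web-app-service.kubeflow.svc.cluster.local`, while this same patch series parameterises the cluster domain for the notebook controller (`CLUSTER_DOMAIN=cluster.local` in its params.env); on a cluster with a non-default domain the rule matches nothing and the `ISTIO_MUTUAL` setting is silently lost. Using the short name, `host: jupyter-web-app-service`, which Istio resolves in the rule's own namespace, or driving the FQDN from the same domain parameter, would keep the two in step. The rule also relies on the `namespace: kubeflow` set by the overlay's kustomization, which is fine but worth a one-line comment so the host and the rule's namespace are not changed independently.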
+++ b/apps/jupyter/notebook-controller/upstream/base/kustomization.yaml @@ -4,4 +4,5 @@ resources: - ../default images: - name: docker.io/kubeflownotebookswg/notebook-controller - newTag: v1.6.0-rc.1 + newName: docker.io/kubeflownotebookswg/notebook-controller + newTag: v1.7.0-rc.0 diff --git a/apps/jupyter/notebook-controller/upstream/crd/bases/kubeflow.org_notebooks.yaml b/apps/jupyter/notebook-controller/upstream/crd/bases/kubeflow.org_notebooks.yaml index f1a8ff13a7..1ca9aac8fc 100644 --- a/apps/jupyter/notebook-controller/upstream/crd/bases/kubeflow.org_notebooks.yaml +++ b/apps/jupyter/notebook-controller/upstream/crd/bases/kubeflow.org_notebooks.yaml @@ -3076,13 +3076,19 @@ spec: lastProbeTime: format: date-time type: string + lastTransitionTime: + format: date-time + type: string message: type: string reason: type: string + status: + type: string type: type: string required: + - status - type type: object type: array @@ -6199,13 +6205,19 @@ spec: lastProbeTime: format: date-time type: string + lastTransitionTime: + format: date-time + type: string message: type: string reason: type: string + status: + type: string type: type: string required: + - status - type type: object type: array @@ -9322,13 +9334,19 @@ spec: lastProbeTime: format: date-time type: string + lastTransitionTime: + format: date-time + type: string message: type: string reason: type: string + status: + type: string type: type: string required: + - status - type type: object type: array diff --git a/apps/jupyter/notebook-controller/upstream/manager/kustomization.yaml b/apps/jupyter/notebook-controller/upstream/manager/kustomization.yaml index 05426bb2f0..4cc3f3094e 100644 --- a/apps/jupyter/notebook-controller/upstream/manager/kustomization.yaml +++ b/apps/jupyter/notebook-controller/upstream/manager/kustomization.yaml @@ -4,6 +4,5 @@ resources: - service.yaml configMapGenerator: - name: config - literals: - - USE_ISTIO=true - - ISTIO_GATEWAY=kubeflow/kubeflow-gateway + envs: + - params.env 
diff --git a/apps/jupyter/notebook-controller/upstream/manager/manager.yaml b/apps/jupyter/notebook-controller/upstream/manager/manager.yaml index b478868c3c..c51a7b1cd8 100644 --- a/apps/jupyter/notebook-controller/upstream/manager/manager.yaml +++ b/apps/jupyter/notebook-controller/upstream/manager/manager.yaml @@ -32,7 +32,27 @@ spec: configMapKeyRef: name: config key: ISTIO_GATEWAY - imagePullPolicy: Always + - name: CLUSTER_DOMAIN + valueFrom: + configMapKeyRef: + name: config + key: CLUSTER_DOMAIN + - name: ENABLE_CULLING + valueFrom: + configMapKeyRef: + name: config + key: ENABLE_CULLING + - name: CULL_IDLE_TIME + valueFrom: + configMapKeyRef: + name: config + key: CULL_IDLE_TIME + - name: IDLENESS_CHECK_PERIOD + valueFrom: + configMapKeyRef: + name: config + key: IDLENESS_CHECK_PERIOD + imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz diff --git a/apps/jupyter/notebook-controller/upstream/manager/params.env b/apps/jupyter/notebook-controller/upstream/manager/params.env index 5fa00071df..8ab2bf275c 100644 --- a/apps/jupyter/notebook-controller/upstream/manager/params.env +++ b/apps/jupyter/notebook-controller/upstream/manager/params.env @@ -1,2 +1,6 @@ USE_ISTIO=true ISTIO_GATEWAY=kubeflow/kubeflow-gateway +CLUSTER_DOMAIN=cluster.local +ENABLE_CULLING=false +CULL_IDLE_TIME=1440 +IDLENESS_CHECK_PERIOD=1 \ No newline at end of file diff --git a/apps/jupyter/notebook-controller/upstream/samples/_v1_notebook.yaml b/apps/jupyter/notebook-controller/upstream/samples/_v1_notebook.yaml index 9334cd95d7..b062e8cb76 100644 --- a/apps/jupyter/notebook-controller/upstream/samples/_v1_notebook.yaml +++ b/apps/jupyter/notebook-controller/upstream/samples/_v1_notebook.yaml @@ -8,4 +8,4 @@ spec: spec: containers: - name: notebook-sample-v1 - image: kubeflownotebookswg/jupyter:v1.6.0-rc.0 + image: kubeflownotebookswg/jupyter:latest 
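Review bot: Switching manager.yaml to `imagePullPolicy: IfNotPresent` while the kustomization pins the image by the mutable tag `v1.7.0-rc.0` means a node keeps whatever it already cached under that tag, so a re-pushed rc tag or a poisoned node cache is never refreshed; if the goal is to avoid registry pulls in CI, pinning by digest in the `images:` transformer (`digest: sha256:…`) gives both reproducibility and a stable cache key, whereas for a release-candidate tag `Always` was the safer default. The four new env vars are wired from the `config` ConfigMap with no note on units or semantics; a comment such as `# CULL_IDLE_TIME: minutes of inactivity before a notebook is culled (only when ENABLE_CULLING=true)` would help, assuming minutes is right since 1440 reads like one day — please confirm against the controller. The container spec this hunk edits starts before the hunk.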
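Review bot: The `_v1_notebook.yaml` sample now points at `kubeflownotebookswg/jupyter:latest`, a floating tag, so anyone applying it gets an unreviewed, non-reproducible image and cannot tell afterwards which build ran; samples like this are routinely copied into real Notebook specs. Pinning to the release tag used everywhere else in this change, `image: kubeflownotebookswg/jupyter:v1.7.0-rc.0`, or to a digest, keeps the sample consistent with the spawner defaults and avoids teaching users to rely on `latest`.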
diff --git a/apps/jupyter/notebook-controller/upstream/samples/_v1alpha1_notebook.yaml b/apps/jupyter/notebook-controller/upstream/samples/_v1alpha1_notebook.yaml index 62c08927af..94b41078cd 100644 --- a/apps/jupyter/notebook-controller/upstream/samples/_v1alpha1_notebook.yaml +++ b/apps/jupyter/notebook-controller/upstream/samples/_v1alpha1_notebook.yaml @@ -8,4 +8,4 @@ spec: spec: containers: - name: notebook-sample-v1 - image: kubeflownotebookswg/jupyter:v1.6.0-rc.0 + image: kubeflownotebookswg/jupyter:latest diff --git a/apps/jupyter/notebook-controller/upstream/samples/_v1beta1_notebook.yaml b/apps/jupyter/notebook-controller/upstream/samples/_v1beta1_notebook.yaml index 6fcdb2a367..da7d8be355 100644 --- a/apps/jupyter/notebook-controller/upstream/samples/_v1beta1_notebook.yaml +++ b/apps/jupyter/notebook-controller/upstream/samples/_v1beta1_notebook.yaml @@ -8,4 +8,4 @@ spec: spec: containers: - name: notebook-sample-v1 - image: kubeflownotebookswg/jupyter:v1.6.0-rc.0 + image: kubeflownotebookswg/jupyter:latest diff --git a/apps/profiles/upstream/base/kustomization.yaml b/apps/profiles/upstream/base/kustomization.yaml index 48d7e6c3d7..8fefc12998 100644 --- a/apps/profiles/upstream/base/kustomization.yaml +++ b/apps/profiles/upstream/base/kustomization.yaml @@ -11,7 +11,8 @@ patchesStrategicMerge: images: - name: docker.io/kubeflownotebookswg/profile-controller - newTag: v1.6.0-rc.1 + newName: docker.io/kubeflownotebookswg/profile-controller + newTag: v1.7.0-rc.0 configMapGenerator: - name: namespace-labels-data diff --git a/apps/profiles/upstream/manager/manager.yaml b/apps/profiles/upstream/manager/manager.yaml index 840ed86469..9dcbf4772e 100644 --- a/apps/profiles/upstream/manager/manager.yaml +++ b/apps/profiles/upstream/manager/manager.yaml 
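Review bot: The `_v1beta1_notebook.yaml` sample (and its v1alpha1 sibling in the preceding hunk) replaces a pinned tag with `kubeflownotebookswg/jupyter:latest`, which makes the sample non-reproducible and, if the tag is ever re-pushed, silently changes what users run. Using the same release tag the rest of this change pins, `image: kubeflownotebookswg/jupyter:v1.7.0-rc.0`, or a digest, would be consistent with the spawner defaults set in spawner_ui_config.yaml.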
@@ -29,18 +29,8 @@ spec: - configMapRef: name: config image: docker.io/kubeflownotebookswg/profile-controller - imagePullPolicy: Always + imagePullPolicy: IfNotPresent name: manager - livenessProbe: - httpGet: - path: /metrics - port: 8080 - initialDelaySeconds: 30 - periodSeconds: 30 - ports: - - containerPort: 8080 - name: manager-http - protocol: TCP livenessProbe: httpGet: path: /healthz diff --git a/apps/profiles/upstream/overlays/kubeflow/kustomization.yaml b/apps/profiles/upstream/overlays/kubeflow/kustomization.yaml index e6bee083c1..ce7d0076bf 100644 --- a/apps/profiles/upstream/overlays/kubeflow/kustomization.yaml +++ b/apps/profiles/upstream/overlays/kubeflow/kustomization.yaml @@ -28,4 +28,5 @@ vars: images: - name: docker.io/kubeflownotebookswg/kfam - newTag: v1.6.0-rc.1 + newName: docker.io/kubeflownotebookswg/kfam + newTag: v1.7.0-rc.0 diff --git a/apps/profiles/upstream/overlays/kubeflow/patches/kfam.yaml b/apps/profiles/upstream/overlays/kubeflow/patches/kfam.yaml index 96cf296e7f..5abcb5aee3 100644 --- a/apps/profiles/upstream/overlays/kubeflow/patches/kfam.yaml +++ b/apps/profiles/upstream/overlays/kubeflow/patches/kfam.yaml @@ -21,7 +21,7 @@ spec: - configMapRef: name: config image: docker.io/kubeflownotebookswg/kfam - imagePullPolicy: Always + imagePullPolicy: IfNotPresent name: kfam livenessProbe: httpGet: diff --git a/apps/profiles/upstream/samples/_v1_profile.yaml b/apps/profiles/upstream/samples/_v1_profile.yaml index 5a87ff0750..ef0a94afc7 100644 --- a/apps/profiles/upstream/samples/_v1_profile.yaml +++ b/apps/profiles/upstream/samples/_v1_profile.yaml @@ -1,6 +1,8 @@ apiVersion: kubeflow.org/v1 kind: Profile metadata: - name: profile-sample + name: test-user-profile spec: - # TODO(user): Add fields here + owner: + kind: User + name: test-user@kubeflow.org diff --git a/apps/profiles/upstream/samples/_v1_profile_aws_iam.yaml b/apps/profiles/upstream/samples/_v1_profile_aws_iam.yaml new file mode 100644 index 0000000000..f5bc85aa1d 
--- /dev/null +++ b/apps/profiles/upstream/samples/_v1_profile_aws_iam.yaml @@ -0,0 +1,12 @@ +apiVersion: kubeflow.org/v1 +kind: Profile +metadata: + name: profile-aws-iam +spec: + owner: + kind: User + name: test-user@kubeflow.org + plugins: + - kind: AwsIamForServiceAccount + spec: + awsIamRole: arn:aws:iam::account-id:role/s3-reader \ No newline at end of file diff --git a/apps/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml b/apps/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml index b20097ddda..abbcd898bb 100644 --- a/apps/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml +++ b/apps/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml @@ -6,10 +6,11 @@ configMapGenerator: - name: tensorboard-controller-config literals: - RWO_PVC_SCHEDULING="True" - - TENSORBOARD_IMAGE=tensorflow/tensorflow:2.1.0 + - TENSORBOARD_IMAGE=tensorflow/tensorflow:2.5.1 - ISTIO_GATEWAY=kubeflow/kubeflow-gateway patchesStrategicMerge: - patches/add_controller_config.yaml images: - name: docker.io/kubeflownotebookswg/tensorboard-controller - newTag: v1.6.0-rc.1 + newName: docker.io/kubeflownotebookswg/tensorboard-controller + newTag: v1.7.0-rc.0 diff --git a/apps/tensorboard/tensorboards-web-app/upstream/base/deployment.yaml b/apps/tensorboard/tensorboards-web-app/upstream/base/deployment.yaml index 6c44af5937..5676e61b70 100644 --- a/apps/tensorboard/tensorboards-web-app/upstream/base/deployment.yaml +++ b/apps/tensorboard/tensorboards-web-app/upstream/base/deployment.yaml @@ -5,9 +5,6 @@ metadata: spec: replicas: 1 template: - metadata: - annotations: - sidecar.istio.io/inject: "false" spec: containers: - name: tensorboards-web-app diff --git a/apps/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml b/apps/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml index ff83819d1b..d998d651c8 100644 --- a/apps/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml 
+++ b/apps/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml @@ -13,7 +13,8 @@ commonLabels: kustomize.component: tensorboards-web-app images: - name: docker.io/kubeflownotebookswg/tensorboards-web-app - newTag: v1.6.0-rc.1 + newName: docker.io/kubeflownotebookswg/tensorboards-web-app + newTag: v1.7.0-rc.0 # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: @@ -56,3 +57,10 @@ vars: apiVersion: v1 kind: ConfigMap name: parameters +- fieldref: + fieldPath: data.TWA_APP_SECURE_COOKIES + name: TWA_APP_SECURE_COOKIES + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters diff --git a/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/authorization-policy.yaml b/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/authorization-policy.yaml new file mode 100644 index 0000000000..e7440147a0 --- /dev/null +++ b/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/authorization-policy.yaml @@ -0,0 +1,14 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: tensorboards-web-app +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account + selector: + matchLabels: + app: tensorboards-web-app diff --git a/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/destination-rule.yaml b/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/destination-rule.yaml new file mode 100644 index 0000000000..496932be48 --- /dev/null +++ b/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/destination-rule.yaml @@ -0,0 +1,9 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: tensorboards-web-app +spec: + host: tensorboards-web-app-service.kubeflow.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL 
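Review bot: The tensorboards-web-app AuthorizationPolicy hard-codes the principal `cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account`, so any installation whose gateway runs under a different namespace, service account or trust domain will see every request to the app fail with 403 and nothing in the manifest explaining why. A comment such as `# Only the Istio ingress gateway may reach the app; adjust if the gateway uses another namespace/SA or trust domain`, or a kustomize var for the principal, would make the assumption explicit. The policy is only enforced when a sidecar is injected into this pod, which the base deployment in this change now leaves to the namespace label; a `PeerAuthentication` with `mode: STRICT` on the same selector would state the mTLS requirement directly rather than leaving it implied by the ALLOW rule.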
diff --git a/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml b/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml index c6d57ca81e..45e308307c 100644 --- a/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml +++ b/apps/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml @@ -3,6 +3,8 @@ kind: Kustomization resources: - ../../base - virtual-service.yaml +- authorization-policy.yaml +- destination-rule.yaml namespace: kubeflow commonLabels: app: tensorboards-web-app diff --git a/apps/volumes-web-app/upstream/base/cluster-role.yaml b/apps/volumes-web-app/upstream/base/cluster-role.yaml index c1b5964ce8..b914348930 100644 --- a/apps/volumes-web-app/upstream/base/cluster-role.yaml +++ b/apps/volumes-web-app/upstream/base/cluster-role.yaml @@ -43,6 +43,12 @@ rules: - events verbs: - list +- apiGroups: + - kubeflow.org + resources: + - notebooks + verbs: + - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/apps/volumes-web-app/upstream/base/deployment.yaml b/apps/volumes-web-app/upstream/base/deployment.yaml index ecd098cc91..638ac406de 100644 --- a/apps/volumes-web-app/upstream/base/deployment.yaml +++ b/apps/volumes-web-app/upstream/base/deployment.yaml @@ -5,9 +5,6 @@ metadata: spec: replicas: 1 template: - metadata: - annotations: - sidecar.istio.io/inject: "false" spec: containers: - name: volumes-web-app diff --git a/apps/volumes-web-app/upstream/base/kustomization.yaml b/apps/volumes-web-app/upstream/base/kustomization.yaml index 5e159ef82d..eeeb2ea387 100644 --- a/apps/volumes-web-app/upstream/base/kustomization.yaml +++ b/apps/volumes-web-app/upstream/base/kustomization.yaml 
@@ -13,7 +13,8 @@ commonLabels: kustomize.component: volumes-web-app images: - name: docker.io/kubeflownotebookswg/volumes-web-app - newTag: v1.6.0-rc.1 + newName: docker.io/kubeflownotebookswg/volumes-web-app + newTag: v1.7.0-rc.0 # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: @@ -56,3 +57,10 @@ vars: apiVersion: v1 kind: ConfigMap name: parameters +- name: VWA_APP_SECURE_COOKIES + fieldref: + fieldPath: data.VWA_APP_SECURE_COOKIES + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters diff --git a/apps/volumes-web-app/upstream/overlays/istio/authorization-policy.yaml b/apps/volumes-web-app/upstream/overlays/istio/authorization-policy.yaml new file mode 100644 index 0000000000..8cd7119cc0 --- /dev/null +++ b/apps/volumes-web-app/upstream/overlays/istio/authorization-policy.yaml @@ -0,0 +1,14 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: volumes-web-app +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account + selector: + matchLabels: + app: volumes-web-app diff --git a/apps/volumes-web-app/upstream/overlays/istio/destination-rule.yaml b/apps/volumes-web-app/upstream/overlays/istio/destination-rule.yaml new file mode 100644 index 0000000000..fb760fe5ee --- /dev/null +++ b/apps/volumes-web-app/upstream/overlays/istio/destination-rule.yaml @@ -0,0 +1,9 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: volumes-web-app +spec: + host: volumes-web-app-service.kubeflow.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL diff --git a/apps/volumes-web-app/upstream/overlays/istio/kustomization.yaml b/apps/volumes-web-app/upstream/overlays/istio/kustomization.yaml index a5f4c33f3e..1d8d0ac0fc 100644 --- a/apps/volumes-web-app/upstream/overlays/istio/kustomization.yaml 
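Review bot: The volumes-web-app AuthorizationPolicy pins access to the hard-coded principal `cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account`; a gateway deployed under another namespace, service-account name or trust domain turns this into a blanket 403 with no hint in the manifest. A comment along the lines of `# Only the Istio ingress gateway may reach the app; adjust if the gateway uses another namespace/SA or trust domain`, or a kustomize var for the principal, would document the assumption. Since the policy has effect only when the sidecar is actually injected, which the base deployment now delegates to the namespace label, a `PeerAuthentication` with `mode: STRICT` for the same selector would make the mTLS requirement explicit instead of a side effect of the ALLOW rule.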
+++ b/apps/volumes-web-app/upstream/overlays/istio/kustomization.yaml @@ -3,6 +3,8 @@ kind: Kustomization resources: - ../../base - virtual-service.yaml +- authorization-policy.yaml +- destination-rule.yaml namespace: kubeflow commonLabels: app: volumes-web-app From 5c0329e273219a1a363ace56fc2db9a15b5de579 Mon Sep 17 00:00:00 2001 From: Kimonas Sotirchos Date: Thu, 2 Feb 2023 12:45:30 +0200 Subject: [PATCH 21/74] Add Julius von Kohout as reviewer for /contrib (#2371) Signed-off-by: Kimonas Sotirchos --- contrib/OWNERS | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 contrib/OWNERS diff --git a/contrib/OWNERS b/contrib/OWNERS new file mode 100644 index 0000000000..200b152359 --- /dev/null +++ b/contrib/OWNERS @@ -0,0 +1,2 @@ +reviewers: + - juliusvonkohout From 83aa1abf1cccfeb3382a67490678f6f82434be63 Mon Sep 17 00:00:00 2001 From: Kimonas Sotirchos Date: Thu, 2 Feb 2023 14:45:30 +0200 Subject: [PATCH 22/74] Update the README for kustomize 4.5.7 support (#2362) * Wait for Cert Manager Pods to become Ready We will need to wait for the Cert Manager pods to become Ready, before applying a ClusterIssuer. Previously we would get connection refused errors from the K8s API Server talking to the webhook. A useful troubleshooting guide is: https://cert-manager.io/docs/troubleshooting/webhook/#error-connect-connection-refused Signed-off-by: Kimonas Sotirchos * README: Update instructions for running with Kustomize 4 Signed-off-by: Kimonas Sotirchos --------- Signed-off-by: Kimonas Sotirchos --- README.md | 39 +++++++++++++++++++++++++++++++-------- 1 file changed, 31 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index d3cfa04d89..9569b2ac51 100644 --- a/README.md +++ b/README.md 
@@ -81,12 +81,9 @@ The `example` directory contains an example kustomization for the single command ### Prerequisites -- `Kubernetes` (up to `1.21`) with a default [StorageClass](https://kubernetes.io/docs/concepts/storage/storage-classes/) - - :warning: Kubeflow 1.5.0 is not compatible with version 1.22 and onwards. - You can track the remaining work for K8s 1.22 support in - [kubeflow/kubeflow#6353](https://github.com/kubeflow/kubeflow/issues/6353) -- `kustomize` (version `3.2.0`) ([download link](https://github.com/kubernetes-sigs/kustomize/releases/tag/v3.2.0)) - - :warning: Kubeflow 1.5.0 is not compatible with the latest versions of of kustomize 4.x. This is due to changes in the order resources are sorted and printed. Please see [kubernetes-sigs/kustomize#3794](https://github.com/kubernetes-sigs/kustomize/issues/3794) and [kubeflow/manifests#1797](https://github.com/kubeflow/manifests/issues/1797). We know this is not ideal and are working with the upstream kustomize team to add support for the latest versions of kustomize as soon as we can. +- `Kubernetes` (up to `1.25`) with a default [StorageClass](https://kubernetes.io/docs/concepts/storage/storage-classes/) +- `kustomize` (version [`3.2.0`](https://github.com/kubernetes-sigs/kustomize/releases/tag/v3.2.0) or [`4.5.7`](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.5.7)) + - :warning: Kubeflow is compatible with Kustomize 4.5.7 only for [installing the individual components](#install-individual-components). The one-liner will need Kustomize 3.2, since versions from 4 and onwards have a regression on the order resources are sorted and printed. Please see [kubernetes-sigs/kustomize#3794](https://github.com/kubernetes-sigs/kustomize/issues/3794) and [kubeflow/manifests#1797](https://github.com/kubeflow/manifests/issues/1797). We know this is not ideal and are working with the upstream kustomize team to add support for the latest versions of kustomize as soon as we can. 
- `kubectl` --- @@ -117,6 +114,22 @@ If all the following commands are executed, the result is the same as in the abo - Provide a description of each component and insight on how it gets installed. - Enable the user or distribution owner to pick and choose only the components they need. +--- +**Troubleshooting note** + +We've seen errors like the following when applying the kustomizations of different components: +``` +error: resource mapping not found for name: "" namespace: "" from "STDIN": no matches for kind "" in version "" +ensure CRDs are installed first +``` + +This is because a kustomization applies both a CRD and a CR very quickly, and the CRD +hasn't become [`Established`](https://github.com/kubernetes/apiextensions-apiserver/blob/a7ee7f91a2d0805f729998b85680a20cfba208d2/pkg/apis/apiextensions/types.go#L276-L279) yet. You can learn more about this in https://github.com/kubernetes/kubectl/issues/1117 and https://github.com/helm/helm/issues/4925. + +If you bump into this error we advise to re-apply the kustomization of the component. + +--- + #### cert-manager cert-manager is used by many Kubeflow components to provide certificates for 
@@ -126,9 +139,18 @@ Install cert-manager: ```sh kustomize build common/cert-manager/cert-manager/base | kubectl apply -f - +kubectl wait --for=condition=ready pod -l 'app in (cert-manager,webhook)' --timeout=180s -n cert-manager kustomize build common/cert-manager/kubeflow-issuer/base | kubectl apply -f - ``` +In case you get this error: +``` +Error from server (InternalError): error when creating "STDIN": Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.202.64:443: connect: connection refused +``` +This is because the webhook is not yet ready to receive request. Wait a couple seconds and retry applying the manfiests. + +For more troubleshooting info also check out https://cert-manager.io/docs/troubleshooting/webhook/ + #### Istio Istio is used by many Kubeflow components to secure their traffic, enforce 
@@ -412,8 +434,9 @@ For security reasons, we don't want to use the default password for the default ## Frequently Asked Questions -- **Q:** What versions of Istio, Knative, Cert-Manager, Argo, ... are compatible with Kubeflow 1.4? \ +- **Q:** What versions of Istio, Knative, Cert-Manager, Argo, ... are compatible with Kubeflow? \ **A:** Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OIDC-AuthService, the versions in `common` are the ones we have validated. - **Q:** Can I use the latest Kustomize version (`v4.x`)? \ - **A:** Kubeflow 1.4.0 is not compatible with the latest versions of of kustomize 4.x. This is due to changes in the order resources are sorted and printed. Please see [kubernetes-sigs/kustomize#3794](https://github.com/kubernetes-sigs/kustomize/issues/3794) and [kubeflow/manifests#1797](https://github.com/kubeflow/manifests/issues/1797). We know this is not ideal and are working with the upstream kustomize team to add support for the latest versions of kustomize as soon as we can. + **A:** Kubeflow is compatible with Kustomize 4.5.7 only for [installing the individual components](#install-individual-components). The one-liner will need Kustomize 3.2, since versions from 4 and onwards have a regression on the order resources are sorted and printed. Please see [kubernetes-sigs/kustomize#3794](https://github.com/kubernetes-sigs/kustomize/issues/3794) and [kubeflow/manifests#1797](https://github.com/kubeflow/manifests/issues/1797). We know this is not ideal and are working with the upstream kustomize team to add support for the latest versions of kustomize as soon as we can. + From ea9592cb32e52278ed9c5ddea83bc2896ab7c31e Mon Sep 17 00:00:00 2001 
From: Kimonas Sotirchos Date: Thu, 2 Feb 2023 15:55:29 +0200 Subject: [PATCH 23/74] Update kubeflow/kubeflow manifests from v1.7.0-rc.0 (#2377) --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 9569b2ac51..fdd48b8a68 100644 --- a/README.md +++ b/README.md 
@@ -42,14 +42,14 @@ This repo periodically syncs all official Kubeflow components from their respect | Component | Local Manifests Path | Upstream Revision | | - | - | - | | Training Operator | apps/training-operator/upstream | [v1.6.0-rc.0](https://github.com/kubeflow/training-operator/tree/v1.6.0-rc.0/manifests) | -| Notebook Controller | apps/jupyter/notebook-controller/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/notebook-controller/config) | -| Tensorboard Controller | apps/tensorboard/tensorboard-controller/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/tensorboard-controller/config) | -| Central Dashboard | apps/centraldashboard/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/centraldashboard/manifests) | -| Profiles + KFAM | apps/profiles/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/profile-controller/config) | -| PodDefaults Webhook | apps/admission-webhook/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/admission-webhook/manifests) | -| Jupyter Web App | apps/jupyter/jupyter-web-app/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/crud-web-apps/jupyter/manifests) | -| Tensorboards Web App | apps/tensorboard/tensorboards-web-app/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/crud-web-apps/tensorboards/manifests) | -| Volumes Web App | apps/volumes-web-app/upstream | [a74094c3a](https://github.com/kubeflow/kubeflow/tree/a74094c3a/components/crud-web-apps/volumes/manifests) | +| Notebook Controller | apps/jupyter/notebook-controller/upstream | [v1.7.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.7.0-rc.0/components/notebook-controller/config) | +| Tensorboard Controller | apps/tensorboard/tensorboard-controller/upstream | 
[v1.7.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.7.0-rc.0/components/tensorboard-controller/config) | +| Central Dashboard | apps/centraldashboard/upstream | [v1.7.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.7.0-rc.0/components/centraldashboard/manifests) | +| Profiles + KFAM | apps/profiles/upstream | [v1.7.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.7.0-rc.0/components/profile-controller/config) | +| PodDefaults Webhook | apps/admission-webhook/upstream | [v1.7.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.7.0-rc.0/components/admission-webhook/manifests) | +| Jupyter Web App | apps/jupyter/jupyter-web-app/upstream | [v1.7.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.7.0-rc.0/components/crud-web-apps/jupyter/manifests) | +| Tensorboards Web App | apps/tensorboard/tensorboards-web-app/upstream | [v1.7.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.7.0-rc.0/components/crud-web-apps/tensorboards/manifests) | +| Volumes Web App | apps/volumes-web-app/upstream | [v1.7.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.7.0-rc.0/components/crud-web-apps/volumes/manifests) | | Katib | apps/katib/upstream | [v0.14.0-rc.0](https://github.com/kubeflow/katib/tree/v0.14.0-rc.0/manifests/v1beta1) | | KServe | contrib/kserve/kserve | [release-0.8](https://github.com/kserve/kserve/tree/8079f375cbcedc4d45a1b4aade2e2308ea6f9ae8/install/v0.8.0) | | KServe Models Web App | contrib/kserve/models-web-app | [v0.8.1](https://github.com/kserve/models-web-app/tree/v0.8.1/config) | From 95078d9eb639f42b3008d63cb35c6ce48b4ebf5a Mon Sep 17 00:00:00 2001 
From: DomFleischmann Date: Mon, 6 Feb 2023 08:14:01 +0100 Subject: [PATCH 24/74] Update kubeflow/pipelines manifests from 2.0.0-alpha.6 (#2376) --- README.md | 2 +- .../base/cache-deployer/kustomization.yaml | 2 +- .../upstream/base/cache/cache-deployment.yaml | 10 +++++++ .../upstream/base/cache/kustomization.yaml | 2 +- .../generic/pipeline-install-config.yaml | 17 +++++++++++- .../persistence-agent/cluster-role.yaml | 6 +++++ .../persistence-agent/deployment-patch.yaml | 7 +++++ .../persistence-agent/kustomization.yaml | 4 +++ .../multi-user/persistence-agent/params.env | 1 + .../multi-user/view-edit-cluster-roles.yaml | 11 +++++++- .../base/metadata/base/kustomization.yaml | 2 +- .../upstream/base/pipeline/kustomization.yaml | 12 ++++----- .../metadata-writer/kustomization.yaml | 2 +- ...-pipeline-persistenceagent-deployment.yaml | 4 +++ .../ml-pipeline-persistenceagent-role.yaml | 8 +++++- .../env/gcp/inverse-proxy/kustomization.yaml | 2 +- .../mysql/base/mysql-deployment.yaml | 27 ++++++++++++++++--- 17 files changed, 100 insertions(+), 19 deletions(-) create mode 100644 apps/pipeline/upstream/base/installs/multi-user/persistence-agent/params.env diff --git a/README.md b/README.md index fdd48b8a68..c8eb8a9ebb 100644 --- a/README.md +++ b/README.md 
@@ -53,7 +53,7 @@ This repo periodically syncs all official Kubeflow components from their respect | Katib | apps/katib/upstream | [v0.14.0-rc.0](https://github.com/kubeflow/katib/tree/v0.14.0-rc.0/manifests/v1beta1) | | KServe | contrib/kserve/kserve | [release-0.8](https://github.com/kserve/kserve/tree/8079f375cbcedc4d45a1b4aade2e2308ea6f9ae8/install/v0.8.0) | | KServe Models Web App | contrib/kserve/models-web-app | [v0.8.1](https://github.com/kserve/models-web-app/tree/v0.8.1/config) | -| Kubeflow Pipelines | apps/pipeline/upstream | [2.0.0-alpha.3](https://github.com/kubeflow/pipelines/tree/2.0.0-alpha.3/manifests/kustomize) | +| Kubeflow Pipelines | apps/pipeline/upstream | [2.0.0-alpha.6](https://github.com/kubeflow/pipelines/tree/2.0.0-alpha.6/manifests/kustomize) | | Kubeflow Tekton Pipelines | apps/kfp-tekton/upstream | [v1.5.1](https://github.com/kubeflow/kfp-tekton/tree/v1.5.1/manifests/kustomize) | The following is also a matrix with versions from common components that are diff --git a/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml b/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml index 912d6c290d..ad05f2baae 100644 --- a/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml +++ b/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml @@ -8,4 +8,4 @@ commonLabels: app: cache-deployer images: - name: gcr.io/ml-pipeline/cache-deployer - newTag: 2.0.0-alpha.3 + newTag: 2.0.0-alpha.6 diff --git a/apps/pipeline/upstream/base/cache/cache-deployment.yaml b/apps/pipeline/upstream/base/cache/cache-deployment.yaml index 58512e1e6e..9ff1919f1d 100644 --- a/apps/pipeline/upstream/base/cache/cache-deployment.yaml +++ b/apps/pipeline/upstream/base/cache/cache-deployment.yaml 
@@ -18,6 +18,16 @@ spec: - name: server image: gcr.io/ml-pipeline/cache-server:dummy env: + - name: DEFAULT_CACHE_STALENESS + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: DEFAULT_CACHE_STALENESS + - name: MAXIMUM_CACHE_STALENESS + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: MAXIMUM_CACHE_STALENESS - name: CACHE_IMAGE valueFrom: configMapKeyRef: diff --git a/apps/pipeline/upstream/base/cache/kustomization.yaml b/apps/pipeline/upstream/base/cache/kustomization.yaml index ed3f731ac9..d9724156a9 100644 --- a/apps/pipeline/upstream/base/cache/kustomization.yaml +++ b/apps/pipeline/upstream/base/cache/kustomization.yaml @@ -10,4 +10,4 @@ commonLabels: app: cache-server images: - name: gcr.io/ml-pipeline/cache-server - newTag: 2.0.0-alpha.3 + newTag: 2.0.0-alpha.6 diff --git a/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml b/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml index 7f77cd404d..e834e1efe4 100644 --- a/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml +++ b/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml @@ -11,7 +11,7 @@ data: until the changes take effect. A quick way to restart all deployments in a namespace: `kubectl rollout restart deployment -n `. appName: pipeline - appVersion: 2.0.0-alpha.3 + appVersion: 2.0.0-alpha.6 dbHost: mysql dbPort: "3306" mlmdDb: metadb 
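Review bot: The two new `configMapKeyRef` entries in cache-deployment.yaml carry no `optional: true`, so a cluster whose `pipeline-install-config` ConfigMap is managed out of band, or is not re-applied in the same rollout as this Deployment, will have the cache-server pod stuck in CreateContainerConfigError on the missing `DEFAULT_CACHE_STALENESS`/`MAXIMUM_CACHE_STALENESS` keys. Since both keys ship as empty strings anyway, adding `optional: true` under each `configMapKeyRef` leaves fresh installs unchanged and avoids the hard failure on upgrade. Whether the cache server treats an unset variable the same as an empty one is decided in its code, which is outside this diff.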
@@ -68,6 +68,21 @@ data: ## any node and avoid defaulting to specific nodes. Allowed values are: ## 'false' and 'true'. cacheNodeRestrictions: "false" + ## MAXIMUM_CACHE_STALENESS configures caching according to + ## https://www.kubeflow.org/docs/components/pipelines/overview/caching/ and + ## https://www.kubeflow.org/docs/components/pipelines/overview/caching-v2/. + ## Larger than MAXIMUM_CACHE_STALENESS per pipeline user set values are + ## reduced to MAXIMUM_CACHE_STALENESS. + ## The administrator of the storage backend can rely on it to delete old cache + ## artifacts. + MAXIMUM_CACHE_STALENESS: "" + ## MAXIMUM_CACHE_STALENESS: "P30D" + ## DEFAULT_CACHE_STALENESS configures caching according to + ## https://www.kubeflow.org/docs/components/pipelines/overview/caching/ and + ## https://www.kubeflow.org/docs/components/pipelines/overview/caching-v2/. + ## This value is used if the user did not set a value in the pipeline. + DEFAULT_CACHE_STALENESS: "" + ## DEFAULT_CACHE_STALENESS: "P7D" ## ConMaxLifeTime will set the connection max lifetime for MySQL ## this is very important to setup when using external databases. ## See this issue for more details: https://github.com/kubeflow/pipelines/issues/5329 diff --git a/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/cluster-role.yaml b/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/cluster-role.yaml index b3053317b5..cf3b34a82f 100644 --- a/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/cluster-role.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/cluster-role.yaml @@ -19,3 +19,9 @@ rules: - get - list - watch +- apiGroups: + - '' + resources: + - namespaces + verbs: + - get \ No newline at end of file diff --git a/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/deployment-patch.yaml b/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/deployment-patch.yaml index 1e165def42..a5e7a9fc26 100644 
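Review bot: The comment block for `MAXIMUM_CACHE_STALENESS` in pipeline-install-config.yaml says the storage administrator can rely on it to delete old cache artifacts, but the shipped value is `""` and the text never says what an empty string means, so an operator cannot tell from the file whether any bound is enforced until the value is set. Stating it next to the key, `## Empty means no upper bound is enforced; set e.g. "P30D" before relying on it for cleanup.`, and the equivalent for `DEFAULT_CACHE_STALENESS`, removes the ambiguity. The actual handling of the empty value lives in the cache server, which is not part of this diff, so the wording should be confirmed against it.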
--- a/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/deployment-patch.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/deployment-patch.yaml @@ -7,7 +7,14 @@ spec: spec: containers: - name: ml-pipeline-persistenceagent + envFrom: + - configMapRef: + name: persistenceagent-config env: - name: NAMESPACE value: '' valueFrom: null + - name: KUBEFLOW_USERID_HEADER + value: kubeflow-userid + - name: KUBEFLOW_USERID_PREFIX + value: "" \ No newline at end of file diff --git a/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/kustomization.yaml b/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/kustomization.yaml index b1f65469e1..560e0fc893 100644 --- a/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/kustomization.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/kustomization.yaml @@ -3,3 +3,7 @@ kind: Kustomization resources: - cluster-role.yaml - cluster-role-binding.yaml +configMapGenerator: +- name: persistenceagent-config + envs: + - params.env \ No newline at end of file diff --git a/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/params.env b/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/params.env new file mode 100644 index 0000000000..4c3bab70f9 --- /dev/null +++ b/apps/pipeline/upstream/base/installs/multi-user/persistence-agent/params.env @@ -0,0 +1 @@ +MULTIUSER=true diff --git a/apps/pipeline/upstream/base/installs/multi-user/view-edit-cluster-roles.yaml b/apps/pipeline/upstream/base/installs/multi-user/view-edit-cluster-roles.yaml index 626e005a94..abb531ee5a 100644 --- a/apps/pipeline/upstream/base/installs/multi-user/view-edit-cluster-roles.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/view-edit-cluster-roles.yaml @@ -69,6 +69,8 @@ rules: - retry - terminate - unarchive + - reportMetrics + - readArtifact - apiGroups: - pipelines.kubeflow.org resources: 
@@ -111,11 +113,18 @@ rules: - pipelines - pipelines/versions - experiments - - runs - jobs verbs: - get - list +- apiGroups: + - pipelines.kubeflow.org + resources: + - runs + verbs: + - get + - list + - readArtifact - apiGroups: - kubeflow.org resources: diff --git a/apps/pipeline/upstream/base/metadata/base/kustomization.yaml b/apps/pipeline/upstream/base/metadata/base/kustomization.yaml index 7f57134927..34320a4144 100644 --- a/apps/pipeline/upstream/base/metadata/base/kustomization.yaml +++ b/apps/pipeline/upstream/base/metadata/base/kustomization.yaml @@ -9,4 +9,4 @@ resources: - metadata-grpc-sa.yaml images: - name: gcr.io/ml-pipeline/metadata-envoy - newTag: 2.0.0-alpha.3 + newTag: 2.0.0-alpha.6 diff --git a/apps/pipeline/upstream/base/pipeline/kustomization.yaml b/apps/pipeline/upstream/base/pipeline/kustomization.yaml index 38a66d0114..033b464c14 100644 --- a/apps/pipeline/upstream/base/pipeline/kustomization.yaml +++ b/apps/pipeline/upstream/base/pipeline/kustomization.yaml @@ -37,14 +37,14 @@ resources: - kfp-launcher-configmap.yaml images: - name: gcr.io/ml-pipeline/api-server - newTag: 2.0.0-alpha.3 + newTag: 2.0.0-alpha.6 - name: gcr.io/ml-pipeline/persistenceagent - newTag: 2.0.0-alpha.3 + newTag: 2.0.0-alpha.6 - name: gcr.io/ml-pipeline/scheduledworkflow - newTag: 2.0.0-alpha.3 + newTag: 2.0.0-alpha.6 - name: gcr.io/ml-pipeline/frontend - newTag: 2.0.0-alpha.3 + newTag: 2.0.0-alpha.6 - name: gcr.io/ml-pipeline/viewer-crd-controller - newTag: 2.0.0-alpha.3 + newTag: 2.0.0-alpha.6 - name: gcr.io/ml-pipeline/visualization-server - newTag: 2.0.0-alpha.3 + newTag: 2.0.0-alpha.6 diff --git a/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml b/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml index 4bbe387cfd..35ddb4d68d 100644 --- a/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml +++ b/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml 
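Review bot: The new `runs` rule in view-edit-cluster-roles.yaml grants the view aggregation `readArtifact`, so users who previously could only `get`/`list` run metadata can now download run outputs; that is plausibly intended, since artifacts are part of inspecting a run, but it is a scope increase for read-only users that neither the manifests nor the commit message call out. A one-line comment above the rule, `# readArtifact lets viewers download run outputs; keep in sync with the edit role above`, documents the decision for whoever audits the aggregated roles later. The edit-role counterpart was added in the earlier hunk of the same file.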
@@ -7,4 +7,4 @@ resources: - metadata-writer-sa.yaml images: - name: gcr.io/ml-pipeline/metadata-writer - newTag: 2.0.0-alpha.3 + newTag: 2.0.0-alpha.6 diff --git a/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml b/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml index bc5032e51a..74c19c9d79 100644 --- a/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml +++ b/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml @@ -25,6 +25,10 @@ spec: value: "86400" - name: NUM_WORKERS value: "2" + - name: KUBEFLOW_USERID_HEADER + value: kubeflow-userid + - name: KUBEFLOW_USERID_PREFIX + value: "" image: gcr.io/ml-pipeline/persistenceagent:dummy imagePullPolicy: IfNotPresent name: ml-pipeline-persistenceagent diff --git a/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml b/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml index 830ee8b14e..2a288092c1 100644 --- a/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml +++ b/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml @@ -18,4 +18,10 @@ rules: verbs: - get - list - - watch \ No newline at end of file + - watch +- apiGroups: + - '' + resources: + - namespaces + verbs: + - get \ No newline at end of file diff --git a/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml b/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml index 32d425c474..1a9e2d84cc 100644 --- a/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml +++ b/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: gcr.io/ml-pipeline/inverse-proxy-agent - newTag: 2.0.0-alpha.3 + newTag: 2.0.0-alpha.6 resources: - proxy-configmap.yaml - proxy-deployment.yaml 
diff --git a/apps/pipeline/upstream/third-party/mysql/base/mysql-deployment.yaml b/apps/pipeline/upstream/third-party/mysql/base/mysql-deployment.yaml index c56ba13105..d5592fd0c7 100644 --- a/apps/pipeline/upstream/third-party/mysql/base/mysql-deployment.yaml +++ b/apps/pipeline/upstream/third-party/mysql/base/mysql-deployment.yaml 
@@ -17,16 +17,35 @@ spec: spec: serviceAccountName: mysql containers: - # https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_ignore-db-dir - # Ext4, Btrfs etc. volumes root directories have a lost+found directory that should not be treated as a database. - args: - - --ignore-db-dir=lost+found + # https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_ignore-db-dir + # Ext4, Btrfs etc. volumes root directories have a lost+found directory that should not be treated as a database. + # ignore-db-dir option has been deprecated in mysql v5.7.16. + # + # If upgrading MySQL to v8.0 fails, try removing /var/lib/mysql/lost+found folder in + # mysql-pv-claim (mysql-persistent-storage): + # + # kubectl exec -it -n kubeflow -- bash + # rm -rf /var/lib/mysql/lost+found + # + # More details on upgrading MySQL can be found here: + # https://dev.mysql.com/doc/refman/8.0/en/upgrade-prerequisites.html + # https://dev.mysql.com/doc/refman/8.0/en/upgrade-docker-mysql.html - --datadir - /var/lib/mysql + # MLMD workloads (metadata-grpc-deployment and metadata-writer) depend on mysql_native_password authentication plugin. + # mysql_native_password plugin implements native authentication; that is, authentication based on the password + # hashing method in use from before the introduction of pluggable authentication in MySQL 8.0. + # + # As default_authentication_plugin option is deprecated in MySQL 8.0.27 this needs to be replaced with + # appropriate authentication_policy in the next upgrade. 
See more details: + # https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_authentication_plugin + # https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_authentication_policy + - --default-authentication-plugin=mysql_native_password env: - name: MYSQL_ALLOW_EMPTY_PASSWORD value: "true" - image: gcr.io/ml-pipeline/mysql:5.7-debian + image: gcr.io/ml-pipeline/mysql:8.0.26 name: mysql ports: - containerPort: 3306 From a114d5821f87e0ea43298885dfda7bfa23b108bf Mon Sep 17 00:00:00 2001 From: Thang Minh Vu <5120965+ittus@users.noreply.github.com> Date: Mon, 6 Feb 2023 16:17:00 +0900 Subject: [PATCH 25/74] feat: upgrade oidc-authservice (#2150) * feat: upgrade oidc-authservice * Update common/oidc-authservice/base/params.env --- common/dex/base/config-map.yaml | 2 +- .../oidc-authservice/base/kustomization.yaml | 1 + common/oidc-authservice/base/params.env | 4 +-- common/oidc-authservice/base/rbac.yaml | 30 +++++++++++++++++++ common/oidc-authservice/base/statefulset.yaml | 3 +- 5 files changed, 36 insertions(+), 4 deletions(-) create mode 100644 common/oidc-authservice/base/rbac.yaml diff --git a/common/dex/base/config-map.yaml b/common/dex/base/config-map.yaml index 5d5d4e25f8..e2cf9edac8 100644 --- a/common/dex/base/config-map.yaml +++ b/common/dex/base/config-map.yaml @@ -27,6 +27,6 @@ data: staticClients: # https://github.com/dexidp/dex/pull/1664 - idEnv: OIDC_CLIENT_ID - redirectURIs: ["/login/oidc"] + redirectURIs: ["/authservice/oidc/callback"] name: 'Dex Login Application' secretEnv: OIDC_CLIENT_SECRET diff --git a/common/oidc-authservice/base/kustomization.yaml b/common/oidc-authservice/base/kustomization.yaml index ccae0f0688..a9ca90612a 100644 --- a/common/oidc-authservice/base/kustomization.yaml +++ b/common/oidc-authservice/base/kustomization.yaml @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: +- rbac.yaml - service.yaml - statefulset.yaml - envoy-filter.yaml 
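Review bot: The MySQL 8.0.26 upgrade in mysql-deployment.yaml keeps `MYSQL_ALLOW_EMPTY_PASSWORD: "true"` (the context lines just above the image change) and selects `mysql_native_password` by default, so the pipelines database still accepts root with no password from anything that can reach port 3306, now with the pre-8.0 hashing scheme that the added comment itself describes as legacy. The version bump is the natural point to stop that: replace the env entry with `- name: MYSQL_ROOT_PASSWORD` / `valueFrom: {secretKeyRef: ...}` pointing at a Secret produced by the kustomization, and have the api-server, metadata-grpc and metadata-writer workloads consume the same Secret (those are outside this diff). If the manifests must stay identical to upstream, the comment should at least say that the empty password is intentional and that access to the mysql pod is expected to be restricted by network policy.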
diff --git a/common/oidc-authservice/base/params.env b/common/oidc-authservice/base/params.env index f41839b8ba..81b5f88fae 100644 --- a/common/oidc-authservice/base/params.env +++ b/common/oidc-authservice/base/params.env @@ -1,8 +1,8 @@ OIDC_PROVIDER=http://dex.auth.svc.cluster.local:5556/dex OIDC_AUTH_URL=/dex/auth OIDC_SCOPES=profile email groups -REDIRECT_URL=/login/oidc -SKIP_AUTH_URI=/dex +AUTHSERVICE_URL_PREFIX=/authservice/ +SKIP_AUTH_URLS=/dex USERID_HEADER=kubeflow-userid USERID_PREFIX= USERID_CLAIM=email diff --git a/common/oidc-authservice/base/rbac.yaml b/common/oidc-authservice/base/rbac.yaml new file mode 100644 index 0000000000..8399498c1c --- /dev/null +++ b/common/oidc-authservice/base/rbac.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: authservice + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: authn-delegator +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: authn-delegators +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: authn-delegator +subjects: + - kind: ServiceAccount + name: authservice diff --git a/common/oidc-authservice/base/statefulset.yaml b/common/oidc-authservice/base/statefulset.yaml index 385de6e1fc..af106d9955 100644 --- a/common/oidc-authservice/base/statefulset.yaml +++ b/common/oidc-authservice/base/statefulset.yaml @@ -15,9 +15,10 @@ spec: labels: app: authservice spec: + serviceAccountName: authservice containers: - name: authservice - image: gcr.io/arrikto/kubeflow/oidc-authservice:6ac9400 + image: gcr.io/arrikto/kubeflow/oidc-authservice:e236439 imagePullPolicy: Always ports: - name: http-api From c7e301d8baa4e1e8d0b318fb635ed56ff6f32822 Mon Sep 17 00:00:00 2001 
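Review bot: In rbac.yaml the ClusterRoleBinding subject `kind: ServiceAccount, name: authservice` has no `namespace`; the API server requires a namespace for ServiceAccount subjects, so the object is only valid if the enclosing kustomization's namespace transformer fills it in, and that kustomization.yaml is not in this diff, so I cannot confirm it does. An explicit `namespace:` on the subject, matching where the StatefulSet is deployed, removes the dependency on the transformer and makes the cluster-wide `tokenreviews/create` grant self-describing for anyone auditing bindings. The grant itself is the minimum an authentication delegator needs, which is appropriate.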
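Review bot: The image bump in statefulset.yaml moves to `gcr.io/arrikto/kubeflow/oidc-authservice:e236439`, a short commit-hash tag that is mutable in the registry, and keeps `imagePullPolicy: Always`, so every restart of the component that gates all Kubeflow logins re-resolves whatever that tag points to at the moment. For the one workload on the authentication path, pin by digest, `image: gcr.io/arrikto/kubeflow/oidc-authservice:e236439@sha256:<digest from the registry>`, so a rebuilt or replaced tag cannot change what runs without a manifest change. The rest of the StatefulSet spec continues outside the hunk.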
From: Dominik Fleischmann Date: Mon, 30 Jan 2023 12:10:24 +0100 Subject: [PATCH 26/74] Update kubeflow/katib manifests from v0.15.0-rc.0 --- .../components/controller/controller.yaml | 11 +++ .../components/controller/katib-config.yaml | 30 ++++---- .../upstream/components/controller/rbac.yaml | 77 +++++++++++++++---- .../components/controller/service.yaml | 3 + .../controller/trial-templates.yaml | 8 +- .../components/postgres/kustomization.yaml | 9 +++ .../components/postgres/postgres.yaml | 42 ++++++++++ .../upstream/components/postgres/pvc.yaml | 12 +++ .../upstream/components/postgres/secret.yaml | 10 +++ .../upstream/components/postgres/service.yaml | 16 ++++ apps/katib/upstream/components/ui/rbac.yaml | 12 +++ .../katib-cert-manager/kustomization.yaml | 6 +- .../katib-external-db/kustomization.yaml | 8 +- .../katib-openshift/kustomization.yaml | 6 +- .../kustomization.yaml | 41 ++++++++++ .../patches/db-manager.yaml | 8 ++ .../katib-standalone/kustomization.yaml | 8 +- .../istio-authorizationpolicy.yaml | 15 ++++ .../kubeflow-katib-roles.yaml | 12 +++ .../katib-with-kubeflow/kustomization.yaml | 28 ++++++- .../patches/enable-ui-authz-checks.yaml | 6 ++ .../patches/istio-sidecar-injection.yaml | 10 +++ .../katib-with-kubeflow/patches/ui-rbac.yaml | 7 ++ 23 files changed, 335 insertions(+), 50 deletions(-) create mode 100644 apps/katib/upstream/components/postgres/kustomization.yaml create mode 100644 apps/katib/upstream/components/postgres/postgres.yaml create mode 100644 apps/katib/upstream/components/postgres/pvc.yaml create mode 100644 apps/katib/upstream/components/postgres/secret.yaml create mode 100644 apps/katib/upstream/components/postgres/service.yaml create mode 100644 apps/katib/upstream/installs/katib-standalone-postgres/kustomization.yaml create mode 100644 apps/katib/upstream/installs/katib-standalone-postgres/patches/db-manager.yaml create mode 100644 apps/katib/upstream/installs/katib-with-kubeflow/istio-authorizationpolicy.yaml create mode 
100644 apps/katib/upstream/installs/katib-with-kubeflow/patches/enable-ui-authz-checks.yaml create mode 100644 apps/katib/upstream/installs/katib-with-kubeflow/patches/istio-sidecar-injection.yaml create mode 100644 apps/katib/upstream/installs/katib-with-kubeflow/patches/ui-rbac.yaml diff --git a/apps/katib/upstream/components/controller/controller.yaml b/apps/katib/upstream/components/controller/controller.yaml index 8d18c9c3b6..51487d1631 100644 --- a/apps/katib/upstream/components/controller/controller.yaml +++ b/apps/katib/upstream/components/controller/controller.yaml @@ -40,6 +40,17 @@ spec: - containerPort: 8080 name: metrics protocol: TCP + - containerPort: 18080 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + livenessProbe: + httpGet: + path: /healthz + port: healthz env: - name: KATIB_CORE_NAMESPACE valueFrom: diff --git a/apps/katib/upstream/components/controller/katib-config.yaml b/apps/katib/upstream/components/controller/katib-config.yaml index 786514f0ba..7fa27c9625 100644 --- a/apps/katib/upstream/components/controller/katib-config.yaml +++ b/apps/katib/upstream/components/controller/katib-config.yaml @@ -8,13 +8,13 @@ data: metrics-collector-sidecar: |- { "StdOut": { - "image": "docker.io/kubeflowkatib/file-metrics-collector:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/file-metrics-collector:v0.15.0-rc.0" }, "File": { - "image": "docker.io/kubeflowkatib/file-metrics-collector:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/file-metrics-collector:v0.15.0-rc.0" }, "TensorFlowEvent": { - "image": "docker.io/kubeflowkatib/tfevent-metrics-collector:v0.14.0-rc.0", + "image": "docker.io/kubeflowkatib/tfevent-metrics-collector:v0.15.0-rc.0", "resources": { "limits": { "memory": "1Gi" 
@@ -25,31 +25,31 @@ data: suggestion: |- { "random": { - "image": "docker.io/kubeflowkatib/suggestion-hyperopt:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/suggestion-hyperopt:v0.15.0-rc.0" }, "tpe": { - "image": "docker.io/kubeflowkatib/suggestion-hyperopt:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/suggestion-hyperopt:v0.15.0-rc.0" }, "grid": { - "image": "docker.io/kubeflowkatib/suggestion-chocolate:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/suggestion-optuna:v0.15.0-rc.0" }, "hyperband": { - "image": "docker.io/kubeflowkatib/suggestion-hyperband:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/suggestion-hyperband:v0.15.0-rc.0" }, "bayesianoptimization": { - "image": "docker.io/kubeflowkatib/suggestion-skopt:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/suggestion-skopt:v0.15.0-rc.0" }, "cmaes": { - "image": "docker.io/kubeflowkatib/suggestion-goptuna:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/suggestion-goptuna:v0.15.0-rc.0" }, "sobol": { - "image": "docker.io/kubeflowkatib/suggestion-goptuna:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/suggestion-goptuna:v0.15.0-rc.0" }, "multivariate-tpe": { - "image": "docker.io/kubeflowkatib/suggestion-optuna:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/suggestion-optuna:v0.15.0-rc.0" }, "enas": { - "image": "docker.io/kubeflowkatib/suggestion-enas:v0.14.0-rc.0", + "image": "docker.io/kubeflowkatib/suggestion-enas:v0.15.0-rc.0", "resources": { "limits": { "memory": "200Mi" @@ -57,10 +57,10 @@ data: } }, "darts": { - "image": "docker.io/kubeflowkatib/suggestion-darts:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/suggestion-darts:v0.15.0-rc.0" }, "pbt": { - "image": "docker.io/kubeflowkatib/suggestion-pbt:v0.14.0-rc.0", + "image": "docker.io/kubeflowkatib/suggestion-pbt:v0.15.0-rc.0", "persistentVolumeClaimSpec": { "accessModes": [ "ReadWriteMany" 
@@ -76,6 +76,6 @@ data: early-stopping: |- { "medianstop": { - "image": "docker.io/kubeflowkatib/earlystopping-medianstop:v0.14.0-rc.0" + "image": "docker.io/kubeflowkatib/earlystopping-medianstop:v0.15.0-rc.0" } } diff --git a/apps/katib/upstream/components/controller/rbac.yaml b/apps/katib/upstream/components/controller/rbac.yaml index f6adc65b17..68db66b558 100644 --- a/apps/katib/upstream/components/controller/rbac.yaml +++ b/apps/katib/upstream/components/controller/rbac.yaml @@ -7,39 +7,93 @@ rules: - apiGroups: - "" resources: - - configmaps - - serviceaccounts - services + verbs: + - "get" + - "list" + - "watch" + - "create" + - "delete" + - apiGroups: + - "" + resources: - events - - namespaces + verbs: + - "create" + - "patch" + - "update" + - apiGroups: + - "" + resources: + - serviceaccounts - persistentvolumes - persistentvolumeclaims + verbs: + - "get" + - "list" + - "watch" + - "create" + - apiGroups: + - "" + resources: + - namespaces + - configmaps + verbs: + - "get" + - "list" + - "watch" + - apiGroups: + - "" + resources: - pods - - pods/log - pods/status - - secrets verbs: - - "*" + - "get" - apiGroups: - apps resources: - deployments verbs: - - "*" + - "get" + - "list" + - "watch" + - "create" + - "delete" - apiGroups: - rbac.authorization.k8s.io resources: - roles - rolebindings verbs: - - "*" + - "get" + - "create" + - "list" + - "watch" - apiGroups: - batch resources: - jobs - cronjobs verbs: - - "*" + - "get" + - "list" + - "watch" + - "create" + - "delete" + - apiGroups: + - kubeflow.org + resources: + - tfjobs + - pytorchjobs + - mpijobs + - xgboostjobs + - mxjobs + verbs: + - "get" + - "list" + - "watch" + - "create" + - "delete" - apiGroups: - kubeflow.org resources: @@ -52,11 +106,6 @@ rules: - suggestions - suggestions/status - suggestions/finalizers - - tfjobs - - pytorchjobs - - mpijobs - - xgboostjobs - - mxjobs verbs: - "*" --- 
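Review bot: The tightened katib-controller ClusterRole still grants `create` on cluster-scoped `persistentvolumes` (the serviceaccounts/persistentvolumes/persistentvolumeclaims rule in the first rbac hunk), which lets the controller define any PersistentVolume source, not just claims; the `persistentVolumeClaimSpec` on the PBT suggestion in katib-config suggests PVCs are what is actually needed, so confirm whether PV creation is required at all when a dynamic provisioner serves the claims. If it is required, a comment on the rule naming the code path would stop the next tightening pass from guessing, e.g. `# persistentvolumes: created only for <code path> — drop if dynamic provisioning is available`. `update`/`patch` were also dropped from every core and apps/batch resource in this hunk while `"*"` remains on the kubeflow.org CRDs; if the v0.15.0 controller patches Deployments or Jobs it owns (finalizers, labels), those calls are now denied, which is worth checking against the controller's client code since it is outside this diff.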
diff --git a/apps/katib/upstream/components/controller/service.yaml b/apps/katib/upstream/components/controller/service.yaml index c10a9df286..f78374792a 100644 --- a/apps/katib/upstream/components/controller/service.yaml +++ b/apps/katib/upstream/components/controller/service.yaml @@ -19,5 +19,8 @@ spec: - name: metrics port: 8080 targetPort: 8080 + - name: healthz + port: 18080 + targetPort: 18080 selector: katib.kubeflow.org/component: controller diff --git a/apps/katib/upstream/components/controller/trial-templates.yaml b/apps/katib/upstream/components/controller/trial-templates.yaml index d7a4820d2d..4d290054cd 100644 --- a/apps/katib/upstream/components/controller/trial-templates.yaml +++ b/apps/katib/upstream/components/controller/trial-templates.yaml @@ -15,7 +15,7 @@ data: spec: containers: - name: training-container - image: docker.io/kubeflowkatib/mxnet-mnist:v0.14.0-rc.0 + image: docker.io/kubeflowkatib/mxnet-mnist:v0.15.0-rc.0 command: - "python3" - "/opt/mxnet-mnist/mnist.py" @@ -33,7 +33,7 @@ data: spec: containers: - name: training-container - image: docker.io/kubeflowkatib/enas-cnn-cifar10-cpu:v0.14.0-rc.0 + image: docker.io/kubeflowkatib/enas-cnn-cifar10-cpu:v0.15.0-rc.0 command: - python3 - -u @@ -54,7 +54,7 @@ data: spec: containers: - name: pytorch - image: docker.io/kubeflowkatib/pytorch-mnist:v0.14.0-rc.0 + image: docker.io/kubeflowkatib/pytorch-mnist-cpu:v0.15.0-rc.0 command: - "python3" - "/opt/pytorch-mnist/mnist.py" @@ -68,7 +68,7 @@ data: spec: containers: - name: pytorch - image: docker.io/kubeflowkatib/pytorch-mnist:v0.14.0-rc.0 + image: docker.io/kubeflowkatib/pytorch-mnist-cpu:v0.15.0-rc.0 command: - "python3" - "/opt/pytorch-mnist/mnist.py" diff --git a/apps/katib/upstream/components/postgres/kustomization.yaml b/apps/katib/upstream/components/postgres/kustomization.yaml new file mode 100644 index 0000000000..0d18841b32 --- /dev/null +++ b/apps/katib/upstream/components/postgres/kustomization.yaml 
@@ -0,0 +1,9 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - postgres.yaml + - pvc.yaml + - secret.yaml + - service.yaml diff --git a/apps/katib/upstream/components/postgres/postgres.yaml b/apps/katib/upstream/components/postgres/postgres.yaml new file mode 100644 index 0000000000..0d94d7b7e1 --- /dev/null +++ b/apps/katib/upstream/components/postgres/postgres.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: katib-postgres + namespace: kubeflow + labels: + katib.kubeflow.org/component: postgres +spec: + replicas: 1 + selector: + matchLabels: + katib.kubeflow.org/component: postgres + strategy: + type: Recreate + template: + metadata: + labels: + katib.kubeflow.org/component: postgres + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: katib-postgres + image: postgres:14.5-alpine + envFrom: + - secretRef: + name: katib-postgres-secrets + env: + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + ports: + - name: postgres + containerPort: 5432 + protocol: TCP + volumeMounts: + - name: katib-postgres + mountPath: /var/lib/postgresql/data + volumes: + - name: katib-postgres + persistentVolumeClaim: + claimName: katib-postgres diff --git a/apps/katib/upstream/components/postgres/pvc.yaml b/apps/katib/upstream/components/postgres/pvc.yaml new file mode 100644 index 0000000000..d3e45a763b --- /dev/null +++ b/apps/katib/upstream/components/postgres/pvc.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: katib-postgres + namespace: kubeflow +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 3Gi diff --git a/apps/katib/upstream/components/postgres/secret.yaml b/apps/katib/upstream/components/postgres/secret.yaml new file mode 100644 index 0000000000..184df5a4e8 --- /dev/null +++ b/apps/katib/upstream/components/postgres/secret.yaml 
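Review bot: The new `katib-postgres` Deployment runs the database container with no `securityContext`, no resource requests or limits and no readiness probe, so it starts with whatever user the image entrypoint picks (root, until the entrypoint drops privileges), is unbounded on the node, and is selected by the `katib-postgres` Service before the server accepts connections. A pod-level non-root user plus `fsGroup` for the PVC, dropped capabilities and a `pg_isready` probe are the minimum; the uid and whether the entrypoint still needs to chown `PGDATA` depend on the `postgres:14.5-alpine` image and should be confirmed, as should the resource figures, which I leave out below. Pinning the image by digest rather than the mutable `14.5-alpine` tag would also make the vendored manifest reproducible.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 70   # presumably the postgres user in the alpine image — confirm against the tag in use
        fsGroup: 70     # so the PVC mount is writable without a root chown in the entrypoint — verify
      containers:
        - name: katib-postgres
          image: postgres:14.5-alpine
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          readinessProbe:
            exec:
              command: ["pg_isready", "-U", "katib"]
          # … unchanged: envFrom, env (PGDATA), ports, volumeMounts …
      # … unchanged: volumes …
```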
@@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: katib-postgres-secrets +data: + POSTGRES_USER: a2F0aWI= # katib + POSTGRES_PASSWORD: a2F0aWI= # katib + POSTGRES_DB: a2F0aWI= # katib diff --git a/apps/katib/upstream/components/postgres/service.yaml b/apps/katib/upstream/components/postgres/service.yaml new file mode 100644 index 0000000000..b95d5fcc7f --- /dev/null +++ b/apps/katib/upstream/components/postgres/service.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: katib-postgres + namespace: kubeflow + labels: + katib.kubeflow.org/component: postgres +spec: + type: ClusterIP + ports: + - port: 5432 + protocol: TCP + name: dbapi + selector: + katib.kubeflow.org/component: postgres diff --git a/apps/katib/upstream/components/ui/rbac.yaml b/apps/katib/upstream/components/ui/rbac.yaml index c549bf351d..85798dc2d2 100644 --- a/apps/katib/upstream/components/ui/rbac.yaml +++ b/apps/katib/upstream/components/ui/rbac.yaml @@ -19,6 +19,18 @@ rules: - suggestions verbs: - "*" + - apiGroups: + - "" + resources: + - pods + verbs: + - list + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get --- apiVersion: v1 kind: ServiceAccount diff --git a/apps/katib/upstream/installs/katib-cert-manager/kustomization.yaml b/apps/katib/upstream/installs/katib-cert-manager/kustomization.yaml index b5cf0d2470..32b8cb230a 100644 --- a/apps/katib/upstream/installs/katib-cert-manager/kustomization.yaml +++ b/apps/katib/upstream/installs/katib-cert-manager/kustomization.yaml 
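Review bot: `katib-postgres-secrets` ships a fixed, well-known credential in the manifest (`POSTGRES_PASSWORD: a2F0aWI=`, i.e. `katib`), and the Service hunk on this line exposes port 5432 as a ClusterIP to every pod in the cluster while the postgres pod opts out of the Istio sidecar (`sidecar.istio.io/inject: "false"` in the previous hunk), so nothing in the mesh limits who can open a connection with that password. A generated credential — kustomize `secretGenerator` fed from a local file, or an external secrets operator — is the right fix; at minimum the file should say so, e.g. `# Development default — override POSTGRES_PASSWORD before any shared deployment; katib-db-manager must be given the same value`. The Secret also omits `metadata.namespace` and relies on the overlay's `namespace: kubeflow`, which works inside the standalone-postgres kustomization but lands in whatever namespace a reusing overlay sets; a NetworkPolicy restricting 5432 to the db-manager pod would close the reachability half regardless of the credential.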
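Review bot: The `katib-ui` role gains cluster-wide `pods` list and `pods/log` get, so the UI backend's service account can read the logs of any pod in any namespace, not only trial pods; in the katib-with-kubeflow overlay this is gated by the SubjectAccessReview check that this commit enables via `APP_DISABLE_AUTH: "false"`, but the standalone, cert-manager, external-db and openshift installs receive the same role with no per-user authz as far as this diff shows, and trial logs routinely echo hyperparameters and whatever the training container prints. If the UI only needs logs of trial pods, a comment on the rule stating that and the label selector used to find them would help, e.g. `# pods/log: used by the trial-logs endpoint; reads are scoped to the user's namespace only when APP_DISABLE_AUTH=false`. Whether the log endpoint itself refuses requests when authz is disabled is something the UI code would have to show; it is not in this diff.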
@@ -22,13 +22,13 @@ resources: images: - name: docker.io/kubeflowkatib/katib-controller newName: docker.io/kubeflowkatib/katib-controller - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/katib-db-manager newName: docker.io/kubeflowkatib/katib-db-manager - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/katib-ui newName: docker.io/kubeflowkatib/katib-ui - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 patchesStrategicMerge: - patches/katib-cert-injection.yaml diff --git a/apps/katib/upstream/installs/katib-external-db/kustomization.yaml b/apps/katib/upstream/installs/katib-external-db/kustomization.yaml index 43644ff60a..9b56980fc9 100644 --- a/apps/katib/upstream/installs/katib-external-db/kustomization.yaml +++ b/apps/katib/upstream/installs/katib-external-db/kustomization.yaml @@ -20,16 +20,16 @@ resources: images: - name: docker.io/kubeflowkatib/katib-controller newName: docker.io/kubeflowkatib/katib-controller - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/katib-db-manager newName: docker.io/kubeflowkatib/katib-db-manager - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/katib-ui newName: docker.io/kubeflowkatib/katib-ui - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/cert-generator newName: docker.io/kubeflowkatib/cert-generator - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 patchesStrategicMerge: - patches/db-manager.yaml # Modify katib-mysql-secrets with parameters for the DB. diff --git a/apps/katib/upstream/installs/katib-openshift/kustomization.yaml b/apps/katib/upstream/installs/katib-openshift/kustomization.yaml index fd913980d4..9013131c32 100644 --- a/apps/katib/upstream/installs/katib-openshift/kustomization.yaml +++ b/apps/katib/upstream/installs/katib-openshift/kustomization.yaml 
@@ -30,13 +30,13 @@ resources: images: - name: docker.io/kubeflowkatib/katib-controller newName: docker.io/kubeflowkatib/katib-controller - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/katib-db-manager newName: docker.io/kubeflowkatib/katib-db-manager - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/katib-ui newName: docker.io/kubeflowkatib/katib-ui - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 patchesJson6902: # Annotate Service to delegate TLS-secret generation to OpenShift service controller diff --git a/apps/katib/upstream/installs/katib-standalone-postgres/kustomization.yaml b/apps/katib/upstream/installs/katib-standalone-postgres/kustomization.yaml new file mode 100644 index 0000000000..5aeeeb6776 --- /dev/null +++ b/apps/katib/upstream/installs/katib-standalone-postgres/kustomization.yaml 
@@ -0,0 +1,41 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: + # Namespace. + - ../../components/namespace/ + # Katib controller. + - ../../components/controller/ + # Katib CRDs. + - ../../components/crd/ + # Katib DB manager. + - ../../components/db-manager/ + # Katib DB postgres. + - ../../components/postgres/ + # Katib UI. + - ../../components/ui/ + # Katib Cert Generator + - ../../components/cert-generator/ + # Katib webhooks. + - ../../components/webhook/ +images: + - name: docker.io/kubeflowkatib/katib-controller + newName: docker.io/kubeflowkatib/katib-controller + newTag: v0.15.0-rc.0 + - name: docker.io/kubeflowkatib/katib-db-manager + newName: docker.io/kubeflowkatib/katib-db-manager + newTag: v0.15.0-rc.0 + - name: docker.io/kubeflowkatib/katib-ui + newName: docker.io/kubeflowkatib/katib-ui + newTag: v0.15.0-rc.0 + - name: docker.io/kubeflowkatib/cert-generator + newName: docker.io/kubeflowkatib/cert-generator + newTag: v0.15.0-rc.0 +patchesJson6902: + - target: + group: apps + version: v1 + kind: Deployment + name: katib-db-manager + path: ./patches/db-manager.yaml diff --git a/apps/katib/upstream/installs/katib-standalone-postgres/patches/db-manager.yaml b/apps/katib/upstream/installs/katib-standalone-postgres/patches/db-manager.yaml new file mode 100644 index 0000000000..1077f91b0e --- /dev/null +++ b/apps/katib/upstream/installs/katib-standalone-postgres/patches/db-manager.yaml @@ -0,0 +1,8 @@ +--- +- op: replace + path: /spec/template/spec/containers/0/env + value: + - name: DB_NAME + value: "postgres" + - name: DB_PASSWORD + value: "katib" diff --git a/apps/katib/upstream/installs/katib-standalone/kustomization.yaml b/apps/katib/upstream/installs/katib-standalone/kustomization.yaml index 6ec2269afe..147df4d163 100644 --- a/apps/katib/upstream/installs/katib-standalone/kustomization.yaml +++ b/apps/katib/upstream/installs/katib-standalone/kustomization.yaml 
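Review bot: `patches/db-manager.yaml` puts the database password into the Deployment as a plain `value: "katib"` instead of a `valueFrom.secretKeyRef` into `katib-postgres-secrets`, so the credential is duplicated in a second file, readable by anyone with `get deployments`, and will drift the moment the Secret is rotated. The `op: replace` on `/spec/template/spec/containers/0/env` also discards every env entry the base db-manager Deployment defines (that file is outside this diff), so any host, port or MySQL settings there are silently dropped rather than overridden. Suggested replacement for the password entry: `- name: DB_PASSWORD` / `valueFrom: {secretKeyRef: {name: katib-postgres-secrets, key: POSTGRES_PASSWORD}}`, and prefer one `add` per variable, or a strategic-merge patch, over replacing the whole list.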
@@ -22,13 +22,13 @@ resources: images: - name: docker.io/kubeflowkatib/katib-controller newName: docker.io/kubeflowkatib/katib-controller - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/katib-db-manager newName: docker.io/kubeflowkatib/katib-db-manager - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/katib-ui newName: docker.io/kubeflowkatib/katib-ui - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/cert-generator newName: docker.io/kubeflowkatib/cert-generator - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 diff --git a/apps/katib/upstream/installs/katib-with-kubeflow/istio-authorizationpolicy.yaml b/apps/katib/upstream/installs/katib-with-kubeflow/istio-authorizationpolicy.yaml new file mode 100644 index 0000000000..dd3dbea64f --- /dev/null +++ b/apps/katib/upstream/installs/katib-with-kubeflow/istio-authorizationpolicy.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: katib-ui + namespace: kubeflow +spec: + action: ALLOW + selector: + matchLabels: + katib.kubeflow.org/component: ui + rules: + - from: + - source: + principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"] diff --git a/apps/katib/upstream/installs/katib-with-kubeflow/kubeflow-katib-roles.yaml b/apps/katib/upstream/installs/katib-with-kubeflow/kubeflow-katib-roles.yaml index 6394146705..57b0fbaf31 100644 --- a/apps/katib/upstream/installs/katib-with-kubeflow/kubeflow-katib-roles.yaml +++ b/apps/katib/upstream/installs/katib-with-kubeflow/kubeflow-katib-roles.yaml @@ -34,6 +34,18 @@ rules: - deletecollection - patch - update + - apiGroups: + - "" + resources: + - pods + verbs: + - list + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
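Review bot: The ALLOW-only AuthorizationPolicy on `katib-ui` is enforced only when the pod carries an Istio sidecar, which here comes from the separate `istio-sidecar-injection` patch in the kubeflow overlay; if that patch is dropped or injection is disabled for the namespace, the policy has no enforcement point and the UI becomes directly reachable from any in-cluster pod, bypassing the gateway's authentication. The principal `cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account` is also hardcoded, so clusters whose gateway runs under a different service account get a blanket 403 with nothing in the manifest explaining why. A header comment stating both dependencies would help: `# Effective only with the sidecar injected into katib-ui (see patches/istio-sidecar-injection.yaml); the principal must match this cluster's ingress gateway service account`.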
diff --git a/apps/katib/upstream/installs/katib-with-kubeflow/kustomization.yaml b/apps/katib/upstream/installs/katib-with-kubeflow/kustomization.yaml index f10c361565..a77a3b3649 100644 --- a/apps/katib/upstream/installs/katib-with-kubeflow/kustomization.yaml +++ b/apps/katib/upstream/installs/katib-with-kubeflow/kustomization.yaml @@ -7,20 +7,42 @@ resources: # Kubeflow Katib components. - kubeflow-katib-roles.yaml - ui-virtual-service.yaml + - istio-authorizationpolicy.yaml images: - name: docker.io/kubeflowkatib/katib-controller newName: docker.io/kubeflowkatib/katib-controller - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/katib-db-manager newName: docker.io/kubeflowkatib/katib-db-manager - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 - name: docker.io/kubeflowkatib/katib-ui newName: docker.io/kubeflowkatib/katib-ui - newTag: v0.14.0-rc.0 + newTag: v0.15.0-rc.0 patchesStrategicMerge: - patches/remove-namespace.yaml +patches: + # Extend RBAC permission list of katib-ui so it can + # create SubjectAccessReview resources. + - target: + kind: ClusterRole + name: katib-ui + group: rbac.authorization.k8s.io + version: v1 + path: patches/ui-rbac.yaml + # Enable RBAC authz checks in UI's backend. + - target: + version: v1 + kind: Deployment + name: katib-ui + path: patches/enable-ui-authz-checks.yaml + # Allow istio sidecar injection in katib-UI Pod. + - target: + kind: Deployment + name: katib-ui + path: patches/istio-sidecar-injection.yaml + vars: - fieldref: fieldPath: metadata.namespace diff --git a/apps/katib/upstream/installs/katib-with-kubeflow/patches/enable-ui-authz-checks.yaml b/apps/katib/upstream/installs/katib-with-kubeflow/patches/enable-ui-authz-checks.yaml new file mode 100644 index 0000000000..70fa1399a4 --- /dev/null +++ b/apps/katib/upstream/installs/katib-with-kubeflow/patches/enable-ui-authz-checks.yaml 
@@ -0,0 +1,6 @@ +--- +- op: add + path: /spec/template/spec/containers/0/env/- + value: + name: APP_DISABLE_AUTH + value: "false" diff --git a/apps/katib/upstream/installs/katib-with-kubeflow/patches/istio-sidecar-injection.yaml b/apps/katib/upstream/installs/katib-with-kubeflow/patches/istio-sidecar-injection.yaml new file mode 100644 index 0000000000..b8a98cf7e8 --- /dev/null +++ b/apps/katib/upstream/installs/katib-with-kubeflow/patches/istio-sidecar-injection.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "katib-ui" +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "true" diff --git a/apps/katib/upstream/installs/katib-with-kubeflow/patches/ui-rbac.yaml b/apps/katib/upstream/installs/katib-with-kubeflow/patches/ui-rbac.yaml new file mode 100644 index 0000000000..9ef137832c --- /dev/null +++ b/apps/katib/upstream/installs/katib-with-kubeflow/patches/ui-rbac.yaml @@ -0,0 +1,7 @@ +--- +- op: add + path: /rules/- + value: + apiGroups: [authorization.k8s.io] + resources: [subjectaccessreviews] + verbs: [create] From f7dcb1c6df5f0c07d44e319b9d31399cad804c1b Mon Sep 17 00:00:00 2001 From: Andrews Arokiam <87992092+andyi2it@users.noreply.github.com> Date: Tue, 7 Feb 2023 14:17:31 +0530 Subject: [PATCH 27/74] Kserve documents and Tests - issue# 2311 (#2355) * Add README.md Signed-off-by: Andrews Arokiam * Add UPGRADE.md, makefile Signed-off-by: Andrews Arokiam * Add support for upgrading models web app, add tests and update docs Signed-off-by: Andrews Arokiam * Improve ci/cd workflow test Signed-off-by: Andrews Arokiam * fix makefile, readme, and upgrade.md Signed-off-by: Andrews Arokiam * Add notes to readme Signed-off-by: Andrews Arokiam * Update leader election name to have kserve reference * Remove cluster local gateway Signed-off-by: Andrews Arokiam * Update manifests to kserve 0.10 Signed-off-by: Andrews Arokiam * Add istio cluster-local-gateway and remove knative gateway 
Signed-off-by: Andrews Arokiam * Try fixing issue with knative installation Most likely a separate PR? Signed-off-by: Andrews Arokiam * Update docs * Add port forwarding Signed-off-by: Andrews Arokiam * Changed models web app name in conditional wait Signed-off-by: Andrews Arokiam --------- Signed-off-by: Andrews Arokiam --- .github/workflows/kserve_kind_test.yaml | 63 +- contrib/kserve/Makefile | 56 + contrib/kserve/README.md | 121 + contrib/kserve/UPGRADE.md | 68 + contrib/kserve/assets/kserve.png | Bin 0 -> 472792 bytes contrib/kserve/kserve/kserve-runtimes.yaml | 83 +- contrib/kserve/kserve/kserve.yaml | 14579 ++++++--- contrib/kserve/kserve/kserve_kubeflow.yaml | 30432 +++++++++++-------- contrib/kserve/kserve/kustomization.yaml | 5 +- contrib/kserve/tests/data/iris_input.json | 6 + contrib/kserve/tests/requirements.txt | 4 + contrib/kserve/tests/test_sklearn.py | 58 + contrib/kserve/tests/utils.py | 89 + tests/gh-actions/install_knative.sh | 12 +- tests/gh-actions/install_kserve.sh | 1 - 15 files changed, 27741 insertions(+), 17836 deletions(-) create mode 100644 contrib/kserve/Makefile create mode 100644 contrib/kserve/README.md create mode 100644 contrib/kserve/UPGRADE.md create mode 100644 contrib/kserve/assets/kserve.png create mode 100644 contrib/kserve/tests/data/iris_input.json create mode 100644 contrib/kserve/tests/requirements.txt create mode 100644 contrib/kserve/tests/test_sklearn.py create mode 100644 contrib/kserve/tests/utils.py diff --git a/.github/workflows/kserve_kind_test.yaml b/.github/workflows/kserve_kind_test.yaml index 4467000a99..9360208829 100644 --- a/.github/workflows/kserve_kind_test.yaml +++ b/.github/workflows/kserve_kind_test.yaml 
@@ -9,29 +9,54 @@ jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v3 + - name: Checkout + uses: actions/checkout@v3 - - name: Install KinD - run: ./tests/gh-actions/install_kind.sh + - name: Install KinD + run: ./tests/gh-actions/install_kind.sh - - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster.yaml + - name: Create KinD Cluster + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - - name: Install kustomize - run: ./tests/gh-actions/install_kustomize.sh + - name: Install kustomize + run: ./tests/gh-actions/install_kustomize.sh - - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + - name: Create kubeflow namespace + run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - - name: Install cert-manager - run: ./tests/gh-actions/install_cert_manager.sh + - name: Install Istio + run: ./tests/gh-actions/install_istio.sh - - name: Build & Apply manifests - run: ./tests/gh-actions/install_kserve.sh + - name: Install cert-manager + run: ./tests/gh-actions/install_cert_manager.sh - - name: Create kserve experiment - run: | - ./tests/gh-actions/install_knative.sh - kubectl apply -f tests/gh-actions/kf-objects/kserve_test.yaml - kubectl wait --for=condition=ready inferenceservices.serving.kserve.io --all-namespaces --all --timeout 300s + - name: Install knative + run: ./tests/gh-actions/install_knative.sh + + - name: Build & Apply manifests + run: ./tests/gh-actions/install_kserve.sh + + - name: Create test namespace + run: kubectl create ns kserve-test + + - name: Setup python 3.9 + uses: actions/setup-python@v4 + with: + python-version: 3.9 + + - name: Install test dependencies + run: pip install -r ./contrib/kserve/tests/requirements.txt + + - name: Port forward + run: | + INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + nohup kubectl 
port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & + + - name: Run kserve tests + run: | + export KSERVE_INGRESS_HOST_PORT=localhost:8080 + cd ./contrib/kserve/tests && pytest . + + - name: Run kserve models webapp test + run: | + kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app \ No newline at end of file diff --git a/contrib/kserve/Makefile b/contrib/kserve/Makefile new file mode 100644 index 0000000000..df52a5401f --- /dev/null +++ b/contrib/kserve/Makefile 
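Review bot: Every third-party action in the rewritten workflow (`actions/checkout@v3`, `actions/setup-python@v4`) is referenced by a mutable tag rather than a commit SHA, and `pip install -r ./contrib/kserve/tests/requirements.txt` installs whatever those four lines resolve to with no `--require-hashes`, so the job's trust boundary is the upstream tags and PyPI at run time; pin the actions to full SHAs (`uses: actions/checkout@<sha> # v3`) and hash-pin the requirements. The `nohup kubectl port-forward … &` step returns before the tunnel is up and nothing polls it, so the `pytest` step can race it; a short wait loop on `localhost:8080` before running the tests would make that failure mode explicit. The final step waits on `deployment/kserve-models-web-app`, but no step in this workflow installs the models web app, so unless `install_kserve.sh` (changed in this commit, not shown here) does, the wait will time out.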
@@ -0,0 +1,56 @@ +KSERVE_VERSION ?= 0.10.0 +MODELS_WEBAPP_VERSION ?= 0.8.1 +MODELS_WEBAPP_RELEASE_VERSION := $(shell echo ${MODELS_WEBAPP_VERSION} | cut -d "." -f1-2) + +.PHONY: upgrade-kserve-manifests +upgrade-kserve-manifests: clean-kserve-manifests + curl -sSL 'https://github.com/kserve/kserve/releases/download/v$(KSERVE_VERSION)/kserve_kubeflow.yaml' -o 'kserve/kserve_kubeflow.yaml' + curl -sSL 'https://github.com/kserve/kserve/releases/download/v$(KSERVE_VERSION)/kserve-runtimes.yaml' -o 'kserve/kserve-runtimes.yaml' + curl -sSL 'https://github.com/kserve/kserve/releases/download/v$(KSERVE_VERSION)/kserve.yaml' -o 'kserve/kserve.yaml' + +.PHONY: clean-kserve-manifests +clean-kserve-manifests: + cd kserve && rm -f kserve.yaml kserve-runtimes.yaml kserve_kubeflow.yaml + +.PHONY: install-kserve +install-kserve: + # Create kubeflow namespace if not exists + kubectl create namespace kubeflow || echo "kubeflow namespace exists" + kubectl apply -k kserve + +.PHONY: uninstall-kserve +uninstall-kserve: + kubectl delete -k kserve + +.PHONY: test-kserve +test-kserve: + cd tests && pytest . 
+ +.PHONY: clean-models-webapp-manifests +clean-models-webapp-manifests: + rm -rf models-web-app + +.PHONY: upgrade-models-webapp-manifests +upgrade-models-webapp-manifests: clean-models-webapp-manifests + git clone https://github.com/kserve/models-web-app.git kserve-models-web-app-src + cd kserve-models-web-app-src && git checkout release-${MODELS_WEBAPP_RELEASE_VERSION} + cp -r kserve-models-web-app-src/config ./models-web-app + # cleanup + rm -rf kserve-models-web-app-src + +.PHONY: install-models-web-app +install-models-webapp: + # Create kubeflow namespace if not exists + kubectl create namespace kubeflow || echo "kubeflow namespace exists" + kubectl apply -k models-web-app/overlays/kubeflow + +.PHONY: uninstall-models-web-app +uninstall-models-webapp: + kubectl delete -k models-web-app/overlays/kubeflow + +.PHONY: test-models-webapp +test-models-webapp: install-models-webapp + kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app + @echo "Test Passed" + @echo "cleaning up ..." + kubectl delete -k models-web-app/overlays/kubeflow diff --git a/contrib/kserve/README.md b/contrib/kserve/README.md new file mode 100644 index 0000000000..a05e165372 --- /dev/null +++ b/contrib/kserve/README.md 
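Review bot: `upgrade-kserve-manifests` fetches three release manifests with `curl -sSL … -o` and `upgrade-models-webapp-manifests` clones a moving `release-X.Y` branch head, and nothing verifies what was downloaded before `install-kserve` applies it cluster-wide with `kubectl apply -k`; record the expected `sha256sum` of each vendored file in the repo and check it after download (`sha256sum -c kserve/SHA256SUMS`), and pin the web-app checkout to a tag or commit rather than a branch. Separately, the `.PHONY` declarations do not match their targets — `.PHONY: install-models-web-app` precedes `install-models-webapp:`, and likewise for `uninstall` — so those two targets are not actually marked phony; rename the entries to `.PHONY: install-models-webapp` and `.PHONY: uninstall-models-webapp`. `test-models-webapp` also reaches its `kubectl delete -k` cleanup only when the `kubectl wait` succeeds, so a failed run leaves the web app installed in the cluster.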
@@ -0,0 +1,121 @@ +# KServe +[![Go Report Card](https://goreportcard.com/badge/github.com/kserve/kserve)](https://goreportcard.com/report/github.com/kserve/kserve) +[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/6643/badge)](https://bestpractices.coreinfrastructure.org/projects/6643) +[![Releases](https://img.shields.io/github/release-pre/kserve/kserve.svg?sort=semver)](https://github.com/kserve/kserve/releases) +[![LICENSE](https://img.shields.io/github/license/kserve/kserve.svg)](https://github.com/kserve/kserve/blob/master/LICENSE) + +KServe provides a Kubernetes [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) for serving machine learning (ML) models on arbitrary frameworks. It aims to solve production model serving use cases by providing performant, high abstraction interfaces for common ML frameworks like Tensorflow, XGBoost, ScikitLearn, PyTorch, and ONNX. + +It encapsulates the complexity of autoscaling, networking, health checking, and server configuration to bring cutting edge serving features like GPU Autoscaling, Scale to Zero, and Canary Rollouts to your ML deployments. It enables a simple, pluggable, and complete story for Production ML Serving including prediction, pre-processing, post-processing and explainability. KServe is being [used across various organizations.](https://kserve.github.io/website/master/community/adopters/) + +For more details, visit the [KServe website](https://kserve.github.io/website/). + +![KServe](assets/kserve.png) + +_Since 0.7 [KFServing is rebranded to KServe](https://blog.kubeflow.org/release/official/2021/09/27/kfserving-transition.html), we still support the RTS release +[0.6.x](https://github.com/kserve/kserve/tree/release-0.6), please refer to corresponding release branch for docs_. + +## Why KServe? 
+- KServe is a standard, cloud agnostic **Model Inference Platform** on Kubernetes, built for highly scalable use cases. +- Provides performant, **standardized inference protocol** across ML frameworks. +- Support modern **serverless inference workload** with **request based autoscaling including scale-to-zero** on **CPU and GPU**. +- Provides **high scalability, density packing and intelligent routing** using **ModelMesh**. +- **Simple and pluggable production serving** for **inference**, **pre/post processing**, **monitoring** and **explainability**. +- Advanced deployments for **canary rollout**, **pipeline**, **ensembles** with **InferenceGraph**. + + +## :hammer_and_wrench: Installation + +### Standalone Installation +- **[Serverless Installation](https://kserve.github.io/website/master/admin/serverless/serverless/)**: KServe by default installs Knative for **serverless deployment** for InferenceService. +- **[Raw Deployment Installation](https://kserve.github.io/website/master/admin/kubernetes_deployment)**: Compared to Serverless Installation, this is a more **lightweight** installation. However, this option does not support canary deployment and request based autoscaling with scale-to-zero. +- **[ModelMesh Installation](https://kserve.github.io/website/master/admin/modelmesh/)**: You can optionally install ModelMesh to enable **high-scale**, **high-density** and **frequently-changing model serving** use cases. +- **[Quick Installation](https://kserve.github.io/website/master/get_started/)**: Install KServe on your local machine. + +### Kubeflow Installation +KServe is an important addon component of Kubeflow, please learn more from the [Kubeflow KServe documentation](https://www.kubeflow.org/docs/external-add-ons/kserve/kserve) and follow [KServe with Kubeflow on AWS](https://awslabs.github.io/kubeflow-manifests/main/docs/component-guides/kserve) to learn how to use KServe on AWS. 
+ +## :hammer_and_pick: Models Web App +The Models web app is responsible for allowing the user to manipulate the Model Servers in their Kubeflow cluster. To achieve this it provides a user friendly way to handle the lifecycle of InferenceService CRs. +Please follow the [Kserve Models UI documentation](https://www.kubeflow.org/docs/external-add-ons/kserve/webapp/) for more information. + +## :rocket: Upgrading +For upgrading see [UPGRADE.md](UPGRADE.md) + +## :microscope: Testing +### Testing Kserve +#### Prerequisite + +1. Install Python >= 3.7 +2. Install requirements + ```sh + pip install -r tests/requirements.txt + ``` +3. Create kubeflow namespace + ```sh + kubectl apply -k ../../common/kubeflow-namespace/base + ``` +4. Install cert manager + ```sh + kubectl apply -k ../../common/cert-manager/cert-manager/base + kubectl apply -k ../../common/cert-manager/kubeflow-issuer/base + ``` +5. Install Istio + ```sh + kubectl apply -k ../../common/istio-1-16/istio-crds/base + kubectl apply -k ../../common/istio-1-16/istio-namespace/base + kubectl apply -k ../../common/istio-1-16/istio-install/base + ``` +6. Install knative + ```sh + kubectl apply -k ../../common/knative/knative-serving/overlays/gateways + kubectl apply -k ../../common/istio-1-16/cluster-local-gateway/base + kubectl apply -k ../../common/istio-1-16/kubeflow-istio-resources/base + ``` +7. Install kserve + ```sh + make install-kserve + ``` +> **_NOTE:_** If resource/crd installation fails please re-run the commands. + +#### Steps +1. Create test namespace + ```sh + kubectl create ns kserve-test + ``` +2. Configure domain name + ```sh + kubectl patch cm config-domain --patch '{"data":{"example.com":""}}' -n knative-serving + ``` + +3. 
Port forward + ```sh + # start a new terminal and run + INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 + ``` +4. Run test + ```sh + export KSERVE_INGRESS_HOST_PORT='localhost:8080' + make test-kserve + +### Testing Models WebApp +#### Prerequisite +1. Running kubernetes cluster +2. `kubectl` configured to talk to the desired cluster. + +#### Steps +1. Run the test + ```sh + make test-models-webapp + ``` +## :flight_departure: [Create your first InferenceService](https://kserve.github.io/website/master/get_started/first_isvc) + +## :blue_book: [InferenceService API Reference](https://kserve.github.io/website/master/reference/api/) + +## :handshake: [Adopters](https://kserve.github.io/website/master/community/adopters/) + +## :books: Learn More +To learn more about KServe, how to use various supported features, and how to participate in the KServe community, +please follow the [KServe website documentation](https://kserve.github.io/website). +Additionally, we have compiled a list of [presentations and demos](https://kserve.github.io/website/master/community/presentations/) to dive through various details. diff --git a/contrib/kserve/UPGRADE.md b/contrib/kserve/UPGRADE.md new file mode 100644 index 0000000000..012b44df95 --- /dev/null +++ b/contrib/kserve/UPGRADE.md 
@@ -0,0 +1,68 @@
+# Upgrade Documentation
+
+## Upgrade Kserve
+
+### Prerequisites
+
+- Running Kubernetes cluster with kubeflow installed.
+- `kubectl` configured to talk to the desired cluster.
+- `curl`
+
+> **_NOTE:_** This documentation assumes that you are running the commands in linux.
+ If you are using another OS, please make sure to update the Makefile commands.
+
+### To update the kserve manifests to specific version follow the below instructions.
+
+1. Set the desired version to upgrade.
+
+ ```sh
+ export KSERVE_VERSION=0.10.0-rc0
+ ```
+
+2. Rebuild the manifests.
+
+ ```sh
+ make upgrade-kserve-manifests
+ ```
+
+3. Install the updated manifests.
+ ```sh
+ make install-kserve
+ ```
+> **_NOTE:_** If resource/crd installation fails please re-run the commands.
+
+### Testing
+For testing refer [kserve readme](README.md#testing-kserve).
+
+## Upgrade Models Webapp
+### Prerequisites
+
+- Running Kubernetes cluster with kubeflow installed.
+- `kubectl` configured to talk to the desired cluster.
+- `git`
+
+> **_NOTE:_** This documentation assumes that you are running the commands in linux.
+If you are using another OS, please make sure to update the Makefile commands.
+
+### To update the kserve manifests to specific version follow the below instructions.
+
+1. Set the desired version to upgrade.
+
+ ```sh
+ export MODELS_WEBAPP_VERSION=0.8.1
+ ```
+
+2. Rebuild the manifests.
+
+ ```sh
+ make upgrade-models-webapp-manifests
+ ```
+
+3. Install the updated manifests.
+ ```sh
+ make install-models-webapp
+ ```
+> **_NOTE:_** If resource/crd installation fails please re-run the commands.
+
+### Testing
+For testing refer [kserve readme](README.md#testing-models-webapp).
\ No newline at end of file
diff --git a/contrib/kserve/assets/kserve.png b/contrib/kserve/assets/kserve.png new file mode 100644 index 0000000000000000000000000000000000000000..8639fcfb2c46c901a227736a3c2cbca7cbd24431 GIT binary patch literal 472792 zcmdqJc{tVU_dm>TXNY7-=4=@=OQx{xA}V7^AybBwF_a(e+`+zs zjErpO@ndSI$jE4y$jB(ds3_n!3*^=w?i@E@KwhQ}{xYm*7XGZh({ zoSket@)7uhCFj_9RwoxC+qV9D6d762B{K9spV5Jz$m0p*uZ^GElF9%1H2f|Z_50Jb zOUc`QKU0Ju|1Q(>Z!!2mefgM?8yVSwYUB^OkhO6i85xf3xZ2^ne$|e;2_V z|Mqi7W9m_h>-5dHLz_A3AG738$y1ZNBr~0q4n9onJDsr9^>S_cdybQVufdN5w{HYD zzm8{1gt-hi;_8(C)wLn)xOvCHy=W?W3@(6-9QFU}hvACqkiD2CdG%e*m#O|#)R^Gv z(vU)ZY3fZ4vBu!~j>|hvJ6o7MRsB<~F)>FhOTQ2Aa@bthcSqs9m;xv6$<7}=I`#Yh z_yGE-vNQ=sFP!46x}&z9Sr9t>L2v<~s3|IvQpwJ@^!b55KF|rx;fyZ{Hj~j}lg}!{ zw+K~DwcTC2!pLW!c#ik4cD~Kc|GTBIhTtAm>qixM-D%o0?xv`}_1`)0=f)%#%+}r| zIs4B%&vPYSpS<9I&u3p_(BAPD$BG=)9O*3^*ec+ES@YU%d6&;MU2?Y5t6z6jd@5Bj z;B=QVN{=7{6vkn z_{`X1fBG-4B#GO_h8$7|GcYof5qn`IT3FDz=WByH77&~_c}L{qE>@!f!+ z&bu`~g^E?`yDy)5y&l=?>G@b;tLisx_`kTjq#j;najmkgVoue+e|c4K&B5#qQ~LKA zrn|mN67kDz9R37biPNRaqluzPVx6`5CVuBs}H$h|)CsBw{%yIVChiT-S>e)n3u=ifhu+^d+H z8>*5x%zQhTo0I%ks}B0l+>~w>T$`9{ekq~SVKO)DJ#P0O2K(DDLk5-;}TIK#RQ)Ovo=vu1-@yl!J`yR6jB724FeUvPHv1cOPUhdy& zGf_J@BPXQStVRysz1A2hs1u(kxTJQ!Rnz?M`LP%N3nTY^qwX7THRrAW`2R3jRTjf2 zg4=Ana^mHVXx|mshX3HKfAcr)g;tx_x(}Od4?6q#o8~D+Mcy^xZfbNb4f_wYprdwp zI59V@;oo#PrImT1vSM+%YEmT5`RCIhO`?L@rCVF|`)@8}$7mQ!a9f(q@g9DYWg4n)LQyq8>KUUi-O9m;oSqj;y@FRBZpj!XOc7`6x~hEHYm9rHI-nz%Pq zap1jR2_H#o@~`*Ce~1#HCoR14TVGavgVjbejq+O)3S^^?W6SA}5qpj{+izN-*0JPB zwWPoA6Qmy(sOxV9hksG3MYt?Ce*Rrle1-9qdG_dV$v4PS_(*zjv%Kekw! 
zmRfSruNCeUsBaC=o6`QDOG#SdpEO{jhrGczMgWo=7n`s=dID2fj7G)UrCFjmy+Nb@ zv4(|FiteI@>O);bVLnw41gB^EB}1$er+vSToS8jFG&*jz{a^iX%eS50m#fq>j+HZ8 z%&nIYAUS+UnXRnouQWLm^`A(lZd4*XPOu=YdF#0xMdiDU1*>baM?zWwS4@B7MH<}>{1y0nIffid5$nmr%Q zN2>Al7{Ab3vF2p-Eb6&PbmXW_&Wq3u(a7)&Gzdz83w_iH!G03xv8}Pao3_Q=|4#$h z{Efvv6bB#4`nrxzSA%F@8k|DcRQ;hX+Ey26^Geb6JWgcmF-ld~a*qEN4`Pz5_cUPR zCPX#I_QQU)iMAYDzY>#sJf*dvM`Ede`b(xaR<4)hxZ)70z20%)N(1)X126JF){_=4 zzqR_1+SN^$3)QlCpq9ks$hUMO&N}H{f^zI1rcrq69mj}|EYj^aBLF@TeNB5lMD{rG zYo;yNAA|iNrU=4Ew&z@%kQ!5nn-0M~7VEM7FdkpG`TKu!Qk=zZ)O}y|_hIaZHxSc8 z59NJ)o|?P?8+d5f=|A3(JADM9U|VeTmLtnOW#JrxJ;~dE6(QB`*m5|Vn%wf~-}aKB zhRfIG=Xw&mX$Qje-S#QEKaUYJheb~w{nIZp6v6b^irtOe{2nR?q1*+vq>Oayq@CVP z7qc<61$&ChOp;=esq?|?57u@Dv5 z{GS%Q_*Z;OYL5IQhjv@pKdnsggkEfv(elM8CN1|O0J*oVsN|HYX z)_qS+c8dfSA=Sf-zA51lN#`FP{Zl3BMFv!6aT8> zO@#zhOQHEloZDJ8H@`?r&muPj`<~^#uYjkz-KOts2>)Ln)CJ)Dt+}3V0hB|#S+At% z7M{!34SMO^^{1k>-2u_eVz_Q>;34h@Do}Tx`g{YnBgvM1%jP#e@n0VB4RC0WmiLow zxLQE8b@Fzg3k?RIXaQ@N2iNG#tU0bmNhAl5&y)o$ki(|A&YAJrM*qha-wxHYtp^ zWAaU5;Uk59Gihi2Ll4nH9E7jjG<8!1QRa+8?*)zddTcLM{dt+dObz&zQE)nP<3w>m zs1CuU8<0iPwbGYw0fm1R4Q~eiG5?x?*)(4YG0EF%N%T4`b5(LX#hoW(XcG!9J9 zrdd}9Z&wE^@&(CiY@hyLgm-Yv5AS1-Z|oZ&Bm*GC7lDxc|1S_yC?E+LPsBaK$KJ*B z8k-XTyNtPlAer}d55vtf_TJ5E11ZJ{V$X=tXxpEDQQK|s{4=amn<~P|pi&`R?~Nen zH+yBI{OK3v9sw)b!Fp%Yh(h%&+QC1}A^duF+A;nQj{4hc1Q1NKjVBh6(ETASv#tYb@7p?2gl|^IyH$#UUY_=>A=5!4>>9lz9{pr z)YA_(thzcJ^#Jk*?gp%4BEQ*|N^Ij3|Mek|0U#$PTaRJ$%%0O|K}4J9BNh75_3&)$ z^nZAm7sd3X+g=XZ4AyNAs=qM$zBb6$)wPX&^IMhwZbG;KoGn1nq0}O)%?)`o#aO54 zUeqM^^eK#2Zydq@@X&T2j3^2-wV6s)Umj-rl1Y$54}Xyq(Ycp6tBu>wa>MeRI(_3=tFh^Ea)NP^x)S)uVhENe6r}W$CQ} z<04+1g%E1;bKupUO>*(RsXe()Ngu z=4_5H#xI;KwPH0bBv6wS1+ZyN8?J|B`1jPJceX`|ahSf53C7u=nk=u|Gzr^BeFL38 zs?KLU-;>`M`=ku5E|@E-ZdmMaWoH*=Q%bb@{#dPik_z z*1pu=0`iPdi;_I5eAY&nOrqxM6`!7kk6FCL`Hg)!b7!tpDP7}v>lCn?@`=^?^2z`C zv5jL+K8HW&RQhCbK3!$N#P>&sBDc^QU9T6V*|C6Xe6^{^K!?)QC0+Z3ok3YmWF&LmLu1x&W}x1^WVEfGHX9QFB@vA534 zdOnO3tG=@x4LQn`>PyKb7E-Y;3LQmLqLbHOdkTf_WeP?oDNa|oRlfNd_co9Wf1ax1 
z3%|r8L4tL@F54XqpNKi5mKdJ&_qSc+;w8GKdrviB%NxD8HoyhH0?uYMBHm-WQ)l#9 z{|$XF%BQOn=>7=lGVu-!%7CUs{>;^d%;mS}TRw*!tlOcc1t|Y~i|bQGD2@^y==7%U zli`K8&!$xii{yMjtMla&UUt{*EaTnxVK)kGyvK8SgnLM7T%q-nSB|?zK(#Dt+IQMJ zj-~2nZL_BN(g&~nmV%@eLSVE8C;iOfx@|@+mz-iIttw51tIGii;LL|8TdYa5+*Iuj{wO;FdY^P2e;Zoi3KyZBW z^NNZ1-J7M_m0ebqqTIb-qonWq7NZLkHr1|7eQdsm%q+i^;uy2@XMySx^fzYw%h%-H6nvl)MeIJ@tHa2 zV&d`_!B+p{d{M`V)Z2HVNDRSJw|^QW9V2=zHkl8`D|;80E{?^GM~3(>%(2mYep%sE z8Or3^H+yw1;rmY&h~lrk*fyov3&`aV3?zeU#tvB#%9kl+PJ_>rKc04(M@e-XAVO90 z9*iKv2htD@fBGE5bRDqHt`t-3zh4HNof|d!^Loj7Zsp+^G#yPa2c35eK<+ZiMwIcn zX}tMvdApU*L}0w+6LDTvPTw>uo%@ zGPJfr$?i4cC@SP!6SnATnk^AM?(ODM-dz_6vEd2M&+K7Sii3&e$r>g6%8rLtyQ`L) zs+87jl5CYm*eDyYGtPc>G>g;zS|e=7Rhl}F-f>;D^y=z_r1n3s{E7tTy{)DdR9@G2 z`nUy}Zkxt*#Kq$jx<}Oq8?IJSFm;y)+_CbWMloY@PyHj9&9*E!pDWbj}uL zHGOBR@Ing8!0I&AcmM9wjqd0r2BCT(v&F`F0%3uc8}YiObD? z&*A2LM23HZ`h4@v-Z3hI>Ob;u%Z48hsLqA+dGl>o(WA70lJl`E*&XOK0s5q?tzIo| zX`K#J{F1Erh02AO&3DX~KaV|;@cp`+Hejnl>Y==PC+>1noKr#k$9_rYPUNhh^QH~i zJ3VS2h2j0<^69Jdp_dc zP|phwe>TkNr&G7E#UD^-o!y?7z%g+XO?8?F@{$le2fL8&X!9J&&<~Wx*^??cox#)VD{P^j) z7>TAJcRM6Q<)A8AJHL%Dj(*}~GH0r1v%Q)0n#Zbl<+%5l6t0fq-ro<_R_hO12E||C zyk{V86=XBo@6?xRo#a^Suvwc!l%6x+);1-jUcR73EM0mkGUmAaJBv6ym%YpHLZM@J z(fLvCH_v(_0!{OL}R+znl(j z(^XN}L5|V}UG1Uot^!+F^G&8eQx)>+gVt8(U8qsAp8`Ql5)LWW9H@aE52ap5NCaPfW-$$ZtBUK--F3B| z@3ImEl9}a-SV$puu*R`osLJR#h)7)A=M=YArrRGA*IHpD=lmgT^kjIISd_AU-f~~+ zFFmJ;Weea$!s6KLE+drB_gr(FAjSx9n4~-06O`o6TL@g7TL@ie%TQ!5C>A zn52VQWG@u);9Jm*tmogd)EwHD3ndv*7~|9}QWeP5Z47eBJYoSKz~BvBg7QMhuik&E zWtJQ&?Um9Y*5Q0w9nr-+iX|`@)_SQhYN#*$2NWoon0c7}6+#*|ExZ1m19q31_ zAV-+9(wieQb2I%Bfhq3@n=0g1bvvZO7W@|9?Rl6)ZKKfTtQbiscpfvgS;-dy+@|yE zH(n5n^Gy7G^b@+ssVtOrAwt+(*EKQ=2O-C-y>)^)Y9ZkJWBL#%-uaz;b_vpyw2mQTO$%C-mojg9Q!ihgVVWfyWStN5>YkbXcsh30 zZ}cpkQ*X2RLc`b3+T}A?bDs+$jjaK{L}0DLaZLM4z4_V7B$lO#2(h-*C0Didtm+!Q zoLW46YcR*Y$F@>V!8S9%y_`*YCbpTBI3h`jh{%BA0q2aH5!}EeXda zN4wa2%bfUiI{xyODV`@#FPut!l8;aU=eo5ywhd5}8&6P`W7<-1Vu7Y&vOU>U^cgr@ 
zh2CMo%+C|sYp7DEEqC%svV*r?EIXwt3`yJh9;sESut7@WKJQ{PY8A8?1}OeE#5l<>&UpVyV{>s{%k-)E_`IfF&i}j@Qb}LVHT6852b469}z+VkCl`4s3d25NY zPYN^@dFm`hj^bsemk2Gil6fYKzbbXajH)S<_3_he10z%_6TMt$wx&$R5poyRn+a)+ zXaQlp!DNr!c-9dio=NI?K}5a2Q}%IZtCl*NkupKG>bripwwl7=wAY9eOipxGENclh zl@3Dj=tA>wnv`GR_^g(;?{-fj?gh%G|Lkb0d({=EZt^}6{nQ{<%x0R_f8uEg1>|Bg<>^%5N7=@i?R_|E;(P*tM;qvjIH8_fIDZgB z&#dn)UsC)D;@2Eq&X7%(pc2gbO8+)sp(q9~FN|V5j0XQ6rHo@E97@*1NK)Yq0!{C* zyd^4k%TS3%Ld7jdK6Avmolec-N%d1!9*G;Hr$ck^w?X6W8Y8{jJbFqJ-ANV9(K&2* zGyqqGvJAB=*QwPILJq-uU^2GPxoSo4x^C#nhaBCS!elRM)7!%7l>Ncfx)V zsu*_{_8ZZF^_o^y7+5F@qa0kA9sBA(_qds9uXhK&Wz_uI53##GjdOk%i-+e4UOhK2 zJ)HBhJJVv@pTpY9RC};-CR9U*rD-m5bu-Dc5Qa49+Qg*>tTJZ7lPb_u*-~*gEE%=a zJ(8uak;YnTIFhB_l|AV4J%?=<;{fd<13b@*h;uMas96|=>X}h7@m_iDlny}-15tsz zS(B!V04a70~It3R4^R=?%!Jwa@kxm|MR)1kUm zlIBjTc1)XkR>ah9>A!C5hx+=VOQ3a9Aa*~KKiwYT4Hk}`wH)jz@tPsfiEYYUbrxrJ z+vrp+RPn|X<+2Xp%~0s4BI$LF$3+wuRWQRLT#+WE(SY#?f29tI8|zUyJ2W|p29<3i z8W6*utARhz3C+{`@XHsW;@=U>7L{*!%)%Kojp-Rr2G``&6WUl_>nJWo_pUOyrUrpI z$d#!DVUU4q{#1z-xb|{mJaWh!z;R9Gx zuj`zuZ9wqZGGBLf_Oi}Oeyg<(%}z**0nRMSjvS?Wx4p6CaDMBn<2*g%0Y~t^ZPQ{0 za$?^hpH&X@@R1KR<=WP#j2GK($42PQH4Lq2* z5XM;oL2j7quWM)l0X;u2Bcs8n!=ZVI(_H}~tMl!b#Fz^TjJ|xND_y&YS^?FruoqVr zO=^Osg;77k8_*~Wc=Z2WO)?u)T5-k}dcC&FIh0(steI0edQaDDa98u5_(bI`Srv(8 zge^o#AbC*Nt%evjcNerod`H*;c)#3TJHm;(*#Qu3(TQV3BcLOH1Z`q?l0_P z3xM{#>wh;3d!`2KAJ@nffc2?i{m=PQc%AJv>w=X9(wf{vabNUXmmJ_UXw+a zRP4kPC^3XEW*NC3PkUWKS>8a3LI&37aB_vF&(1SLuowO&YQQh)igz1tDe62TrEdSw zU2V72C1*(LMKBjGc6}VA;yjxig&41kckkq8wieG4F(Dlw4ZkNl^te`- zm0-v4F`KFo1A?EW(JrDvp@kXgB~G^+Jw0ShF7^6i`I$FVp*oP|085s<12oU<9xDut z=U)M=Bggh}&`)UNvfgtPZDYXX20{)-2{r?~gct%Hbh@a`u3k(iC>(#K$Qu4q)9jG! z?qK|Dfd1lf#Brly?d3q>`#|B)N^xrkg`f1usbgS`1c^@%WJ*Qu0EJJ|V-ibqjsmmdz{+A_0Zp8MXz}ii3mGxKN zb=))@@n8cNP&{G~6V6%mJcP2Ns0LW}Yw~QI*EbNN5Di3R$C9|EN2F;Pse9C=>d-~?C9e+0o_0xRw3 zyuBgtK}6u*ND#PJO7RT1QTSyu^<-WoEF7|{9ALyq>XFa9#wn^73GidoV@`Y6i{hVx zJsEf;HQohJmb@R{PK)p@!BTWCF+90vVO_IDu6Qy$FDP1r%t$-g7H|BS0x&m;m2M+? 
z!rs-A$UPog!(T0Q2GZR{$Pmti9%5H?)C8#V$ae&@AT9NS3SiG)%1i>OPm2J1P&|3s zM-BAMa5XKB9&;IksgsAaBG&^Ew;Z>fir$bHbHOmsiW#r`j|;zP_!P0B=Z+o6=Gi>E zU}npc($Ppc(DdB(o_Jh60$f+$A@&E2nhK;*lW=@TFoQtP6uWlv2{5O~fwT|2NM@L& z3bS+g(g4;sAvgyZqT z;9t>zhJ9E}vy!co?(DG=Vk5AtO4z-LLDpq|P+APSDh%-abdmQQ{e&?tw5=$21(@w9 zFlDjhB%a)Izzz?^96p>y37GOHVpy!UE-p*zCAP~FB|{y|X7^3(YQptjNVPvctaoGH zIrkY@l<6pO9%eVZuTM|pf&pJII)_q3Fr&z7t|F8Se*%0r(mmep?g_w*r{7_kA{FYB z&@ykCY(_ZbU*lU2{Fu7#+f7jK0#;pVv>!)Paq8pVUDm=$2)5<_S~*H_5R$ZihBVZ9 zp^|=`{g9x4KK*%S{;O;m`7;dNfk;sBPIfs4RX@a}Zr(~&rVEsgbnPS$LM&39yti`_ zLbGbd30diG0|=^P)`*^CwSq1Rk)zzmXRb5hfy%C-B28~Ym~3c1zPX@NyszyEY(UeL z1juX-3;Q-GisLmQ21mylLQ~-~cFO0&qRUCimId-IPF#PXnv@(gVMPK4a{9Og0RM1(du}z*(%J>h=(aDD9wpCBd3R z?Wud!+2BCyJw`kh*7Oxpq`)_CUpFd;!Sv#djxlQ$oNXfsa@SF=5N7rS7Vq$>u^RHByf*s^} z>dXUw-A4;R(2a5Evj2(uwJ7a8`jps)B@aR&Gp{qaO3qIzbS`UEW+(KfS6VTZoJQ8w zw08og$7&B$k)<9*&-ai^9T8K0l86QM&z%7&#S}PDuUwG^s(eSVjC*@B$_*KHOu8J)diDvXUwDg9fbFpsH{W zlo4Uzwj5%8j1%hMK4H&ZGGaC=yIdsKIVaV}gwYFxO!=1CsrpQaKxrR7_8w2xA(v83 zSV`*~VP0QVdeBX;X~T$RApjLT(q}$*oS2ysCz}m9Wmu-ev1Aq`5?p(AnI0k#FGL`% zvl(x1fI%^R_t6#vzNh4IKArx+Nr?37JS-e~NPAW7|s*}l7BpIFv z%T2}g^5Pxg0jcN7@a*UsR+;(xhjfmD-$o{O>Y%QI+kPX+746OWg%vZ2fyNv2B)Lf9 zZWs5o3+7MCNaC3lU`a^0K8vWCc>BvRnrdDgV>Xe{Pfl&J52IdkqXq?oz|>tF zYTrvu5XN+NueXjSRB`Xxg7U5CyG?${JmzZ$snRc_#+Sju?F0TC9ni&8*XnSv&V3e} zed>J(vaZa%?`>KDv9NIb4#Zv6|8dtiC=z7d@|p4CaKxtHdgaJbBu08Gg65zLwFxX- z(q6*|Llux@ueQCsJV}vl~I$+iQ`Pr^sf zra|TgfO-v!a-_b(3k7{$hZ#7nITZAjnaYgaXMp`)XQML?<3dlWN@R|lhV(-J>m`^! 
zNe_s5+~TJ{IkRKE1Y?_4$guf+q?rH~kA~S`pvWY_>3;_q_4hz#{(dkTqzwPxk`j{C zM|Q2Pz0j~WNpSvOl5;o6S!*WI3&m|U>*4nnT~vooGO6<;rFBM|%q>XhA$!tb>7koJ>=wC`^g(PWZx%=_?5FjFA#KQk z#KNqUE42C)z{IIN(57ZhhIki{kaFSyrd7JC_YL=r8yR^|8Rta8QT)X<9O+<4NOM6oH8Y3NJ4P)1Qu87Jr;8M_KWczj zpxCb`u)Y3fo+k`hTA$6_jXw#>Q}0M%m*xR$NSGU}oKYX4WjZt^bCnE&Jo%OD5Nrdh zW0-ue>jSH(BOJsB)4y4Hs5(p3Hl|=cm8wckzSa17DwlX2<3Pk231?u!Ue>din76Oyg2&7h{Gg=E3zL7-49x+Ah({ z+mlW-Gw?^fVWH=xt-9MDQGEbLBwcRVjNi0DmqC4YMa*FheM=B7WxyDgZQMEMmsdTR z9UiMg^KYFLq7IfZzFx?I5~HbEp&L!rA}(_Hk2t@3;5)cVd_l5FVmuC`7A?PW&ntey z^1shJ0M`UcG^XJC_`NQcpik$%c!6W6L@{k4tGFG3y|boI?KAG47G%GylHziH22kR^psBhJ zHYuAHJ9f+JIAWFKt>!Fm(-yIv-##Igt&GWG8Q!)qoY#5L2iN&Y$LPL~ITV~lH9?Br zWGc!psRp{VPU1<7{&r9dHdnZG&OTl2auTWEc2#U;X7bGp;^c6Xko2(a8VX^nuAO(M zM``R39h{DkcdZDE9ka~VUqR=FP@S`wIb%&+lfO_zy8fvMPYDz3{yu|kk;m0jf zAgmx`OJ||kAm6WDdHPFkkOGPXzD`gbkfJ7N3^&1K(Kw~w`NH)IY?xF-Z`PPsp{n75_SG)Z5@>{Wrb$QfUTEHGa zMcHq+{eaoq%#u$nUgqq!8N`QYW`JPWi4Y7--Flept7=&ct;dKVah^lO;upt>J#DRU zd5hB=m*wK4>WyiO#D!~EXGP52^?GL&D{b3yaQa$Tc@3@Ur#?uYHGkQw=oA*h+&@GE z)Ku?naS2lMPupV&1@B}iU$}mYbL_uSKv2pH#U-u#KGNS_qVMM4|5KHFDZ)Ald#GND ziarKHK|B?bwmKOOvH11azPww6l%aC#WhhZFqD$KH+MAtn?;iL8pOd4)`KWp~&;j~{ ztB!l~aRMj}E@_>&OLac|+gw(DbhV~W`z@67lla1+_xkb|&GvQl3Q{BflX`Oj5D=*3 zI-oy8>-%Ywlv!C-Lj1 zx1m<&g~*0|oPkDt;cNNkg!cP{f^XLi=Z(#%M7$;84Hgf4Y271_z~J#b($qQ2y(j!| zvIM?1=5YntnL5f+r4e)kR*u+l6y8Bn4SqO$5F<$oxb}VpnvVZ)iv8=H;)FS-p3jxt zT%8g6eRTp$DjZz*0;G0~li_`-M8Wa64#*nHa?c#W&X(0pFSkq|qu1FDGg;RdGHgPR z;y=5D@y5>Lb`8GFT8j zbEI8ztafJ|8_~P?(9&rzA^j<@sl9P92+!Nc>Y{G)v1HxiAUPel@5@*ZfujX!^f4)t z;fqiVyfwV_JdH7rO|U}~uh%Sn_A%bzCp{GYb@uBvbGP6XfY(2kAI=Da)ej?na8S2L z5SVs09L}y)j|?9t?%)pObaK1e&hPP!zbrG;zwpAT*bi<>4Fza23d>0f596 z8!KT>7h25nHRo@wPtQzcLjRa}!R&CdBT&G7DMXEA6?|=XDra1<>td+!Xc27#cIC%C zUIt9tLCc-CxOjK2yt{*UB1a z$eHxkMygrr_Cm$DvR}`*e8O-MGRXz32|{ZdGYgH}3f|sm&pwLZGZLhs{Ou%6Jpy|z zj37?XFT}yNP}FZAjv+soe`M&WA~mf-k03;yvTVG zvWw-ujNL)FI$AawQ8U)2QJaC;lo)HcRyFGNSS#5cXwt6NMBU+wh|j9$!F87Ac!#6O 
znxOjVGNN{}H{R7DMRc6?s7|VYf;!y1A^EwW*QszBgbJTHg{kLpWv>@*dN$VNm>(|{ zNa8LdNFhA-qhA}hd1<>b_YDLfqwkVlVz<<-ctSxpvw|mc(+JA&T{O#US5mDFMR|Wk z-1x2i_)3Je_|{iDLsiIwM5L}M>5*IAX`xJ?iyrM3?a`>n{mz*mj_U*KFFrbTxB41B zl*P5o$=>D7d9DWRdXNYLPv-sxNsJucAWvOk4}-V(cx$4v_vKv9)XO8^$wL6|m67ZU z=T3#XiDQ#cD~)e$hIb_>bkf+gm#<4_ zJbIAbJnC$7bf0yPMf9s|ok1n{6BgSL&C6cAtxZL1hFKf9dwUEfc$%eq0%~p81dkCJ zB)%wEo=DyWy60{TKWtG1do61I47}%^ePh(~5K$+F`WdJ>HIhT68&_&(IUl^eREll9 z?;ENun#cs7;K6iGsP;&uApup$bkB>1#o9|1>hCZYgj%_5V6<+%n*KVMby;)+;OQeK zMwBMBEHWCfJ;R(8w-<$?=bjZej4sAjgmk_56nWr35ndY~O6kf@5{F}rc6{J+-I|-F zzE??O>Q41ZPvUVNC^{OI-~CLhV%6r)jZrnnV{}H4+At2 zd1?a08lR{UJsX8xTyo!G05{D=j2A|W>47cGdJk-&mMLcBdi*U7BQrU3r)VTP@TaXN zepp@kRde+WDSUqWJCWIsP%)M{3*BQpFo1^XICQJl(bdm|og~=}w8TKEH5U+ti1mD^ zuB5)QKVt3sxYV9;E3Z<~CWWvczqDVoI1Diiv~T_)Ty;1F2cz(!aBaXOYSN8;vKCs< zpOyZ`w7mc--Pxs{H}@s3jz+=sMbNR?hN(SFe(OUvI&IK4=-mUu0%CUlXmRGZ{vf|N#R^yTc?lhfg z9-ob`Ti^by(gFUqblASGWBoq3qr#?Q?b>Q-smpoE#c1_5v;p0hUYP+Qs0HQZqX*By z$zV#&MuGU!3EMS#uwJl+)^Yx}FVfif<-(5FI*K=gN0Do2P9pd`ev;aVTZBkD z;<)7(hqjrLW>c8C==-+IT%!bmc&b zB6)5ls(CT6oOAs%R1Sg>c}I0dI&8c;d`h+9r8%r|-QNiXGI)2$(x&8LzS;n_IPH^V zZeV8eLOv;{=~B4vF(UQ;UC_?i{i~rrZuALeOV`5{{t{w07pkV8bf{_(j|X#R-CoT1 zY4>r8(+@Nij~G?3*;-`OGraX5a$_e6H)%AF7b`T&ABKqgNq+oE7s8Z=t}~?sfrzz1 zIFwUScVk-}-GpIcqM+~5gaJBS5UQobq_dEJU`B4r!(EKUEL9*}#_jn)hILp;0;V2Y z#ASaQHCna!tnt&SY`FDxRiSx?x&f=Nlv;=c^k1Fa1tpg&zw6F!q?mshMA=#Sn4k28 z%s}$FumtiCyGGkBqG_yM!aeB$=#ktw*F_6e4>mb&rDC&~vDh!0{!9Iw3-R;U5WbsX zo$nr@`BFv7OaDg?$O()jg%NQU-Vh7c1F!^~P$!qOOI*Bpd>!^cCjjT6lW^Pb;yG~K z;*1prdC`cqvHA}NqcFb1W&Faf&*x>#s~@3nY#%A0R;UXZS5~kQCm*t#en-cxA6qvdrpsMyyM&6%SsTY z{CRfg<;W&M>gVqtFbK8&Fc_^C>Jn=iFN+^LD%F4$57!9L)|=E8N> zdKP+n&Y`xwa2o(oVVupV;TbcUcfQYiWjpVHYrmbVK_Y`=%}$$yXy4A-C0DP~l{A2@ zxD!1amoqImfV+ZjRj~}79Z8{|fA?#^K6A|C$=!tn2jcmW7_>Ws5T*OsNRKckJ`xPu zH7R_RLAx_w&S?yC!5p(bQv7WY zLUabBN1F7yz^!9|YF$1*hx;c#4WsTKWjnPS?2YsprMo>MhO| zW^$q@%frGoprV;IF+YRVi62fgm75}Zi7W2G%Ua%;6$r3N3VCcIo~~nIhZ$-!h$zVS8r+Sg=qKo+L(o0?1<=fX}u+<0LPUW!VThUjXfqieSIVl{eFXK18yO_tr~ 
zhr!u{Rf~6q6mJ#VzX?ENS01&>wEC@b#Fbz8=&3YZ3B37gO^_^d_0~JnhW5g!RUYRY zP}&JO;g=Sb+{UyXw3bg-dYiR;wKpgAj_q{zRCQ~X={hLk`HCji7CZOIEBL+k&{F3M zSzW)`2jf#^qfzH#$Kj%8s(mU2L&ou8AkZB?zhu2zwen)kea>{~hiP-BetPW3bY1S) zx_r+>C9l~wX^MhI+hS$PQrFlfZR$`{3n|&R#Jbs$I_kWfah0{jX1IbGTh29gxDm#nQKDT~*b_C>Sg$ znanPyBUX8?se0{FtD!*tBKP7}i?R}AOzx41>V*81S-tGl%nHLrXN zw5Lsn17LQoeYROPNZ9dKb-=o?%`kR2+;Ub1#mh9Yq#i3PaXT#3%uN82%!}y-O)eDX z!XLsjU(#=MG3R;PYybn(ldxCd>R}7b6)yXllcD7eU4)a;cx&% zTI@`S?m@()A?H+(4C-ES>ydZ={t{-e%E1I z`j`h^jh*B9@h9f@Uwx>Eyufj;rXHIMZ}QCkw%pxB2bTjzB@zsO7dW;L+LytU}W2QkAFg9EY=?mGn&->&l)BJw`Tg?}es+ZFSd0 zzgb)V)z<-CUl*&-C=6dcKvAyKQrR)q-axa>L?P^s#duZE1tPBs%ieJsM_4mao0`^i zxWwg19R-85wZh1ai*Wz>aT57A4GSgIXxPCaVqv~l0pJgHYs2(4|mUTx9)nAU8p-S{Kz>QtolVFp+&Y_FaF75yuY^fikbqWzw0$8;+@O_TiW{x zigF}xk+gyvNka7pJ6C3^ywA-Ea{JrP`+waoc-#H}wSPj9_kk(R0@WMx$(fF1<@1hf`E-k!nJ=0p?eSzooP0^&D zsfuy219op0?QWiquNFtKSYG$Mbc>Sm=FZPIjIRG(>eYYwQapWmJdD;C0u6oZIwc;+ z9`iNt>NiQ3Ew@KMMoA!hvV6p_geY$@4rUn_5ec27)_9vD@ULYEyq& zsGP=Db#7wh)7|o>HqQ;N&7*dee!C5~YCW&bIja0@#23n}dY1n!_x`3OEn_Q_x8>jR zXPN~-!EREHI%bBu{dE&!BU|6C#l)|9$&kFIW&_6LnwvXUs|u`>##cthTTe7!eBhhn z2+8KaGMf#Q3%7VAb(KP&*2s4fs(udNzFV+J+2e5F+yPB&%=1UP9GV#!E^yS1_b)O_ zg^2-@mHbSLF?u&7FV(Y8CwRev?v;2A^}XH8*I6no!hN8x9L`Qki*vFwTb+%TLol== zVKgi-)u{yLursP{reenUoDQ~sWJN6|3lVWM@8AS-{TSjDiR_cLkUU_ptLh6ii)I4Nw;)&Inp5@ zjl^IO0+J#fQbVUo=ghVu0!;e9^oZ?UC3HLW(%J9{_ z+1;3c(^Ef&CmtdSOfgm8nMSl-qB!jr-u{TdRzzZNpZC0f`=keUnZDRuPg><2y^Kje z8*vUWNvD_;+lYZwlvaAaKFDsrPy1yIGsJ?cn3|!7Gic0%sV8^2c((mdB=*f%{@Ag0 zb*>LYsJ34tz(%ta6X4rpeXT;z6AYyLHrykn9`uDJCr=1%vG`7LI)vt{K1M>xz-3KRCM-qcrIN>Mpa&vl%K3vZq+dRpo<(ZycG2HjGy)-)ukK;ZAc%zpGY?jva$>Qh;7Q5%!MV!Oo zI4L=IzYrS9NQVyk!hNFWG3ADN-X=_-f@b}c*mAwY5GQlz3f)$~j8A6FB~g_s=v(gD zNReg%_mnoG<>ZIrY6-%vg!4hh?qx5p0-LtuWHgloi`KyUC7?e|I{ww4GVsN8)u3A& z41fng8reptfawGv_b@Z0PjAr|15AoT=G!Ofbx;GR<7UqXQOd2_ZP;}N3|lQ*GR#0=+(3wsYnF3l(=&iusnSi)SkH(!8d(JtuN$iFpq+CvGimhwAxbr~~H z{_4AQ{JfkvYmbr0P-KO+AIm-(WdkGAR6+^nxq)~SGg~T~@^q2=?W9urbi5CIWBc1A 
zjrlrZ#^5!L^di*{fY%mINX>tG8sm??0ltq!q<7gQid|(?6)9!yN65(kptqc5*q7~2 zL##+k+3rOrdB5dACYn4QFdO5t{pBR(qG&^yxP=rtDus>KrnTbj7lZDqRh~v^*`>pf z@4xtW+Tdr8G0nKSWy*HG?~I>rqWJDN{fYAKC%WTc$c_#gbxCR?-;|l)A|RY1n>>Ui zOZ4Lq#fIK9EqAw^Vgjo;y3999JoUM@eY629($G5|;GMMcx8PxFWhHQ(AG#yX9(`2d z`C}%PTdI?Uu8gFk@iVFa_mF$t6b5L?s64Sd*$~7Lmk?=HnclfEJyDwzLcqay=CdYz zUmkvYMxcRFrL3RF2GMeTgo{@n~yQmLl$U(PSFsPI$=WD;HEGgxfIDACT-z_zoh_ove zf%U%-2(zt~DnFPH$PeO1|M{6r}_h>>9gCi>Ic zRF~jR!dlb)iNj$u^NhuYzJ)Ivs;0Iu7{mR}6A7&w`wM$V3cm%ChYLLgF#lp%Du#D* zBoSQJaXC~gkD83M;C<2eU(0zAO3fxpEVtjzl-kkwAu-_^YT8d6eQUri9hd~7$L<-Z zylzq;T#tJrW*^pH8+D_Mg&sBkt{Zb-TSY>;>MfZPJ^ae^)`41%mv#jeTGZ&1jk&h2z7EW$6L? zZ9qi%Fblc^wTsRr{IJUT)Ij~+u|y&Rb+#pm333gMdNRH19i!|?W?*Yb+NXo8j2mEn ze&s&9kO?6AcgHmFn`#+66)XRuM5J4{P>7)J?}yAA@p8(9yA9!o3bG(SAbIbMc32s* z*n4|EMERF3m}L?IxJ>_NT?h#9VKi)2FQ5ENg7}{d50WWq80q&=Bdr$2&fWQz%k|Eu z?r1#PP~`4Rkhu$PN%H|(qXUTKV9 zA$FD&E*a3Pp{4&z7BoJ3*yDb`EtlT3nbV~u5C3J4_rMWXfZec!Psr{dC~et}2SUYX z_LXOT`nE{;%DWuzuTAt$1NV&t1b2i=6UN2~TQw}|HkdCu(P^D-ZJ*m?zNq@;V zB9=gtbyxe0xp9}dm%d>qcpz)tC&#yyqB%{iX^dhmI?e5srWTc1G)X^+z1`0F7 zT%{#yT@<77G|@>=)dzVQBoU@wFwsulWz!m4ooa*Bf0u~SEFt4fin{mtkH8EJNo~l4 zgtfx!CTj#sQ`fy>hSms6o)fc={Y{_+b0hl70i{9|p@}6nDL#MF2yA+Mu}hKz)=!5H z7F7weGxf8lr|BNqqd2>FD__Vud!5%OJ_qEy9`GXTePejGY8h}~ zx!ftCp8NPa_Up{?*RT19T)>A&THN@b&?D2;b;JFS^mlNxkkh~=;KLJ6F2Z4vIP4M! 
zrPpK3npR_t*HC=sH`g@e`6|*LAD_@aGUb1=**k-k39wvskG#?dQj&_Xz`-$&j}EiS z1SYV4E!6VPEG_y$ScjE;@+G(k zGBLXBe+MNQ{-DgFxnqnY#D*IDtKr8NMa9FG%&YOTK>uS^mR`=kzQ}no{>)S=mQpzb7TqX_ z3Ctusie6Mx+qN%%F>)f67kUSHC;zEvU5DC2GS+-!%lP;Ls#m}RIuP>Fk7~t$9UUq8 zENLR@4oHq@pakxlgo`EuKZ+?;vE%~>u!~>?nOf-d3|LYY!hbv94jd$qAe1ZloUgY` ztG#&Pbjjg-sZ4{k8-~O7OH@ueKgHy0)mt|R_}BBqSC%qB<|wJ_2R~caKkN~gQ~d@W(vB-ML~yD-f`b0F{BkhG(J6sm^g^_TWWkFRM0!b!roRgA`$ zvy=C?xw9(w=>rp0SyO!#(+g6W-Pe3I1(9}J|IH(Xy5gs`wmJS3D6pT;M#4|$-!1ON zG@+-X(1bd7a^FN;%Tr*7m3I*o-CS0##V@s6q;-2@!a3cr!+eCAIzC&-hnpgCQ5^4o zx$F8-o+>3puKf}|Q{^sAKghH)4Zex00U%UFldL(4nWz0rHSzarz`JIUVD8kS86?gl zmt_e=_WoIlN3$vTYHweLul6t7MPxd-+rTD zDUuVru->q>{+`lzmI#9#b)wSc@OzY)wbi)8mqcPxd5>j*J2`__NYD%Wq5A2u>M3V`8Op;K<wH&L_JAmNO z0k-}}p#fE1Q|ksJr^5lqs%dHVHDAI3Sd_!#bf9&>ujYBzVN~c z_X)Rhzemt(kk24z=aTGh4YhWgFVtN^NXf?0pB5K8NaB_aw7~oWn^^H<(LmQqI1pI1s zm-jwxGdz8Wp~TI>(_;eQbC*<8aL)!!;#75Ja_??h^-cgMAXb>>EEl(rd>^nMbFN

RbXVE652EO;Z`0;ts|z6q%Tk1MF^s_1Kl>OIaFZ5+Nakp>axgaJbL}P?(4d*pKa4Ng-iqCQSSQdu z(aMC+ZLGxSCeU?wask6zO$vyBdR*8o66u_7GRE*wNXGr*=4*fpKs8@7*Xb!~?29(c z3V*PEbR*-jtkl|WQe|B>wv`tqf)lMyb7;WE^}@k6y939F!Nm;O8sA`|K#X6U9Uc7x zmZSdjF}RI=-EKQ}bUXiZ@=@D+htqb4^u|-1<+ki>HeVm^?jhluM4nMvpW;&XH*(jN zU)&xXy<;L#`XGp*wDt6bz@>=1(nq#WqNW<}GVvQl)>r1;)V_7?ZLl+LnbB9+rT=cN zkNe?yzsr{zKp49pY6?fSxk=@HjYn-5^>}MvqEm{?)VzJ zSJC~XzK>>YcP<-Kge}p~<;YW1zS3%k$;HwTP*eT$L0EG_1CE2Nt>2Av6574Kz^Z!? z+HbbL|IwR#KHG&6{{fhBhlrqxomQhR*yu0l0cytL#LUK)qoW`oKWRzY!tb5Gn%v0-D~Dh`9h9sRnZsps_Y@Dt=L zPejo7{7-QJ)^A)fZCJ7!^?D8@I>D6bvTq?SkjTpB4&05!so)V6;O?9*)E!X!1%6mk6 zhoYG!`uxtZ%jY0rr!~xC7fYxjyZfLLNNC5jK0GSvE82{_uChK~(8ue=+YP6CPd%Cl zNIlWqnS){|@ux6oK>e0I1tJ!`B#f|4R z=_b}N;qCp~x?~aiP9qUD1c9hLD*qu1lDn;`EXV34ln&E3O%@)=5&!oyE=a(5{B7cS zZbYRU;qM<0?<#9rYU#pl@{wdeDG=XS^>t28$*6lBokC4Kh+D`0>sev^$; zDbW1`J1-&Uz&P>zwl4{aitbq4sJ%H%g1(E6?zlCyzX7UJMi$mYNSMPgE7<@;A>sQQxfkNMi~MS zzSSRaUM^gjjy#<9>1Q6@fvt^K*q{Z@s=Mlz-rG!CLGgOWRCvw8H9{2nU0an*dXc4q7?Ae zRISvP1uv-cC1X7^;^fbwCx)I8-jkYK<3aCG8@pt zQ%t|a)58v~n4=QoLGJQ7pBkO!px5}}5c{tcznvZGc0+uQ=0ejLk7I)m=Y#1DRlXHL`lX>& z!H#9TMmBTu0j9P>mBV{oG1=Jn)we)flDi*bY}2wU`AU%e)Qz)f<%Wca|5XeE>Q~Q+ z%~pnUR6_Zl+YuKAM!KgK_7!zynx_#6&8QFcaV8g&_i>dk7J|u(h8BL=;-nZIt#fRD zz_`72b@C!zAz-cwSsJ=noUCgvRk`_nq6Xg+ z`&aLLuB&dI_CK*}j1oWRMf%QTic8y>?17fS~drxCg)rbR!7^O3mr-b z*H*idA0+m<8SZ(G zi21$IU^E$+&dD)UGmbC+dB<$ydG%97DmIjyG4A*Rh=wlz~qz-zcSo@>+Ig#th`3xdbKZgmBk7E^NA9LUw*HD17=!L zdD!@2mOj<&^c-7rD$BI$qW?&2U+k8skpRKWXZYFvb6kTAD1Kr$;-H1D%o?S`OwRcK4)uipQzSH;_O?$b# zrikV3A8mi^;*}c?bdBI|pFlNbPGsVWSzLK1pDeY#BE_AT!=41_d%n)!LJ^ri~{l|g_X3>m2 zm~cR=`{O_waJ;Vjm^nzi4o;%uZP{NPK0`^7hdNh3q}TtsJGfifc=mODtlTo*OeZ5* z%h2x^KFDti?6OzS{Hp@zs38Q^;&FO(=G=+8_9>MvRhj)!DAR@X?f#wMGnFz#7bK1 zeP*@AWbxA%E=qy#`^`=@LK=7QMN3xJFy-#dXNhm^jK4%|5?`;}_>8XRHI`C=fyCoL0g**UnxSL0|F* zQP$E8ECj{J^x#QW&mn!gw&?Db5TQxN6= zc|4AaBn@f5zgu^x^mz#yRmvX{40|YoGwZIf%3SrIj}3n8FxqxA@9EJ=ws! 
z^X_gdjejB}%0YWS)R!VRVlGk%9|0+Hu{ ze$08oT6Xi(6U2=z?d3!_v*43mPC+5IB0sRS_Q+D~ zInUCGvJ}dMv(#!h2kRhLxYgo8R{i^ik#{g7rUW9fS9<%2|N3u(NA!p_4kK?uK~WuP z`R+`^C?Dv)7eEJ7ps1oXb?qv6XiE;+w~ff{;#m}6viwf`U%x$j7Wc-O|Iy5u(@zeh z>BD>EG0@CK-Sb2a?fq!&jO&hw~dZbUX49!R)?%MASb(&Af#c;Y;{2#dUrg`Tn=3+&fh1R*7b0uBg&QZC5v?ud z)50$-VeZ%8-z`>S{8_D5D?&Ce&je|3bp0t}Bv7|xhqbc!GGPJ;N>qkhT5^|LkW? zPuWjz(J!&e_SM6{ZQzL5UM^jtqi`YSwLOo{zqJoxD>ZdVcC?`a6r3 zo>MTr2)B-LFs(pUI7CG*flQIY0wkX_@unF;f&G38%Kx#@hTvbczK>r^KEy$!lGmx@#hl9hU8~PA$m$ z4?AXasW{pqK~wh6M^1)AZANA7i*g}xV&TR5o6lJBFDa*TTn^krP@0qdc%(2fJ;Qz6>U>^W8DgBsUS7Kk+K*z}SO9`D> zNsaoIDzQ>yRv%AVrm=Jg_DM}hgZa0Za=#uCR28VkzYllI_%6gd&o!JM+W>fQf=yi_ zC1;ogW1}HF+7FCX z(4!CA4zXo6zq41y-Gd+(9#67gxu@ zF9_uCR0MHB{OARPldyN+qh2Z}w+T3B$aoy^S2mreT4q|&-{c?L0_s)yrw!9sph9W zyQlQ}03Q!uM-MAy%8ubE!7q|oakPvAWo!8b$8Tw^(KwmZFNf$DxQf2N>|BihK3C;@ z1b=&=%a-L2s4}Boty0Q89{?n*0+g2vUr^nHv;x=FA}=xGN?>Y|p7RqRQgmYx-SG3> znEHFZvDsNi;6yqJzq=#VsK-SA^agRmJH{QUxlK=Q z7zYo3-+Dan+^#7&U@SxwCgIykJEfsJ5sFu@+Rqw^PnVWmX^sUca!S|$pU(!%i zW(ay?s`kjoDbf0{$_agn5+ivmLZmDbP3eHwk8!WWo#r1@{?gRNs+0l#>#!jO?DJ*+ z*%#xYsUKDV5ZMVd%~4KU@;=x|6}RbgJt)1oc>xL&5;eWH%2?9I_edwR>Wt-}9MZ0V>H&U6&K-0nSr6i~ zB?M->1xf=>CT8e}7v3>Ug0O&-D*Q^D9^k%pi^!7Uftc0M=g+So?H6b*ex3m`ZG+Ty zL9wH&*fPT{$&i3PFp4`A(MdqcGRr__*DepNb$apP+;Mx0S4@9R-KKHYX4HWSki?AQ2Bh8Od+7XmN}$zuD5ohmyFR6O#|+IqKzZHfv0i)lggnN zET-Di6;+_i6;@7qVYT7{f&15~`gCxF-d-{`67$0xPP)WEWObuIPzE{{*KSFVR5}-r|7LyletBzg_i7;SUfQ{t}_Em#1>!et$3bVc7)h9JcD+bH^0MU=SIp( zKtmxm>^np;inXhc z{H2S)L+(kG#W)u5$NR`0jGEd5L#5CfLlnG8WR*8QDPgTo5>1XWYuKm0d%W`L;h&KN zZ>2>WE#jUq-eiclf&!f5D*hz;w-F*K-q;d`I zaBCwvTIMuh7O-0*BgIb^C}o)KzNtTR{81vnu*4S_7y!Wdc_W;JZ~u}}RI8$#63;ac z+{p}%g~kUeFG9g}lcDTKEGwU13jk@@EvS4lbJN`V`Zrpwwc{HQq zm2Mj4Gwq8}c7Q&>^-C?MqqR;`p~m<7e)+A;7&U1y(KCq+(l;xr0GRT1eY~PTLiQs? 
zz4xCzJH(|CV!vxATeZcFYym)1ye*|fXMXz@bWufW``mdir!X@Pu>A@500kcbm3pc# z-wrcRPru2(4V`weV%hGzdpKFH^Q;-_Y970DkzQ{W?E%`)9+EWC*K}y}NuD&@`2meG zX8@0C!AtBvt#t;^-Ts+C`v}8v7RnF6O!MA2)%w)fjfCeaP7>3epCGYyfR2@r%5;C3 zB&Qcpa#p4Km8^Ux>1%d04`IbaJjS*wa}DV-BqC*XjSUFJsHB7OSL9@Z|JBh@g_3IP z<_9$UygP<*xWQ9W<#nNkBa<0Qgt~31LIp#0i3uD3qPps7l5=4~cSOi33Jye*NYQ=c zd9A1qP9^-P!T$0wi!`q-akh`?dkK~LG*HvbXH4oU)6b%FW&gJe*a-z6%Z0!M$#g@n zAtV7O#W@M8dD|@wcX*`ELdskSqmvW)!Yj(6xJ`?aOVO#G5pH_8vy;QaK<`2p48DR? z0`CZ&uGt#mj@1>5tbV?N!g*5mO;FqXrFPE_XBzVoL&|P)+4&`^5I@K|y9S+lO_!3M zoyl&BJn*s0TjCsGB90?zYbEV$J=Fb_DV_6|dZ7i>%Mdf2-qk{i?ls|Rmi9XgzfX@x z8V>?ZC}6-2&i<33jE@R;@)$)70q?0&7Z`=ouA`cmSOU#bsgd{YFc6g)N z?I8VhwVOG|*qq%WY_Y0PuIF`Xz}dQ?zoS)(P(msz4s@WdC>EC}iJ(j9uEcKhj@>JX z_ui|*&wduC;2kI@h<4Dc?qS1PjH!MW8^Rk!#ZJh-KP;|rd6@F2*Z0pat#duc25l^9 zH2M9ATF`KI^s_`c^*(zlxJW8#+(hevf&|n_2ube`$k%_kN+Lxbr1)Mth|x==?^e4= z;P&7n$mUyL=m1n_6CR=>5%XoBn&zDg*DstxfoT>5zfv znYLGtTqw0;X|&F85`Cm4(<%;(}QKrHbs%b-u33^Hz6yLnVN-ctL9R`1C0 z5NJ46_;eosojt%TEv9gIblynr(P6;RVrSmsc2N)+lAvk#2|MMXi6)&W@wg~o0TB{; z@YI^f6(FbZXl4eT@!tm+5rG_ghH+>|ijJEUX<i^q* zT>{wWL^-KXt-65VJHA=omYViDm_pzhtyr+w-@VpVg(WQyxK4#Ful4Cg|8ms%lA`fP z`)yJ~%rh2T{~&>?^eQ(h2qL(e2d7DfogbmMc;VRaT2N;%ADo#oDC^@VInt2=pC_d; z5J;#!2jJ=d3v2#<;RJ}_aGJpevTuZ-q|XoVpwmp*5f&|COsl5?7Vk`#^hlPurAS^6 zAnpL?J*58ZVB&<)nPKPs!aSriZb+M*{oWzTv&=+)2$7MH% zS++|+OZdzE`3b|Xp3J)wjYPu>sGCWQ%csnr&5LQW4nzL zTAE&wSen`f$!jS-AJH@a7_&2-jMw`R-xZr&FRodFUU%OzQsY_5J@?;*I@1F|9=tRU zc8Xf7h|rO~3NZK2%Hm_K%pZ(40*$G*kvjn&7+s*X_8h1tmNcUvMvIC34>1*7;UC(v z|A;u|u#lWUKb2Jf+w=P;YeYg5_!b7d7*<-PnjXLZ@dzLQ2UGF$md5>|r|160YU)V9 z(!OQnMBt7Yjt3lCAF%5%9^+Hp&Y?d)s6ifA+E1O%nvA!&84E><77AeTFE;i8sP^-C zZg6%ihMDfFX5!OFuW5;~#fH)7DNnFPk2r5qf{2Yinf_95eGb3u0NlAf0A#ANvS%c9 z!vkL~*H2u#a+9jVT5X>T>cucKfY-+?q@W=6Xp`_0%lM0EQ)lX9%M}Nsq3fDg%rqWX z|K@1IRysV>47`7mq|yKyC%{i;HmNItMJ=_opZMvKP5=>q&$xA^Rdg3$=?V?Q>7@7i zSAUbIJUvZRym}%rovI>b=GnSDt!8hoYOX((>C}3rkLQ!H{^vW5cBeX-3Br+3*GoL) zrm}=HH#||p5NiL>IY|b3(}kAH2ubol?LQJ%EDH!!Q$=q?&c6uxm-_n;0hmY~`$07^ 
zL+wuP*|ic1AwX72*DAu1Iz61I3(vmaw+D*GPI)ablf{Ove3zwx-%j35?AwbMgZ!~6UeHVvLFOHgAfa-~5+(ZVP zV=ai(ToUhnD2xg;z6?2nJ~NjS2-LH?fjB~7k3#L^+k?0Lo*o&*xNgH9TD?hcy*3=fxI3o4BKGzI~1`y}`LP7eMY(`}naBQhHH=iU#q#kVK;14~<#6O?Ite)O6`x%Q$#@Lyw9q==D)+O6j5a zP9Fv@Ao*HkY+pRMy;yHb6>;Q>qcC}DP-)FHNNhR;1tD1rxAEScu zZ#~BU-0!J?93%ISAU#a%(dOY9Gj=(U{H6K*tC}-&0k;D~M8bM2x>yn?i~_H+kW>k7 zu523_iA4Ly;2V~1tiN`6v7S7n3sn-TK{U9Xq8H?!0f_9oGav98Cp+PtCjgBzIpEQ_ z-eskx@X|hD#8{z}!-?alBb}5A5eR|p0G=s13k?WQvDr{O-e!TfH_D9AM{)=&+-o~c zR>`OIJ1tBJRaYM+jZF|=hmJQLUK{VJ&Cu{3O?e&Yu3ib)vmrmg%$yJCHSTkj3^pbO zo0^-l%=jCn?N8l^MCXzJACd)Mu@0U9WWI^1`|?{uu}Qk>RVL8$_%_WfMItB9Pqw#J zfa2YH8Oji(^Ndka8d!1QO+l%8w!dpVb4+9Ie$OMgw_v$rQ*^J2TvYk}kA{i~Ytke{E?!~d)$D7e*pnJ%d1pCEnNBqdsX?>fSR0d(eGXN2N&qDY~W+O4vUBAxKbh6 z!{DwgTZ<9X?>ZLwsH22?G7FJ17A5=^R4yXeRN5Fyqi;YP*mA<3`Z&)DKpVD4c2?sC zDHn`$?rC1H0k#$a9U6!@!?BTMBENDx zIliB!!UJR1i+EtX1-vy|@rQGvkmJWZb4`ye+oKr$W7|63ak*G_QG?sX3r$c#RC7jG z$zMaoKTskVcdlHW@Ax$mi!S-f#sXHfD8t75{ksU<&nn|VK1vI+1)^uCMo~Q%*vOHC zm!SJ|0X1KLqVk`#Rs9Ggtrc!O9irSYCP53Zj9jFcy4bP;cw8ZeQvAivhE5zx2@e^K zz5de7?DT+`36uDz|E%t?gaC6-=t;N&^kqHx|JNBb2bfIXQhL>99a?BK@|%SylF_yM zkZd{}%d&0jdf|8@^+mS!T}}h>5$VF;h5>#vS}jJ_o4k#F>jD-XZX6O#*u<@8T+O6OdlwVjF%mjou2U7pS(|E7Ei1`^t1xL#hL z=8kp2*QIlC_qlnQVrE6JuZ)5avQv){^J5`nzp)NP#QE=u@-T^^?mUGzKjF<-(884N zR5_q-!`YDE9118!2?Top9l8A3?DGG$*#PAtPaSW57^Eq-sMN=cgIDq5;O;U%=ridI zeVtGn64jGk@2IalmGW2}YV$aTGP7hDVD}dI_;01B?yo#nbQYJlku9p2=$+*znNxEh z!HBx3mG+T)&xgRsua_}eN8XC3jO!UtMX_W=3(lp~I~?uIZLNHYIS@O}0F~H&=<^eQ zDF;|ojuRjdmn0Rr0O#9)=gPn0xpJ^zCTiIj!s@{s;_GsZo5p@qX(GEf*vz=x8PQol{&O zv%*9nRTYZO=ST-T@T)`kZ?UPk57y|o4FDpimJsx1-7$K!nuS~2E)G7!=US~e1rAcb z>o{|)p*4R?>3zx&7{dj->cu2`pg2$GacwF#RY#A|HKWO&exdQZY~dP-h?XKZawH-l zFUk4|8-c}tf_98_iOg8sRM8)$yfj?&Cgr1Po#W>iIg#VN20KIyVyoA|2-LY-TDh}@k*!StcHyp3YZu5e^Py|qcull~Ih1Hk4 zWTQ_AbYUoNo?sr)IbC=Gs;q{B|HKby+WsG}ko$Tf_crSXf^JxyoVL`QgOL+wTPMpA zC0W^#^YVUJ8b6<$WjExcNGH8*S2zyD;}M0n%$J)uh}qsll+(f2**(Z*OteNp!QYvXHpdCu2R0GT6_V0UJcymPIBH(Ysai 
zL^}ykv%v8dL+oksUW{?(`~9;kIbyR~wbQQ$d+}7ZlO1s8+5_xjcbn{zR-#Czl`lyX zREn%GN-;L|!W)fa$GUi6=+YXg_whi|V_y6==Ums45q+sjfp0euxaGUY%tX zw@slOR$V0qLeQM}gsm9dhPk}RVv!+Aw=3$04r`;DRP}goPpikIQ)mlAc=2Insho3*i z_6ILrz5tgXuXM3@b2 zq)DjtT?YXX{-;lBnFZeB-*B9Dcn-wP!zcbgZKF4D@)}fFx0r@ zc|@RC!TFvc6sAKQsKm(7brP%L2zB-Xo#1H*g0x+uP_7(+1#d1&u_M83Hl2lAiN>C` z(vevFf_s009H-`}WUN6wEm}mp$l81M8-a_J4kmEg`7x?Q_OE2176zPZpT+RU z_KfJ|48%Md8`Fz(=9yljQU2&O7fjDX_oktlFZ47S;2W9@T8uJZ=>R#Q-5p3&fLBb8 z69X}5WZeuXvslT;dz3^p9@drlS1$d3W<+YzrIsW#g-&DF;X8#YLiXo_42Lx`tu-~N+T2dLd2 z^b-{}T8&Kd)#eKYpXR|Hv<}4=sL_QT9bQx9S}mRSA|+naO`4R{y_)wkb>}I}QGjcN zuYeIM@Ax5gwX;jkMl26D7er%{y*R@v>scbfy_Bg9p6(v6W+DD?cyS9fBmme}e3mfM z?$YcKnWbrA){OfxCQwm0tDAqal;+_3`yrjqXB}#W@{&^T{?>4sdTMeaRV@7N9HrQ= z^4%Hl$ttI}1wZfb=UpUJG-uGX19LjjUt`gY66MQ#kn!}4D+eN%`P$n0gEMHZ2xs@` zd1{}9$yaRCAsF3QML)Z4bi^>z5lHJT2KQ5`)9dL ze2I`F0JhlJo`25D>yiWy6_7q#)o&GKfNT1zF4&tiPmRiA@l4lYU^$cU**ob$_ zq|2v3{G9|&6EvmAz&+CJt-~2`#817qDO$Z+g7<^GN09aJfr(?{XneL3sgjEN$OVt%pNE5TlsI zi=)SO1xKIVUHtZbI84}8x)nCJbjgkw2Gr{UPo;}yrj8Gm>R`+giABf)hSxgI{nK0V zy+Ey$`lM7M#+`2f3yD9W+1e?M89NaeF?6f#x7BE{n{SZLe& zNR1`1-BBlD?#d7_8_4z2K&LKH;Z1q3%#q(+!bOG~uSS`RPd%H&%Yc#$OP25xom&sh z-dh5v!R{hnKDnrsk55SPeYtIW0d=<&q z3cBe>5C#K6%f^cLI_|u=cbmi*_yZLMcp^owUD3?Kul-iC6#siAc!^f@Ae;baO#g{i zGylnYN?x~SxC~(Zrhs30&mubjsj;wv&P9@CWGCPju@ujgm{WYCXhWccY~r@s4JK)A ztia?HEskGQLfsBhzPz*gcKlcG$dnNNrz@ZWU4b0FE4cTW_5Zhs2&i{}0shmKd&J;M z)%Dqr`S>+tmm!%Z<<^yO%dWtLwn(|i-So71qk>^{XV7-G3E@w5nM7u;iN-?EV&_^p zHUJO-{z+#*C>;N@GWbcS7w-4i+Lvj|f0RI8LS#*{YOF!HTbaLLiPQ z5#{zbgN?bGP=5O;Q%e*To$`pc|^{k{f?7!hQf4TGzs$mfB>E%M6oo3s5s< znG@MSH{ist{%rCrcS8%*uIVw(@$oDnI~4XJbzi#*fhDXYgh4Z5t*eF zQ|G`=YSR$*?K+G~^mT0DjL-I6haN>fe*S=HY$?NcQKN*nKk^EnodCywl{|%1Yw=QC zPL!_|150e)Ji4qwCBT@QFzvG5QtGxcx&$$18lznwnlx_De zARs+XDvHK8ds(%T(C$Z}4T!--wSHYnHTt3NjC_?T5(`?Ku(w~U1YZx3^w{D!&Un+*T6QG`zv%^hn#5sF*r?Q( zXMOnkRRBe$nlB}s1ndL^B^}LaZ)+nB>}+S6ErxNw7C_XOTcr;XUw8)ai+Dgr;&z%X zfh^FV!qCF$s8B&=3#bMOBzcIJp$7-Y 
zhGiB+I^VA95dyDqpg(i^X{7%T=j180>QOc11o9yY~AV-BN0ht3dtH40Z$in=|D+NeIb0Iq>(6dmZzNYnh7Kl1J2{{gBkL0r~In>LbjR-BWlNtHR9 zh?du^XAKVT(!u$HU@mE+g^_E#xT=9(CcC2bQ}naFzmov*(q!bU0A|fa{wBS>`%+53 zp%ohL2vIqb37nQaYp~M&fSv+c0U;@1P*i`!4>qU+D0&u5rTJKAF_WgH-LudRCFW?1l562z%^NWF^hoc1IiKdn*W7{?gBHDTqS6U>2uZNS#en5`Hhab%b)avv&z$0H z=sn)f!#GOeU**DoVT?n zA*T?*G8P@u%m7RvPJj{}#E@Nc04H+z;{)57-gOGay3Wea-Ty&k*<({KqLehPz@Fj+ zEnH8sGbaa4knew7hS>G3eAN#qH>GWI^GX6geys2QRyblswEa*PDsaVVY3fo~xfB-! z03bRp&9^=WadZwrmHiBdvHux8JQg&(xs!2~HX*iyn>`MP^7RUr!;R}fx}ULa@@Unt zLoW|VcZ)t3R882AbyJ`e8?!nu16oT&2dh7OEEBrJ;2Y7WY}PYp*5-XN=D@XnagG~8 zg}1|`1@`5sIp4R1%iCe@GPLjECvWNuzpSxY_TR2$sona3KT{3Bc*o;W(EK3qvIge> zjV|&Sh&n;p8I+){6NLBl+V}Vx)Bf*PByDd6W?OHTSt9K{0*VE;<6)#s#l_+>k3j27oTp$1C6}Lbm)K0 zaC{$Xw`v*v?6&~$h`V(l7#}#fqs^w+Uip<}Q=p?+r|tQLs%4$a;X(Hg(hf=_qaP1+ z4~~|vf0R=}!-aE8E+_SVN+I~K zNJJRKfBrQmFyaS9(!n6)4+-sm{uoA}uZ+FVmwyDL`2l@tjopB~-mHr^C>YUllc9pm z6Fn|UB)nU2r;YAh`#Q$+9j`Tj@Kgx5{pXzwML`ml+(DlZs(s>h{Ms4q#LLV|z>A&j z;JH$`i55B_;sv*O{S1Sh80IP^MO|3>D(>D3Av-C0L3k}M$ZDyAaup)o0A{N_n@W@- zq(jCZAg0?dfXUt5XNm0zA8Zhc8%pL@2ee}I@*zbVXfj%aE)TD{qr|H9tCK&abpUs^ zUbzyEcc|dS5q-PzzCB=F!`1-gZ3zX<1WqHl2+oRK&^$Yx)xq&;7JD%DwK%$v+*M7- z5@fbg@!s3mxvSQ0VA3Ps9Avejcii<6NfY-c03l|610;M9%MqgNLNvOrLmMc!ea&kR z`UtbQ*{m}<``U`y@2*dOa{>IH31T(VX(jRd=AaghBbSEiLih3%kPbWxj_nb=bS-T7 zvAPYhE3T@JYkeCT(W)I(RzC<~D#Us}!m_{|6Ch*90E{70w`7^@$k!Ivt@Gg_&clYk z-mwfHEt5f34Vt(Ov&mBZU(hCGD1M%bdpS5tQIFA>UjXC@BlNdqg)~dkkx+}a*jX8# zE;XgMvMI`DkxsK~toxq~1pGOQ51KjI#ZWUxbtLOt9b54&MumCBh(0vKx>x#B&C%ot zEa$TYT(=}a+xR<|%G>_m`$2CR&Ie+_1mN%u92Hl}o`X8k9PR^xg6Q8k#RKa405%op zW;AJ&{PO72!-mUsyl1~r9Dpr7Q(V?r1so4EbB9;`6#6`wtQlUEk^;EwCjp>VcR$Hr1RX-b!|w+pnjXe52E#83*fOfq_02W-%tzwU`=*b@?sOf2NMwA3M`csw+Q&jhS@3`peqQP zsvBUaXn)=gG#(D)s2qQLxeG3X67$v1bQ^eNG;44GNKCJLNEM+GR`+jBH`nzMuBScG zsIj*rg$V#AYL6ms6HTDW=Vz2Bct`~vy`v9%pt(SUMn(ksmhV7!0ohv_94r(2Z}Qkn zkrsgB{@eiXVNArKx-x+O$OQVI2ro9@C)B6M_!6I2+)m&a)|)|Fz|8VyFjw z_iqpSq9782s_|dyZyB0Y1IkvnR03BwbM;c{24Ew;R)_-ADxDJ^m*?)k0iSJZ%^tX$ 
z567gI5CDB*3!2y4htI!DieGU@o+5qIf!-Od8LXatTB--}Bo)j8tnuRT!f1AdDA`Oq?`0P1UiXAa0RRDzAy*wKH z3&FcXrc0E4Im zh(7n4JXrexa49UlH3!0uDO>oU`6I1+0e2Eu*PsOx+yvmJ0*|fV->*i?mgKESDmDSs z5GuMjVepEHaxq~Dv#KZiMs*jMaTsS}!59Z7nq_ebSOLTLVL|Nix3jNG<2DHAyA9kS zkCeLp{kgv*M?z+xv4(mR^f0p5O)x-@%PdfrX42riF|H zj>bHMxAI}|0l^)b1Ce#dMGX-^L-m3}_MnmMKzg(NPmg5|ngGg?G)Fi$gWYZO!zI>5 z+CwB2AR8Pjw(iP;yRWeJYd^TF7^(uu-*2f4Kvw8p&KvxKb)(U833OF#1Y8bmfk&>@ zn)bb;+RuxlRbmhL>lwjd96QVE&Z@eZs@;&ngcSG0-0wqBE>wjHUJOH1J9yWq_plXr zu$9m{6r@S(0V$WKqCJA))aDHM4@cn)z$r&i9L_P~dsC=6@iCPuJ3(767?K=QDWIH- z2zecOLyrYadbmS7F4VK66Rn98Uy<=(EBQd4@4vBi8BZgvtRoe!(hcCZ2*7x5_UHC~ zve8~FIfegWJ69=*st;iNsiK$S(V|5$fFT9Sc0g-YNU90F(s3Y{buR#A4*ne%DD%(N zcBdjc3QSp1hgdC6W=j|+vKn2A_6-7^$@yi5@TW(ibCWKK`uLQ~7U#(FA}inhZc?jknQ#6_c)@5ue3G*>ux^w4$i} zjtq)BKqU0G$#&<2Dg#zYoIWev4?M;5e!!);{OG6N8<9t?3U?uUZxaOsp#Iok3u(qv zQmiXZ5L9-Lfk_e158w=pPvd1*|E6Mp5;Dkz{DShXUp?PO)rKH&P$V8KHuwsgH~#WB zrlivYG8P%26+ubu%GNi z=|G0PUq}eJnGcfDlLRQAAO1@kWr;y|{NWD>V$ENB`)m1){$F=z$N|1< z@(ZYo$dM&_=l@2?vsuC9sXS>>AchWmYAL{YmVjZ}Z z1Xg^!Z1Y6S$f;Y4AVO^vFizd(fESv822AZIoeW48EwHU)KO)IYe`#Pbsr~PP(aX_45vtMwqV+7rWcR!Q4hQxcjuc7-f{xaZB6b`*o6Z zO|$RMVyFIA6QCQO$=K@(Mo|WrekSYx^EB5XP_Pf0K?2jvXbe(Ubv9H=F+wPwFtmc@ zjmuLFsq>qHdy#ESBN$}tEgH@%P5~dN zwvSNc6~ObHONRnyj%QB+uEm@nTr0VLRr9$p5Wr%jq9=PN5norpT+Y=Knt{dv$zaCA{uLSuVxXH9uWudg z{2|!w>sG2!vs9DpN2$MQ2s;EE+k!)u_bV5NHWokyjOu-`fW_=D2cz6kA*cJ#Lk@`n zynR$3;O)lz1I7`5&E)TcLPaVdorQf0XF&s>3FtWS(DH^RqI~*4J~#k8pCmU;E|g2L zA3T~)e;D-l9m*h4%L;&}DC>*JF#h*)KIkzN{yxU~R;p~&UlXPQt_ka998=;w)W{G2 zw`=?Q0U|TcaDFAE1#Kfc%TG-})#n#7{=p~N51`aQ|L;_Zgi^%l<0~o1u0w~BNH1ZL zeNb9(@b57?2|j1zUgpyYqM7cj*f1i9Ft+E7L? 
zLjVrs8MJS}_&ZUu@V~dFfIN%>=O4PK+0k6C@xOq0AEbwE`hWsKd+%}8zk?Q%h8ip& zOhUZfxtE2Q|BPP=(vg11_?5C`qyCEVzm+s%&jC^D5zV8InDW;k44WBJee#~X(SO!4 z584r)pZ~hL<3+It|FlmH5K__hL7pnC#>4m3|DV7-z=QPO`pY-FC?o`X#Qw;EM%($t zLkWZ4@_T6IuW4!zO(Hy1|Hp!ld|-ud^9>Z&Z+W4kf%OZXsWgAT1pzAf4v>=Cru;jf zeP}b3z@i-UUw`IRA@&Ej9i358O8n=z9MSs80u3@LX@LM8pA`8%si$sv4LZz!vkyq4 zDsWWo72jof{*=*B7f%*+IplXZ`tVb$G7FLl0N_>23nBtfkEcgKVO4Q6h7J8 z)M)qY?^|WFL2%ytwYRz?k@1Xwbfz3#Roq|+Y;GB1mv4TVtctnCFE-nsDe*SCfAFr? zr!X1n(cTnu_1$P>ot1fmIUgrJg6sW{A7l(QybiLZa*I{ii1jHq)6%WSIHWvQEo``U z8_FiC!rnCtwfWVT@b$_}LF@jm8|3QEUlsi~7rK`{-dt+FHPiZs4BeIh-|XkDx8SBv zG&JU+k*B7^MURs+=mUhz2!2-)Z1x6jA~CSaGxD1e%mm^Gy6$`D6;jI{SjV)cZ&f9&fft3 zfUq|x{l00(eYABriiaWvZ8wR5_0f%r`ufT41a8E1mYwKbr*s)-kcIG_3jNBGftQV3 z4benl`W(8~KTekdyNP~+uL~826reb4HV~?U6l}EBF8N=H2q0Rpec%@uATw%v6!ITS z1AnU({tL3S)993so&8^MGybE4(Dc8tp>;HGGc+A7Gc5s(O)*9_FRrh@58+t%?oZg_D^efsI)N^hVX5U6#ZF@Y|8fI~I)PNv%7w8`}2`7LIRQ>1Q`zdU3|Koz?KMQ3* z&Ov@>Eywhqci;j4ip;PbEOc1m#7Ld*$qBuWR)tx6d2tFe9xXEp5fR|OW=h8%X*Ol> zn83hjE=Z^keP!ir3ixW}EC(%0}<)_Q?P2Q%Mel(x*V_%y?Spo7x)0 z=vO?N&wCh#S%!nUaoMXP8snQF6E9oA|5}Hb0fKvZF)iUr{STE}U_(}k*>{E{gf>rB z1S*Z=Fy%jZ?)iz!D#X$Dx?_r27z!?mKfU91ApY0bSEEv#k>se$l;!pfYt^rFfi<8jNPq31sw1@ zbV)c~f2?Z)5*MT0&-$7l*Rj}h7A|-qnFQn>5V^*EYn2ZCCNCCL_YCkftx?mt{ zMdhm(ZEq4*`p|>^OcMmt*wXRpzg+V*knp=#@brqHVE7(UR#OgB_Vc=l_B3`^#zTH6bQ3Py{fCJ!ra$pHA&3tx)$T8 zX7N3=%O;=4MP>b0zA%alWljliGXevJ=CQUGfAL01ws5z?r{9IRah8Vk0SnF-ZQRh^ z&H1QbVN|!9LKh_D@&E+veQqAtg2+?`?c2c|x^Uower&Fa0{vbmC_1eTr!Fkc2=fOR z-^*k!%q^U@YLDm6!e;7x#(Jmp+MAaz+-swvVON`ZK;7~R90>+EP)@SfPtI_LV)OY<60bpY^6|;(O7PSGE*PWPbk@H?v_78@1l%EAdAm74)NB3&=#5K_}uD0jEC<+J}0O; zI<61>m!+bCe#*LlfDQIQ*6kJ$BcFJEd(v2MCW|#IJQDE0SLKT<fF`cCs zv1*oJ4zi?Ar2$&aGG+c^VV9<5ikAB(!T%j4>24y8xc z&fH9&IXL!mHf24sqe7_bSYW{$0ZYx!R2Z+W%>62HQh>4w1y}1KPQr&#C?4whMD251 z2qq7o0n$_DBv+W#L6#cFSfq1Hqzt+>QPC+vu84Zl!TwSuD`q{xVmZRKqs)>KisVB3 zM8E41FJv%Z`?kP*bhkLfI2Qc^?gxQr>jB!H4NVMQ?h|@-fab#+vVzA7;6i7iDqi8? 
zRwMTM_M$Sk)0Pg$n=OL9EFXd`5{fHfL}SpR0NGg22?u*b9HP#kMPR{S$KGN_EvYE4 zNmTJBVVjh;rf{>uzE_IOp5pND;Z}Wf>x*9#Nu7y|8eJB5&unwDYg44;kX75bJ^7rM zxf&6qSKOdK2{Rc~gN|S+*u11+L_13<4}B1^F7u@IH^PEk7oL71inJHxcy|?v5T-@T5b)eAt zt>2T)(`s5i6E5QpRDAZP%^Wk-Ir; zseM1jY-zx1y647AC07PU?w!T%IOJAL=)PUnbsfErH>8eSw>Ju!d+he@61X@AnThhr zz%^>oryZ{cKX)5yjMPG` zDUo(qK+`0AalAn=ey0&!ELq$-uKY{VUR3hzT`2}q$3Huf@#VTkMZx!d<7|_o$Eqnt z;@-KZ*##-n%a`>h8;LR0^~-CLc-b%hW!dP!9Xvvf2g^?L34Y_}+p)$`UbN5STf%hV ztoiLn^v!(->j=(yBmD%`s;0r7==<7-i4!&pHk&Go(Z@Qm6A4Gr3{1HX#*%d*8)io1 z$L{DO`mD;~yl2R5yCi%09LLQwBup19_6gN??{8)6D0hy7+cH5G&qNcxXTCX6<4}tK zJ`+FIqWb%X&%~r?zB=?{R;E|>1KMkl1*kITyQ3YzxZ%X0hPwbxB~VC>p;r!UlU0b7 zY4ARIIC?Uaa#F5@mT3|z!7oO20q%y5PB`+mYv`KzIb&cBpg2257 zbG|}Y{3)SVg#^tY?zc@#`^z}^`=w@O%pm;DiEoll(`=s)up)@O!cqJl($RO-aydW! zqCMTG_70x5>Etr!%a?bN=o_^}O}P++qrE|mY-pV$jL`S_{-C`TcJgx+D9tm0>J^9J zV2x^7u|W*?Y<|FYSmFuV)2k9ZOL3nIpQ5}&wU6xcLYAeSu%{(1)gIqG z-pc+gkykmoNXH=Ap#O_|Be>Il@2DhCm$CG3;u|RhJlX@Hx5R{?NPf8XtLnXV+AV6Y z-(jqYaz{p#PG)olC6qz{v=k@`atocq`Kt;fj@J3&{#?% zA%Kbp#;@#34G;&sAC8x>D}1Tjd!Mh-k?j|SSm$Y4#koO=+jaCNhw64KfqV5b)#_s( zK0g2w4-k5b#?QTWZVG_rq^CdkSi)tTy`hNAEKE~tAQifbwe8kFKdPGfix>Jhpphzc z8fl6>6{9Mkh(~}TzSS=H$o+|1^Ntc9N4X68OBw;xBy3+>jG(X>V?<=S0UqK3SH0fW zM3e>D(E;u?YS9tJ`s3|cXjvN#H);+3Yn{V)*(8=zBl@${rqoj#3Z1%oKJyE(>UZGx zUVeTfv#aV^jlHe=ON05yo;RTh){7m~9B0L3*V2%`$aTIt*-#W<9!h+oyO!SbWd5K5M(_(4%d&{{S-OL;#-c=OAzDo)LaEaA z$M3zK3Enl1v+X#(5USpF!R1{pDW|S9c>ZLLZdPuZzi2}yo72IHI*XE$p!N1E3U{lu zA4aEN8Wa!=JL!s%e}(#98VEIxPQi;-)(!ng*d$Ss-rvLe_}UkHR=ne;?u(cH-u9n% z?Hr#Eue^0D8=@u5#_>85=zOzw!7;^Ky%oV*)8xYatevP z_6?&wAJ)2dD{5<>H+NyxFTTC;x5R#}cHYDav4VH8hU@hChbvvcqOP-}8>~U4d#_=7 zs^6kmptx0mwIx|}Skiv9;8<~cMGJEvf%5QC7;8r}z8%J#tU=L;+b0N#rwDfs)@N)YC2abmB2EK7uM z&&G4tn#(OIQ8DsM?d7Ig#Z2FkdRMSptkLP3bKO(x{@{UJCShxGZKADZ) zQ~ZU0!GJ(GP4_4(zp3$`;IaGUTm8h^MZWUhM=}cXi!s?nSn%k!f`)K&|EC7ivNkE# z;O&*Z^PNU3qAYwqi`=_NhG-(}vuMw_n(vr)xhdLu#xF-e9CY`QTPiOT zd1lbXr@fCNastHp#$~5f=hahp|AUcuiQfun@L_af0$W$XjptZf{#;rHBp!auut~|C 
znXTD`^N+u}xU7spwQq_w>?W3DPi=j9Z+2irF9Ag6dOM$ybK~P~L`CLfDIivXTfd#O zojoD3x^LaX7KCH(D)Tm((lxXnd}5lSAL|EFSnCk2RK+V`61%cv1oj?gAaV!9NV&dv^W-~4HHBDT%_gn*5U`uMD&DYUD zp{KWg$3^-UeEQLnN4O6^;K*03V}nFoFcIjy^F>vG8WO8rTZg zX!COt+_rAh8rs6a5ECRABi88LHTb4pEUyxcs zx2{3WmEAkj{(o>LuP^8eLm>|P1%15?CE6n!*;sHE7YL)VS!f402DBR3ho!m`ig0(? zC<#KvG;1DdT$C&EO7&J<-+a9tzt*04wbNv6b!Q9S(naCJCnZ&Jn|@P=I$?N0EEQVm ziPS`7O?k%CZ^)=p?|wHCk&Nw|9>16KdWj=jq+6d==buRBhcdA98ozB zyZ%?cbv5qO!f77zgDsF6*>1o%`)^BsbcP`qFs((mVKabTZ4vT*QsZ1gY0?S1-!4!cvyd??tfvhTh z9G!~B8a@xCHctr!3?gRu^C2npuW%GZruZuP!CC3$%aye3i&b%EQzx`>gJ(5UT`@g< zJBu$wZ+jU(Xta3%?-8nTTKGYA?0D#pcrbu<#PU-8n^mx78b6=8dMLHTDR6bzn3jk* zj*$)F-E~dLev)s3&5oeFSSLOD(f(0L6>VT*jl$(y=xi!uYas@a28@aqX?LU-dAU}m zr(FGNbzyyVWu;~qmOJUHbvO}Kp%vI5TbYz4TIXa%2RD40;3NvKQ3wl)=%74}xRWV5 zP4d!D6v-?%W$9uo<8!>4b}k_*c`}n@bIN=yBIn)|t(<<5*QRYym${9rC1TM@)w7DU zksH`Lb|En@AFTOgyR+plSX1qu;=2*1T<}8DR|1ABw$LcCYi^y`?&`08L z0gHU*8?_oOrW3p6*Hd;ga&Hu#ncbh@+_{k1unKY@qi(NZ5qn!1U_)h2=059h5;~#l zYeDQIaqAEE3e_DcGJ4;>f`#a+XlEbGr5Pf&gHNJdyV^uK#@>72$){qv)sQ>>8P`%-sYwl97&^g7NdGve65U zU_!B6+S3Ks;PA`wxW%~1aj@5V{rxbr@}9Trpb6b3<7wavrU-*?GoqQrp&YW}Q42J> zF5{XV=j8w(SPebhWboIqqDgLyr)}sTB&zHV8b}gW+Ak?7jhefg)@p7n&tSmT{HLDe zvHTz*J^yjYtPTYeFyT%ePFu_HsS1B2yt{~DPYQ3qcYYrB_1(*4RSZY)>hqNq-#W$A_Yumw7Tz_ zj$yF`xJ51LTf^^wUB1C4Hz;2y7xpypu1k{wD9o~dHVCOIzGbfKL24Rm4!&);<60SxQ7u0T^ zdi(-jl1KU8<}bvl4f8s3d!0QI)Hd#2VNv~JDeE{%N6!yd@&z-UzV~-QAdVV2u3M_o zPt{iGFBS90YWuFVW@OFOr|))`RwijAsq?FCUVYQbQ%A~rsLB^^T|2L>vLW~T(qI?% z(WtZ9(toHSsDI<>yP4q4R2MUkPLdGxVb^0lzctGBDSe#~cQ>&6dfah*iQ~dyccF`d z(_T9)hGO70L5o?0Z*;) zo@<$M#76PsRa(0h+@8fjnkDN{WDp?$H|@GMUo=vQ&4_HuXWC_+yozRX^o{4lykq#A zq7hYEvlLdu`peLI0KoX|nfQ7-OUKaT%FWKKGSsoMw1O8rH|Pgq!XWiKr|mSQ4iakV z^Yki0sn~~M{4>Qyt1pqKTsoh#yAlG~cCdE1x=!skvQM5+9R`?Z^$_2kFc%fIj^Gtx z+-AD7e|N*ss8$PUDaOLQ%z;AuW1e|1uf9dK@@x4Awf6h7 z-uacK66q(d{XVC^zTY{CG-|!sDRUEh_5ldxUDUQjiv;$nR`{d!cE-N$&m58cKixVQ znD)*?A#R;xp0MTzAolUSjSGd&%yqkmt=0`DNujqRO z4csG@-Fv9O=QG=Y>+FGqZP6X2Un9j@#dBUJ=L1}yPK<2Db;y^kQF+4 
zYWZY~sJ^~|a)n=YwE%vN%}Q|$zQ%zEadhY9elwhzxK85$ukdJzdc7QgF&l?fJGXH* zNjWG3HDB2*^zfBx*HdD(n3v8)eu~i7qG0<;k4VY5h=lOBli*mX9k%tx>pN{%7dFqaX_nwWIP3{evQ0mcOTzw<&hL6=W1GB zyUADkBF?(az^U0f;_sefY|I~<5@VGvY=9_CrMnZv{Dxt?H7Kz>RiVPWX8sQi=|Tx3L}krv;RIVuPIcx&=R zKacVHT5cU}?+&{4GLFu(@)@W1Q}>uc&soQ3UR$``T_7TMIG&j?DrZ3}7x6r0iYfip z3p8wynu%%SEf;9vgkSd>nc`L-s4C@Se%$GS8CKBpfOxgA>pkTALyrysCw^s) zIM?1IsK;6va8FR{&C+#s!;{Gl0p8|)9I4Y9(z(`o1;!CfM$nJB8PrdB*yG3dg&phE z0%R6D^qY_aW;3(^1-u)si$_8*HE$BPl_>c#uGM2uI(86XZoZD#Ze||DmQ=z#XN7f< zbm**O{n zo?!f4U+cC|%PS62f2QTSd9!M9QXRsZ&*kRWuGQ3Wzv~ZnNwdc-KeNL%7rL*dcUn+y9wowai+p8# zXxjbJ&YmC7tjnMsImNu$MM|=hSFYdl-Gw0m;tdi;#23EV@+7KiL`aXx4R~db9W_*O z72K`esr(t8u?K7s`U#H)o#Fn^a=gH4)uJC=Gfh;YAA`Tc&O*6hRm+Ob&=tg~bnI8t z+{Fs2akbhm14pb%*XS1AsiM9_H`d~2Wc>tQ@-gCSwU;Y!dc&uqb4R6glR4708Q&R_ z@ZT@^dmDs55*%+j87^+V!fU#*h6O}}C%ge@TU>16t@k%T@1{Mv>iPovUMq5_1a%n} zf}C=CT3-iv+N}V<sLN7fRrK+m^mdP@0 zvcq1)L}SW_3T4yL_^V}0#JUrn(EEeH_*ls#3fk|Ei@xUMH5q2jMG)4KW zEO6D{X^ElL8frj#&|OOlOY^|!obU8lYv!na)w*GBl*+xI_Xy6vmAW1?qua}2-7h&> zR58D~P|Zx$zBvX}r&pe}EglH3g#PQ!%Va;$S{&xhm?_aIw(K7fp`>oI)QOGKtCvZp z29lM;@<~*^-R0g7e$i}6Y*B)Lc5nRs6#;^Pp|P}ia+!YCKXg$twk3%hT&RTsqHTJZ zMWoTZ&pd;#FW4)Ytcdkv^VPHAbN{Y7qf@SD^n1--9MMlU)Z$XYn66sfuhAX-hF!)$ z#C~moX#~YZI)Vlg9(En#Cv_?FJ-&bqKr73OnxxYIRD3b(3vDkLCa%N`dyq&6ElPfw zoPn9%N0A+r!7;UB!0Uhf2a$6@8~1p&D?HM)C51OT%YJH2D~snfQkpq6S!Gg4rf+&n zBhjv}?VHYA=c{Dz;}yzq2yxwp8W-5B;pAV%4$>R#BZ z7R7nWxY`gA*xH~&JcBT`(BGvh^1(m=kNp&{UwRx&qD%LD?K%{+P;mIb^a4`{GXTAk zte4Nje<}C{=Ep#1RJ($QJu`;37%y+%yKj@Y{k5^nqvDhSUH$p(zBdN)v3+DOtvX-a zvU~sLcJFfygHiB#qCg)LVkDPtvjU0ulth$Z1 zu3$|X6jV%386kw=vI*vKM=ri|z4+?!ZuE{*{u`MfPIQrIp>y5-fs1F7`3)6f`5gl5 zcB1xvdl;ygl6TOY@m_1;FI7|2*>5?QgseDH7l&WcfE&pfeuoLz@l$&IU=Z@wX`wWRN1it>=(i4KgZU|2QTFZnL(*X;I`}9@)Ki z{CX-WnrrLY!aDbb_Njs!U-2S$PETurMdqPRdlPn8@t&X5Q_#gKuIku$&>%w>kq!5q$ZlpXNlELrKmDVBVV5F%lb=-?ArSIlapYK zo4P5nbV8>a@2n`*4=L^iGsvqDEC9TV|RO>>zTQDPz=0hUx#=0NC$)RH62nivmE*!?(JYa9$B6fL8 zI(A((xp7cp-(li>7CJeSNN}zfypV5M^@}8cfoIXgIx@lNM!0!MOYA!4vuSS9?8fJz 
z_qXaeha|DA!U}ohUK{~6GrYC6Nadjso;iU$+8N;8a2YY|`BZ-o#p^EGvaTGDw^TDB z8r`d8x$XiBMqjrV@NlYzy^7F*f@gLu9Vcx1Wz;A7r}XPvoDKbnS}~daGiq@EJ>wVy znFDcry1t=_{U2oqMz8TlyrO$aJ~(L>TqrKNManL7Y&xkZ$vKgl*H;8>{k5qkYpbcq9vbQujTO-x(5uhMjdWP}Z|8?|_0B_3RAIrIGujE@4Kn^`cRMJ zI9iGn7YIhg`?1>#6tqu5=l;qagEv${CSPV9=WLq2^FO*Yjkz6pDE zcv`aZRu3H$7?SXVkXL`L2MxU-tY>e zql)po%bcCC)?AxE3VKVtXHwRgMg8f;`22Ca?n!*pY7T$5(&*UWm1{v^`e?Kd#^%WF@?0#F^_h`E~yU7PAnpk*{5noKf>bJ4_N2e32r`C=!$BZV+O^>2VYzFvGf1NTYAq2-q@mPi# zR}+o!RiYD64Bo$}8dqenZg)^YY-67qKeS*vyqoDfSzcKg7Cg+rm+F8#&H8$8Dl+MP zI{ATv^UsT?{&8<_%HWsYh!;jd^JZYpGAv0h5_gf0KAW8*z<5QYw{T%3b+BbAXHjnyBl~JQg~QLjW|T!(1as#r7^L+`WTX1Q(hR)BSnX%?YtinfLCt65JJ4Y z7)_ZxKow(abgF{LXTD9B;0l z4tyc)BG+kHZpG<%t+}p|a(;NwkEBB-v)=f7egD+V$J~a?;@0T;gBfXw(@%mK*R=M| zbeZZVS8;~om6xjoVtO6$ot}C;+><+*b70}qYsoz^e~twVT^h5i*eU(ZfNJt3)1GtE zT08l~r2!&IgCdzl>rN=_WJy)Pq5mW)X4I==pn3-mZaq24JMTA2#HHZcdo0r_|J$gt z?lC^hO1=N3yT{?mbn1q4DG(fUL0NWDeZUTu2uccmCy<9B7OF?Y8nwQYsyBCsiTvc} zkL;M}nKWK|+rO4}D5AjM4My`r7IIFwwRo$J*l^B8Ehwxk^QsyD)POQjW=r%l zw&i^O#8LgTlY^udNY128s2)9iQ%558hgs}H+eow|#j3@seXe~YL@W4xH{n)mI`Y8Q zIAMEr%!M2q6;mkr4*Hpscp*0VG3-WEPH2PsR#}GtBEK?6#sx+U-jEX2!_=8kCaZ$1 zp}sB)1XG}PFB;(vgB2GR?y6jo^+wl#4l$wLjiBp{n2f()iG6>F54jed(2`E@QI8L^Q2mSwkE3ZE0}apnhV608iToz>l_ zm|sS>yr&FC20nAe&|ftBHk1^tc2{ryD#;WPTH<)R!J&lZWhLA=^(>3p+9^qfo%yY% zTNSby9Auhsazm@Shh7>7g)_(|GSN^4Dvzc-4k^HOf*^{yjyv$(iM0wLFnoaO!CyTz zypi?mysUOoDINqLA?;`Ad+M_uyAv{SkJ`<$uGQQww@OWFAPvYC`KuKQ|HsRdhtT)V z<_d|%W#FZ*Frzr6QrxL|-IZ`u&@R5&=1xw?-*&H1kTmO;h@T;S%7!E&* z(JSOziQ}}$c1KohbuRn+el0IFvd;AH4`LQDO_6zokSSaJD#eUwLYQFLbRvojQ}FlwYHwpD!@aV_4Q0LIeY3QxcP9s9x<@$$+I14@U(EREl^;^%#eI@q`5;s-Iv$5?KFeGQHP{ESYRBp&lz3CcFLcVXO za-p|;XtdNcNH=SJw-Jm5aw5RKS(MB_?H+>c(@>J;ver$mLS~7m zRi8h;0(xilP6M?RmgWkEeabD z(CF{}*9)Wmyl}hV3z@L?I|4Ck|M+d~0ixN*aSwo_j>9_Ijc%|P8`xMqna{Et2i%6P z02A*DGqJ#KpTdCqxITb`@GiYNurmahEC9 zk4~`>5#@)G4$N@w)dNn8VRvF~eufwDHK`z^snhn36UQc*@svs%jI^ZJWYelV*G6wt zD_Uuj!%pUNRHAizb?8*h&K#M;gE()i{L21UQrvANF8Ld<6q)Grj0}sSST#ypW!JF^ 
zCABo7&xe$Wi7pNWcWp&EJsW>KU~SE;Z%kGD$b@l69X)lxLGE6dD+`6ZzkCw#?y#DD z>}Oyecp^U$6D&hlA;H9@LFX-4`tegRhS&(pQ<3-rS072z*L8$ncQG7#xy&vMyvtVt zG0odDQ4$Nh_aJWrPT(Qt(JIOm<*d;iDA?dhf)~wUriT@a)NwtA@*rlXE4MDu2)7`w z6ETcj+<#gSgYSS>22!m9LNRLHQ|m*gkPeFZbrUa;0t#uHVjbB;Hkfaf=?^_Dd~-ak ziJB&?ZGB6O+9af)=wA{A9s8fp2R`Z6(FxC@{1cU$^&k~Y>OFUfdzYm_O17>oKiCTo z`A7KY=8pNBFo7?f8mb(6?jO zR99Q@TaK2^=g>UtZ1z=LoG_}>KbQDrHuRC7#k9h`T=o2Al{_y)jz`l>IhBRFdq=PZ zy^~Z;hFms@-o#EjlHWjLfJ&ASjVK5#Q{MmF5p78`IRY$Gs&A+BjXeYJpGk#i;5u5~fjy0wK=j&d5^UIwH z?w){vMV`d6yf=TM2Ayc~g;ngqxR#14KJ}HWCfZtr@0EKk9xEHg?W}ax-GxFf58Amv z&j}+%6lvxT@n^1lLBT**Ldj+_6XP`~7If=x%t< zfPFlkgoWEqGCzyk;7egC|M^|K2D9bS(6P1dB)JvymPnN6ueczOabqDYPcGA8 z0y84C@mC&Xv#g z(0UTnpuyPL)R{@;{G*bkR>AWD%Mkt!_$LXh4;x^yXq z-a_vr^b%SE=fQQ>IeYJK@AqA6fBzyz6Ygj3nQLaQxrQV#shIed#3dx}6~5a`K*&bmb))+FKN8?`omNIetsGsC1Wjy6UWUFJ;;bBDK83gI&T$yRjDZI zcg-&cxnAGEJ{04k92MaQ97?Tr%A1$7HeIj6o!wQn_Z*rgSgoK}JASurN-F&&7bIBW6Z4ATb z*rhx5mW4>7jJ2&h_n#79AFXueHLxz4dYgqb6sJ+SPo#_D!#@T*`rNAPkt%2w;dBT8 zWLfaX_1pbtHK{+{VU9Z3D>`3I`L9lq6MAy4@ahj#Xo zgVirD6>Ad|RGzcunD`!3fPy`ojnhtf;H(clk2`O}f3?*w9)Ots?jIvEV@(qgA(JWKxS`1 zRbt;2gK`R-OP2K+Syc!Xp&9C0CiVxXH^mtI854h_fWVo8DURhawMxU7{^h~+I_Q`~rX z6Q%A(jVjV|KuBgH6#V>DN!YY`(gzeDm=wyT$hsh6&r)w??bZYLLTy`kKK=2^-yGr1JDmkn0P@Sk5QC zMH13uS1{Zo!Ez8(Rmo}DYH1T=m05SJ_5dwq{42NZFo##g_Gs)HaT;pG6~b>vb<=F- zFc$felRxCK=v)?B287DWU4Sfs zF~b8OZGZxaIO~im_mO(|nPP}x3)RyXyYG8AWy2}|x`qAI0s6s6=I?lCBW4L9u_#2* zmFX|?W6;~x5<^a1na ztZ=bAej~6!z?hlz%2aO8H^B-IY~XcYeRhBNCR-S*-{HGen9)76`0>Tbo6(q^@0RV-f)-b&*#Z~?Qhnxh@pSL0bDo>S*Hjt~sJ_OvzJieliH_7)` z=jHySs(*2J|8!{o{;d53I17#YBOF^V8iwp-xok{qcRKJIm;@_OS9fU-e7nQQo~^c9 znu~Fv>qTqdv%3r@*132{X7BwRPwD61;CcFera_tlvUx?1-C6oBf?<1=OYgzu&k>eU zhpGvcOTE^2kAKB*qAGc;gl*kdvhCWmI}a0;mR)KXRs_++LiOhF(kJeqd`-!5BIRMe zK4%b%5hocg*3M^8y+E6hyL(FvvTRA;pa1x_vGYoyazCZN^~u}r89!@4-EUii(!0=! 
zZeGf$3y9f~bUHNyv#|3{D42Zv+lDOaWx3tCIk4?7h0su53Q@;2)R)NKe+bWi?^1_04@`D|@*bMo%4KhH+&f)dB#a(xmwy*!` zJO}`&LqLw;OHDY_C`pBDz^;$v+826!ZppkLg~(J_zxGeS?5{Z6e|)Mv)I@QkT*t}N z>HXfomh0RbdJo7i`JE#^VrT9}0fTBFd^7@^U(I(Un?BctajI#bHNWmq_{az-;4rgr z|07!Yd&hBRXu48He&NMwu&;pTr(hDWNW!n*8}svHV8a3PG!hTof046I?=yfdw2JCs zIng%_^LQB`^?{{{AQa({KKOh{x`0e_yZ5JJk236nZwsvl{9gLb7%mx$e&- zQRh(Tp<~>=%0zXvit@kxCo=fQ|Kk4#6#vUlC3#45OMh6iFa=*^+k6a2{^mzU(dGX;6M9Z0GGZw@!x{+eeNLYNw63?WW?LzOaTTf)c@T_8xesjyB71qPXv5` z?YfIJOhJAD4Qy=8MJQlJD%~$Y2yqv4UB~1}f?p43hTmD3F!CoEAonij&DncpsKwI& znE3zl%>L~g;<k$V-uX_-s!lN2~SE*Uf)9trceUJmv^tEdTm1W`=3k)~f8t>u}l^@hfNqLqQ+{jpG z`~DlO29%+$A7)rKL4aClye=``3^AWgS2?vv0X%WwJ6%$hoQ>jIznf51Dfd&ekUDfN z8qtM`Q;@i&=+AQ;no|5OaR-F^e~cHG7~?$TlsNY^mJ98VPSx$e^aF4t=>*oR*@JANiprfcO1vujiWXFqnV|^Ds;)yWN|SXWHEXDznUPCZLPpi_*dACNz32X|MKZ z$5lk{zoPnY4oD-Ufx&%TAR|966gVC)l5s%i=&CyNuGNQt-??QiX=PS3>QitdO%8Pn zCv|2#iEJ8UhIx8BGKc4g?<5#`6fZCP?t0Fng#d0LKe#_wHjMMmO?p!A=aJFm-_q2w zr}M=$tN8;Cz;YMc!C87!}EOlO$-%6ED5DS3_l(A#90d&oPo5v^T2 z=~V5NPg7zGrf*NED2Kcf`frX96!TX2m=*Uq%N_11ZDdId2nB3!0>Z3c!Vy7j7kQjQd;2C@AA}%7#Fq+$XSru$Ziu!GAavQj>;5-E zhlAz39j<=83X2gTs5UDa{{m_Nv#P7I?5-4RK+_7_I?`T1v7BUT1973xUu}Zq;;T*{n{GvZROkYj zS^3mQ%`QJ)rZLf-m;Dj*h|Z^$e*$u`9-$G(r%mzi(c=I3(*_x4z<~o==cu1x(9CNA zIg%^y->PhQZFo%Tbd6&gjA?C@5&d09^dLLj*077 zXs@)jIxPM?c0IR*MZX$>Y3`87V>@g1{M#7tKmIgKglOd__-xggMT{m`!pe^;Qi6gTUHtDMn9G31!FF9sjq70iU+$k%Z|^HO1xg!XsdfP%2~?< z>-dD&Om~a?ej{Z>sW?w=g^QX?d5F2^oCxV;sI#Ivy^dlc~I^+Of7L&zqo>yJ~MPVLA`TzZAB58!b_GqgaG#7YklmDILOySz;-PF-gMH<)i*C-XT zI0LVhgT#k|03f@>#_WeW+astro&J<>d$iO_qX|rP^srfq1Gq3cr1IxJrF>x(_(1NQ z=GfL3drdXEcjbNx5@gB-4lbvP^gwexFA~4Fkt0t`pDS1MJlZ>%3t!}~Ql!q%2zC<+ zY~?WLQFvj>J`-*7dcWx+#2j?Ed}7A2eV2}iIoPLJXJ5|~!&AGj{zx;f4f;RY*?&ad zrcaE3U8ggEtSY6*gp0<@S})h6cPjf%KTtXr$+Tz4s3`uHDd1|~vwdk>2h_d?AKhL`!W!B zIeD4YDa7R7REJG5<6!bE3&LwgIb6R(y(=tgJ;-03qa{RKu{fZCbCNUI$E6XTJIJF$ zpL_ti2%$djsk_FTU3+-~;lh^!KXa)60$=|Ew9jJ!tP{|)6#I%imVfv~;|bgC9#RN3 z;jC`(qTd7n>|dS{iT;p-Ymn|@n(&7^>G1{Ndi7hWs;u1eK;bVcP*S|NCBHR5SV3F4 
zIh`s%Jm8DmEJKF=fJR9Nf3pN1-YHde%z}II8(mnIK21ja;K8JQcBs#+GS^9tMds=) zWSWXnBH(t$S#1ty`HbNzxLzx8l{WRh4E7yUOlL(F_)STXeQ(_|BhbSCkI(BrJDJvt z=SgAU?MQfY6x6howP^VW?agix&PPIPR`xy=CMP9Nw$62g|Sq2ZPVD7Fz6JKlF?!2BJ&q<4q-ylMK z8q^Ns#K#+PjY$!Iy%Rm;5#B8Klg9DC0hMRTb`L2tHR;*aG#<=;(Q7S9hhHA}I9g)i z+=0rPyeJwZX-Y)Bzf6pHirmi%V5}BR#sV?fcKiwCI}p$Oq^|+jQ-HKmo;Ac;sWA16 zhHG@Jq>KQWcl1y&V6=@X&Dx&1dZmiT&wa}TqO-^iGFQ3CxO4l2wmt+u6K@9jekxru z-RER3XB>CW(TIBWHQgJj0h_gg1WY4MOj3#ux6GJ!($(54ADp`?j611Nlj?>8saP0CZyFiGkuD${MdXPyT&ts(bX%{{;Ax`@Y>66FN41YNf2HU6{TsrXw`>fQgs->?Fe;ohK!s5wRPiv9DUm zs^NLbN@H<*Q)DTw~kB@+ab-`fgP5 zw~`$hD!KBzO2OY1_+=AIv_J=~ztJkdh8vWN!4%>)1CwDN^z{#&A$l` z;>U<>>3h9z0UAiY_J^mIy}smC#zGJDNmISvZN5BVmYAen?+M$mhgL_}gZ=W)ENpX#a{^ut^9yFj=A)onzS zKg%co%KL1Y?9@eB{iYv7ugJWyT&PmrGPr3<>eDQ`I10^ISdNm(BM$TH6O%BG2{V^mD2V;e!w|!6TfPhVYx{vB;Gz8Eb)SFx4oh!Aq&|a zXOxak%f%@6u+ksLmQkbwYa8qvt18=asvgOtr99FuAya?!{D9lpIJlyTB3ZJ=cWC^g z=+;R{*+jpGZx_m?V69Hh3CQoM4_`(zXPGS&b;*ErDYNIWlIB&0+}dh&@8GncGiK-C zi2zEZL<_k-2EKIG$DzN<-T-0wiM6>-${ya@ou|!=mn7`G-_tY%p!*#Fta%ZUKNlUi zTgtRhy(xDB1o@U=2+A}WBiN@aQV zJl%_S1!fSC15+ExM8a*a@o=mLbK>Nu(?tV%&_np}WBo_*IIi%5t#lBU(`AL-}E0!T0|QLB`Z{D=x*D}BtIJB5(nJs z+WCa3ngcO7V;z34&0cx?cNi)Sdm9RSI1Ow(V_-X2!Im-&I?cfG4p6L~`T;9K!&k=d zzB*}Te4CwM8l!#=Vr-6cKdfbsb@wJY=8RhOP`TkEjRbWP)y3<*aR-fQDt7A0T+0H6 zL{~_CUKP%mFb#$hG12RoTc>ADn>Ncty4CaZLUFg!0#PjfkM{=YSoGm6-4+)>X$nCknv)!i5gv$LTSAIgQ z={s|wUZ=AMg=v5shwz`1zidaBiC+vjR+%aCtz2P7*Qo_vi*uE@BxY! zTDD|-7OKP8&(ocBAs~ z!Q63`oFRU>5q+4Z<7b!cqT^z#`PGAlU5iwrS7@AL4p^Tm#*z7{u4y95%RL(5!&~5@ zJXR`MY3iksk5%w0#8wKoojO**<|&eYkQgGX%Xx0aVDUQpVh9nljUjpP26VW?@!vU_ z|BNjCo;_*6(bpn}1LkLr%y%p%tATDJ(`f5g?V*nCO}a(a-EZfA0Qp-h`T5|RG-m90 z^-YlPIG6&*6zf0#0BW}~`hL(pNW)6#YK3p?Wt`~_tFrymcy?#FH; zQa>(yvG(CgeS&s2LR%Eoc(uGFmt(i6R+?YO3%v-boE>0=eHv&x1M&CyNWXHPSiYk^ zId}%i(aH;P9wLKqI2L8g#c0q9kURG!V)!QabYLKyVSI<2xzhDQCR`Ug+8-QY$>kOfzLb#*l|h4@wn z&)7F!+~ejPg#da?V*q_|h|o+#Gt+g`DynytJ)DA(s)-oAy8L@&(p{N^7UI*gh_^!l z;hEJR^C=Hg;?NQyRwd?o4%CO0j*2#YEqd7+&waHRhXanvghM7L?XY|wBmbsRMRI(! 
zSlHiP#bZ`Ram*853s!)ne(2{EO@FZ=+qFi_xIa^HtD zy8}!a><2fO=a~kbe*}`h9nV$*?jKx%m6$ryX z5$H>!--a@q(X!1(ZkRBTdf~)=v~6>@{FJbtTamEVmI)RR_n1ntZ_SjtI;gGtqeWby zdV>YQb;6~xwN-3MJ`*(N4cQ~)g!SkW)$xs6?{b~%ONdfy>#M@*>Q%MrYE&U$eX8O! za{K5GQ{MFw48TVJJ4WR9Q+m2)!%kwr?IJQ6jV9N>B8K=!V#Q-}B z0LA<#1C6ZiUXzZi$91P8T`MTj<*Vh&D<0_a-B(!b_wqYyJ-jF;!PE0-iG4|}?)BQ) zftxwJ6D4;XNG_CH-$o>;C=@g3T8zBTGgantEpp>A4)^^i$?tb=0I+)vkaf}BUO?lA}783 z%JR;g03TUWpRQmnhb-Apvw^!=@;-5qh$>4oed z?*me>`bgAJS$T(Z?}tUrsZ+J3$DhZp9_lZUJlPalZcN!_9HnomELSLRb>Y|FG_9|^ z7Oky!xoRVJsgYS(d9T0jVMO2GtjZeAQaze)*hH4^V3`p`b{EFDwt|u7c0A}MyW^fS zh9v_&7iUF%d64*t72!3ZB}Yt!r^0+`G~NO|l)h4=Uv=?r=OQ=C?R$V4h4Ig^h-zDS ze^4w!bVsZ^BGoJJ7U!>(;!Xuc)%syX6XgbaL#r04r`V7vi!McM2264E z>xDUKBO)q!)ze-V6tJDDkdGwtd-`0nTAt90!G1K))j#%qyWiel zY+wjZ74eJS54=i`tESxZv?5GOT)oFW6VVvVnQ|j=7+|Q& zG+d-j0Jd(;^1KEqX_7q&2z7ro&FTclxG4^>K7q@Qa%~p*9IB6Nys{8&HR7L;y}{Sh zlSoYJV-juIWRmDFas7ozhj$jvKY&4;k6q% z7U+aLe9wgl(#z#G?-P$g^pexd8g)A!ko=AeJyJyF!%Gsift}fgSrFsbhm`q8GoSkT zy#_FhdO3PzO9_yNsqkRq*cx0Kc5U=D8B;LwNef%W-`096fu6$If$+JLFS<`Q`;m-8 zz1kD;Q`t@-&wPvqTY)VmWm86UE^q306v#{NcM5OZlbHX4zeiUvvCa9rM{czRhS*dj zd)N9)9CwiMliNvDALC+15L-*DitGlVqin2mQbvs+NA*DTE)BE(E5b9$6nia_Xrebo z!RXRl2!s}2xuLa&A7DPTf~C9YYA=LKL7BoaUp>2D!Tm)TG1y^bt$hMNMA_Rg-Tat( z+ftlvKWu0O^v%#83|g@l&?ZrGB;vFESos8YZ_HJ8CSqZb7)-5Blg3z~K4R)gePN}k z$YT~hb{$Fzhu`t#dg83{G3I4cUZ{_YZs<1qy4vSvaEL*^xWgQw{pn0lw}!d@mTJRr zq`%n;gGSvuz2NH7*JYQow?np$4aDY^e`i?Kkk2hQ%BxV;OSFv|`VpSr>Ct6HzA&gbyBy%t;ESvAPY}~NYACJMt#WwhDEQy-;%SMNhE**u5I}1HZ#u!gv^%?cDf70;6!>f1JVErxfznrAh9vL=yf>V0a( z2z%17ZgPIbMo!=Y}XdKdc>c;1CFK&B;+ZpXQEM~DWiOMf<| z`4?^sVbtdTU)%?sq%OhS?1$x>ptT-G|U4G8}59Uu@mPnSVVM{ z*dmeUYZgED#rCpdZ2P`X19O8C#ILw!hrTC4aii-)wuWiUFVu8&^J@U4&`EWR%JD}; z$aANNsmnSAQL!S+A-Tp>mZkk8JL9ni_*UQee&MyAW1(NGIzj#pzL>S98=o?%EK?eU z43DiU7qJy>mzL`H%xCb<29rLf))9}-2Q#p}`}ks)8Isa!s+AT5bkb$O>Z_(O@lm-U zlU#?r*>6DdqpF5cHwOpqLtf_K7=be< z?Il8EtOD-0cIS&X-9{d%MOAgRbX;40e*Dm_9k9V6*G3r%>{fjKmsmKFr4XKJEdjxJZei7C9H7G 
z7ZsFB+pDu6ib!y@uHph&wtBIO*Q@sf?>mo?&Wu>pi`PtVY6q}V;@2EU&ZDlPQee9; zmEZzETj>(9usZgp?0JE1o=dXh!ncwWv7h95x7ylX6_?K?mQP{AQ)0_xj}m+IJ^PCf1-&Dd<;lr? zSMpRDX(%2~@5K7p=-MhV=7H;WDu9vk+-F9|6pF+4Xghj5#pbPv34OU?@{F1;yPVO3 z%8|RWz#P${C-X2=x^j|OV2>@|_IV~@iwJ5V*KF$FP?7bCCsrC(8yK{7_ zl^L1?16q5tV!zV(yVVbc<&*4p(?v>82PT(t7#9?yuc>ZC_Q;WuT$PrqtgqhD~62g>WNv@heJ33bgDG6e-= zAO1?;TpPYKi=Q34JJeycBnACTVU6mBCz1DBa|+UJ(uQ++oSt#{<;|4w!_Y$GVSVES zJM#RI@}m$Htmo_bHUYM@Rp)bBwXSGq}Ca|PJfL3nh-#5i#S8Y z*I##8LUy}{7I_F|I}bpIBX@<5Wx%mhIuk`ZFFFlGa+AJWm^=r28y-Rr zMu`VA`m|zOYR8)tsw)(+2oyhK>Cl-~A~ZWI0-gu<8G^p(7vvW9*cijON`R}o!oT@g zaoCn%gRb1)H?Tb}j=0C<{6R(Gh!aJB7p)-7Dr9j4)F&>fGSgOkJ(>1Sy9me}yv5N2 zj6tBRLvo&!QCyy8hO=mSfKgSEDz#s4mXxpM=e@G1S0O$z-webj+H7fF(r_MDj!2n) z-!P>ZRPeuJr4q(5z6J7T8*q$-tL#1N-zLz+aUI+xrdRI~7zi#c)OQ_DPuPC5Y%W?0o%(8ssQFsNX1hp##x zLOJC*-86HO2O)`h73B9vTKh$Z$TPMUsXZZn+;K+M%s23K4YnIxFF+ec7;N`EzbjUe zuZwu*t&51dKBki4+Wo<&ru)SXrJ+q?B6!J42QBETkPr*N*@s$>c?dCUz5T+qH*8n) zP?}9l`elw!>sgoz_`O?dnofTRQ@{kf$#qVK&x)BJ4Ln&tTCyizi|5n-eJBlVtPR27 zsMWwXkEw2u6Hz~^jAsd9;?1MFc=h!hDVX}PJYJ22fz4k{pOiUGGEE+t#=M|sOrz26 z?)0<^&KlO`TLdAMCcE>2m_@XfQ#TmOhPi87^Gk{??M>O<_e1>C*IMa4p&nzsvoUg~ z?EakgWb9%;M0hMxvB3_3tKUPVJaP0=Lno{1H#{8mDFV_9Nb5Pvj=y?at1nd5>xPmU zOj%^Q!zFTtoD)i58|D*m=;))EH1g!}bkCKo=^c$;wfvIrI_l(qjY5%dXEQN^c4i$} zcbyRp^B$?h4yTHtji(6K_3vdtT}tz6W&C-x?@6Pp6zH2A%BQGLs^?-Imq3POC6tH0 zjiImWgu9Xn7Bg?RM>at5?Ma`-fKt>UDL_H*{8@fsg?%N)O}o*e--Y$}tUIs%uv1h_ zt*N1>+t@5EyA;*r!jeVg;Xed=$nN4rpC*K!L&h*O&6uGxzlZZxc~ZP$Te>F z8rEnL-+M0Zu7MKCgM~H~r1{*{Qs_V%>64uuKnG;u{>xVgnicdK6ge^!&Tv_8XCR8=$9OOWFN3FKrpv z0M)Z6MSREZZt~arcpq%d4F_JWwx>*vVMsN(Jh7~q^b?nnufoz7EJJ-FK5^(+>Coxx z?{K;(J!1+vBy8p#pSq7s2rWwtbsJ?;oOxuRSnI~TC)(YHyD;H8h;LfA#Q;R99V;N8 zjE)&Y5@cl;IM%2{P zGKgm$8sFJSNKucT_muG`GqYeRNdy9IVg5BuBhxJyr#@wjO3^nA`za$#^&Y+To;1+|Ia>ZmRt zo#4RTW!M=~6UC{nCNJ!6c^bQx^d03)i10*xk+TZ+vEJ|KbL#%73k~pqbjRVJLJxw) zCJ_bLm*0a=`;NBzvled+Zsl|>jmr#c{xzm6KvO+f0g3nzVhc#nIPi6x3&d_}v^Bgn zmBk4~L)x;T5mO&p3Kx5Gnp8!`sZOSs-Ghe3H_}sUeWq#d{4hV`@7;)R@OD58 
zH@TgwEh|6e68;GhbL>pHbv8pY_{o)lax|iJu2xx#EcANr%dN;5ays1cFjAMy9e2cj z$}4sRyk%J8Xk>qKXV3Xp?`OLUfeQuTS*M)c*%NM{%xAjU;lfz%jv4d2@pTUvl@hA1 z%cGgp?nE`&Sf7wQ&NC5|>d&D6ZKd&M#9p-&@n*xV3xG>aSCW(pcqlJ3lg60b)vup4 z!b-2YyRy3axTvke4LIr%lMU$3FMr_C9 z)ps?S4o#L%wob|HR8NBl4^V<`UZ4Cqp_C@Kn5$LY_(dy%wlzfj*AXXHS>Qbe5Q!bO zy7$rD;QjVR>WyT?tSJjZcn3W;Cgttz4ZnwXE9r`21SK&#yLR)R^fthh@8Z9Nm{Snwv&XkleLHYfIKORpSG1ZY$FFnd!+K7!ro@(aZ zrC^sdH8~T+>_Ccri9QELJ*<&Qkw;bCwFb5-jbPOI2#I|%{8bG?x!|Rfdtc?WbKjm~ zf)d8933D^xlJL@R=c#U5XE2$-`}1TTjMkQjnRz3wj1qk58u=kq+;A8>ZqSFnd-(R< z{7LwF46*ov)aINNQ?NJNL2w!qsc)`$W_PxIrttMaxKHxDCbr}yU5fo8#zbEa#kU=~ zH=^W?`Pb(FNULn39*k4CMjxRlFvnH{zUjgSC_5-bT3O^)=kfM~ij=ALpPWV1{2<;86xDX?ftv#hZCg;1??*)hkJx3dU?-2J&JUTL17tR~b%J1mM zAGsMA7`7d|q76OAkjGYpr=}kDzq!$W^mY8UlqCzW_#nZyeWkXk)s&IL(9KZ<0kxT7 zSaVOj3=2Nq>ie}N@^kAx>+yr?1oy;q*4_u}M~Y2TxhV`o;%{Co=ZXt5zHYny8)vfn z?RZ^H38F91ePpUupYRIvtIkrjWK39-Tqh-2PjPp~=V+iwbek9d0$Q~8%**wg=1K3T zGBnNUzHCm#iGAg2@tuu}_AQU-3YH)7##6Nww1A=LlY^)!!gpkliNi||JR`bqZ^{bY z)MzZ1u`+X%XCyfOxbKf?WDb76@}J&TuWkZ*V-JXa(oONr1|#>D=NU=g0!)?Mdeh#Z zkGO8P4fp%^5;vJIbIUNkw;deA;AV6edVQ}BwmDo`!2Bv4R$07hzl`}M9XFAhyW`hW zx09eY>ZrlhEpWc~+Kx0AwvEzDM!ku_qIpa)K3(UhZnQ^R3mD+VnS2=^G8i>!X%^QF zdXb}7QqCcmr?{ZFJ7-h9JS_4w%Xc5xUr{z_^(6AsApD8vbrU^Q=;QyB3ScVxrGDSt z>lCSG*f!-Y+_8_{EKiAL;3}xAFU>m!WSR^Oy#Usnbk9%e4;8Y1gX zk4iC=nfitV?>e*#EPT7q^Xr0Dbsc74SQWcBSoc{p{3s8F&7TGCoNU>Y?#;5)dB0sQHDY$%hd^f9hfCG1P&Lz4a|-i&Ut@dlu%24x-eO%uCv;6 zqKNf4o1XuZlxT#f?xC~>pB&81!~(G%n7LK;IP5fJ{Pk!q>^`st?qDux&VA8TtVFyZ z5V;S2EfoU~Kr_~gnl0FS``#~iPLNNhuPfx7x^54%bgCo-^9K$~oH{h^Snyuy@3^e; zwbLm7?6U%ujkXf_m!c&r|94k?V4SNukO)UXbJ_=5FcgTK5Xvks*h6|uHrFp z*X+0M?qx)d$DYB9N-$c5L)Y#VhTo=e1=M#b1DEX&#`f3D9Hn=^uG~qN_yf%u06JbA z8?_4^%=ah5n;kFZiFvSnboe!9*S#ywIIfwznEMZp+T1NN!vyYq=! 
z2@OkzQhHX3%j?CU=vC7Tpy(KuY- zdG6e$i_ix=#^HH)A>nPRxZY|6DdS>LUHRv5zNANk)ZiC|=GUknt2GJk&r2r|Ld8 z&vIt4u8w_0^S;!-K|aqf5`$!?OTO|zeJS}B5#R44_#;gLQnPAzhswnSo5stKgCERO zO=leE{94@D=AuabXh|WdpM|JMfT7)qTjhdZJ%x7%y%avUYyB&cy$12Ft6K(-Kj%($ z)3F8xIx}bCl*fWi_KW5w?P;pu4Z1nrArmZ?BzEB*#ijhPFa@lsOeTRCj z=xZHRT;*Z=+*#*7i01cPlbx!VQ1Z1Hg(kg>Vz8!fHL!6tupt|!qPXkMr!!piOBe?& zD5=`7f};?%cUOv2#S-S`7dC5-2)3=;^MRn7KvKlL_ru~wvTlE`nPAQ5-dn%TokP$M zDu&?PdGW>$NJg`$~h;QT7jl^UhaTlG?^j+jD$r;?$ISjav-3*7hk zYNqO7xbxjbTC{LNdbk9ml))%N6;qAyJVZ=Hlc`2jbKmw#wYv*FHj?)6pbV4k+6ZrL zcgMSD;X5WpCJA5=0UxA&(_7Eo!6#gP9w5!y*`?-MN+E=0chG2b)5FkWy8t_Fn7S6X z%Eb`Q3!e*MHHP||l7JSLHzF?Aq^h+w<(A-|xAo7KfgcC(&@b0MOBd%qlUe%zZu1{6 z1Er^{rwI0y^Pd#Gf_(<27P}Lh^d`4s9f7@Vl*r>}qqyER$W;*n2JhJae&dQ*wTS;O zeYejNdLWL4z4F;KZjMjcx;4iu*d~h&Fa657U|$L`QG|6%PuO|D_JF2-&BigjyEGi^ zaI^c_2w$3eP$wU~2jzx&+=~Kn&(^(aoLk-fg2lKI*jHEFlHHej$9~(O2_jG(exh{y z{Ha|U;tVzRp8hzO{z&DUE+MbiOb1(?01xSDTi38zf3ha^CkN!t?r9Lc)Y-3>z|JfH z9}I82w3A-h)(0C??Go{OFWk`1q_hc07M4eDc-mhUe5$LRcD;r0uDjOw1V$^z(?tAS zUo{A`h?ZJNwUO3auoAQ4JUQvHygE{7NDA9E5SThKir3P)UL`V4qu_kP68(A%&bv%^ zC-7FYJBiedJfw$V$ZTCLFZ)?{w=}!p*&i184;BAbR=)$-Aji4H8a!FlUz-uJQg-p=UbeKI_>{zrjj$`L<(^n5{GFeEQ>> zHOqvOgI#jN5`1xI9lGn$nSO~%PQ|M&f{ieP#625Gzneg^EurQCsxh=wF??%mnQ53E&p6m)aW*4!!VR5|b*D!nX? 
z!%_xd?$pz7PkCu@p}by@WDK2n_9pb#hS;d?-`4^7m%TD#)HqA1d;@DDkE#@7CmdjT z>*%sD$p*tT4M3+aq5Pq1p-z25bZvcO>b$MOCHyqbn|sv-=P3X6qP5cd9UQ(@R@gWm zS6y1(xJ)0DvA6lJ4jN$S-zfyd@is?H;d`Sp8`2{7<0BS_n%o}qD@;L5`KN7;8;cHO zl#*lcNUhAi!3vyii`G_(ogq2gu3jR^!~_wAaQ1_qg1b3pr^YJWRKkD`mZZ@DiP@;9 z)fDd9)@wyb^y1Z_3aHGO(r$67{$rlgfQ&@yqpxdV0f(VWiiXaZ`kEpH)cHTErC_`?X&rd#N2!kaxV?{e)3ZuzM!`Xb{FE_m4rHTqhNOp+-Ko{pCP=oc z^}~^vCrUUMToSkD`jMw4dMi}Ta~B~kyi}tmIy(?~>$M|cME8SD%aEd79*vFMewpS6 zA5G55r8kesU=Kh5OJk422~I4*uBdHG@DdI2EltUbXoh4PGR?)uI$Y%Nc<@AB;P}Xu zp{?&WpkDjWH}C!;F81}GhTIZO_y6(MMq=vTRgO??MyC(!r-7gWlXzo!|CTI#H3xZs?sOzd#U$)*<3dA z{qsAh@{vya>7Q~yFm7+2nYTXBcE$t8Wv^9tX>^i%!0Jc3Ahi@Qx2YFWm)?r%o5yMC zrB4qGP3`q})630CVYx6G{D^4iETdvh#E=%vVf+h;!#&Q^gQ_BxS+9YxzAORjJD)Y~ zQU24YGw7pa-O|d(4UY%@`iau^0;^Eb=&BUb!xTH5=|x;!rZ=2$ARSjLS+O68i^|sV z)NLO_&?;OO7xTYBadoi#z4Rl;r(6sVJ69udC&uNqj~ozh+2XflI6uNJO>f+ERo>eW z!S;g)Ri7dM?52VGyed%;qnBkopo3Mp)k;6--M7vl5#sP+9RbzE$}qM&{T0MZZvD+1+ohtxqv8h=^olgFCyXl*-_>N zCA%N}!L>(4G9`2J?WJaRZ7RoM6LmL25VcHz(n^$^fm4Ti6z)Ug>(K#0_N#xGxFZ0B zlZek$wP^f~l=;AMjz+>$ZXVGo6+>J4nYve~+SAc8~Yn{+bTzAf)l=<`=`v_D2cj#%|dhsxlRFO zh?E)k>d8ibwMo0SJ@u}CU2wW5H9i^mV%Ek47|%fO6rgf~?Q$R1p-OO{YxjE-+s0wj z%p%v++?JhE-yCfC_X+Tmj|%Wp>Y$fTJR}jI45JRv=KiNGg6R|1x}c?y!n=pil_%b#eXi*BBGd+aFSgtc%h0Ks zytR?S7-1)nIHMF({@Zf`BlFQ5E3QsDz-%fx$!bMW3%F%VTxV_XITskc@{H{i=^Dd; zUS^}U$%*oId81I>VhIdjfV*rRW0GVUELB2~B65ldU_P-B}(LpWOq22Z0A}*_c zt6B+4J&uq~tvSgqteDew8}MSpC0MpXZqv(XcfVM3?d=w_Dvw>{{Q(RVTP&|v3Pv*? 
zpnF`Gyrt?0beBrKHS?dvfi~i<=3jler|!Hje&|%Y0;YT0zn7)qLjz^7PHrhfx>^<~ z+Z4Twa?;nW$`$(dV4;)$=;I@08;zY%Q|nC=rSJbl!V8llI-F#<<2&u0y8RyRkI#gV z#n2ltC`{?!E;jVJ>jJ^`_ly?(m@IJ#s^!=oK8~%O80@iQNlsxhUiP$`oN`@ZFG^Fn zG`Ny6sfs+*M~O3336C>0)*4b~FrB=}@|hXDb6Qamgn{Ri9kv>7dsRUSqs#o?PU?Bd zPg!{VW6u8n0{;8d#3}nVO99w|dT`BFxWnq;#PQVWiANv24wYnW+@F6+F+91Iy_u6& zF_M9HZ29yjJu!XCQ3Sc`V}ts73Nz>I)Rv!ECIkB8f` z2T>6N3$Gv!LlmSzeJ8dxQ#!@3u{94-C%@`@aJLA4a%i93@=~Asu(AY#obJ?-&x+^p z{A9p9Z}p1_j4IfsNzR@ZfjCO#`7k(Xsbg$T-O8184%?nk0~N)38?o ztxa%4m=sx=Q2oZWttF62wF*P<+@UyaxtXG8_ z*ITt)_D$%nlPb;mXY;054U;dGPs=#U%6*`;Cq@O4NB;;tZoD9R0h)LC4$(ZtM%_7W z6_eiMu?X;4F#mtpdJCv1x9@#i5G7Pnq!}ayL==!_K)PFyZUO0*7`kidZltB9Te>@k z?(Up{;Xius{eG_Z_h0K>?_#Z4yfg1P&)NIg&)#RBOz1L};8vX2>fVFCtF|e|x*+ z&_Y&y07?M+cCE-vciS&G8-J==v1(_!@)+p=HgvDNPQ*pHMlU3ELpAat8ME0M$}4Ry zt4;8DqaG~GS19LepYv+ zmXzFBXL6q!tFvpe>PiGXBp^|fdxTst^ZPit=1ndQs2OWQg-Qj{Kx6)23{5FOprYMn zSCdT@1L2ZMkqDR#FAKulV5L*e(i}7P8_Bv^uex`ya23Tzs3LtkUuC^AXDB>YQlic} z238145-`h7w&fTo&O>C)$Qo<+>VKJvI2Q%ur2V7HFEb`^mj= zc+(YNxklkg6?1u!h|xcPHSX#Ls)nHMzSl9U!M^(nDjuKfRf1`u6a9N?P2PDGHqkEH zTjiHDuqd}U%I3SRX=S=xsS0j&!GxStRe4Rjf3UC7ieFP@Dr^lEzihdW8@Ws03fOJA z3u-EbD)u;8kaL_FQsPB>F5XXeHdMH|bt0We{0m5Th^%j}ffq>mHtRDs+k0TF_HsZd?ePRARulZM7ve;1ss-{kz z1C~B}^jJk7wK;}@u77GA9)Y~02rdoc7pKZwgO|pNB+21*sxF?s2XZO1IGtVB#(@Q zzehMaZs}beYQ3yf0?i#ZjL2T!Sfe!n${&qWUGJ!I4PwQ+M=*KGrD3>84~#EZxG|~B ztEVA432lg3Xg#N1GSK9|*wL44zWkxxuioO9K!@Q*eOO*aGHqs)CFjxy-i1M};1~sn zJyib}26;u&L>#$|q44Qo#(H>&yuy)&sw=QAzG1OYHO~U(#CjsV*y1;Ql^QEkcHfAWxz>F3bf-(@Fd!zPQ-js_l%_4N#{k7>vyAXj_FE0soA1R7stwhNS_TwP?F0NpP3viy+uVL2uv;y3*`xFG9 zkZ$xuN_j>2MriM!a|S8x*FvIRIwTt!l1o?H6SS=!0| z(7;*Z(MB4t>SoC^+|Je$(2*ThP5NO0>+UZ9;sURnwp0o;_Gxe^!zB3ReQK{8C}JE_ z7XAHD%i4HN4VEu6sj}X7SKg7C&Mq|NJ{Ix?4p$@~3p#vQb74jBDe`XiU@)%EuG_Wd z$#>Nl883LE2r{(*GWFYjbop)8eyj(W=_s_)0s!F<9Q@ApC8aZ9hRVxu%OY{Xc+q2u zJ(bpR=1m0!aIo9=WwDy#Ryw-;GUS(42Ea#;_2{;rzaoBDfiLvv6I{i{T?F3DE+=RC?jNl zT7Zam8cMuf`%xpDZ@W($JQ{F1J((%nZHv&6kRy7j2F 
zgMAbi?pjP^qKy||z%)N-dNN(?L8b08C0D|_pZe<`f+>z~s$8)mA?@*Bi~8JZ`R}Le zLLiOKIqJjqS8x?euKrnDir$o3@Kf`h6w2GK1}3;42zWoJ3UoU*w}M;mrF&%9896vC zs3+1nhSr4h64XyMXcf5s7(Pm4Ju0>3Hya`FnUCk^pWk*}1{^|KdiGQ^FBk#4yj-N0 z3$(8>PvZI)V8gf5B;mvz;~FJoiR+iBZ&?69+r>~qYB@!-$ z*9lG;R^-QUJ>hq!Pv$UQlH$J;H^e6~rK55fsDG0qy_eYYs-i@yG7azCBoSY9J;ddQ z9FwYo{~MW#{(Th*IB`EsMKael=a_~^pzarfRhvXjy0`v)S(2-cQ-PdEfjxASi2_+U zB#D86uJ*6F^KajoYRk&4p%@93tgj|V2U!n=C(nlDoPz z?v{T(NLb@2mEv3cF;Cl2EY;#Rk*56C;oJdd4oo{P+V>;vGE?d-l0}Op@~?sT>n@;% zP7Pf?)MjKRy#^T0)fiIgV%~mdGMkQNw?w%g)ka~zLr=7Ddf2Uld7tF;plw&O;U_%z z9nz7*l6d>_#k{!vCsE{Bs#cGX#unu|MDF3=Pgh24k;fy59Imn6nqoFew^OaKyZp$4 zyn`~5;{3D)a*WxySG%O|yjCRnIobag@-ik+G?hUDpHF%qL8wvl%$43ZyIl zdKhznv>0xuDD&!iW^3BfjV`v;s@ch1DX;i`7k2n0g%k)ECx8$41ECqA^f1Q_%}0qP z7i&i;lWbqsX%d%a7!Kqr9R2o;OEg{OY0p;NyB)HKP@kQ0@5n6iySCA4oZp&74*^P_{lMa)1#>;pR5RV0aLjlWBcrV&)UP_ojmnqe4LS~|!zpON)_PVd_OnIa*N_s^?$PR7iK`aAH_GN~_}-?? zaw5jIPfhIsjFkN|27{H#is~g&i2hp>^cv*`uyV`oYTEGt=v#T+IhVcUBt@~a#)JKO zi$0p)>+&B^#&~-shyGk}L!CGFctTeJps!OISwd{R%VD$qqK?8ZcTc(#e~-Ks%DAH8 zUjLL21_QCbT_)@oYIO}$O(Qpn{l|R$&yGM>>gW(fPBInbBQ6}7VI_hOtAF!g-|y1*5}~7;F?v3lgn+4v7=2D!dq!?9l3V> zM!no#VzaM`tbwLfq)VRJJ2t1nyl;xktt6ICq~`F;tliGDcrA8AT$LQCLQ6A9cKnV~ z*CpWE#pjy)ZNRKeoYcwHot~S9uXKYUs3m4NzVzAM3IQQ6ac?B`(kt-67t<4r%!)^k z;Pr_E>4w17Jw6c@htaD?J8Msp^3FQkEagRjMfQ+f$%=B2t;FAML^8tzlhx*zNo*BH z+r~0IQ^4^l+3LVUQY#Fk%g|2~c+fUar#tQQAvzDD-aXM@wL@^%Q!S$%={q={gR?2V zBpRAYR1fs}b{RUD5?21H|3|5it6qxcVd^D$KZUkzBpAbaJ^C=5s=5lVJRVX> z35e#GMbjTc?*-JE5<4^a4<);fHn7vK(gZbU-#lzEOd)%2nTv;&oh28=6_|h2@Z^cc zJ=xiuhqt^w0ZX$w&h1l#8DRQ)6}yQ0119IkcNyJROs7P@O-GY1%o1dHm<>@^tvRT- zB!Rf_25OPy(CMTY)WE=MTyT4>GmA8Mav5Z|!6JK4`Y%`d_g$U^Igxsdc>($Aei3PF z^oU}i5=#Q7dEiAPI6fQ0eQd#XdGW&8a7yc8;B`H zhQeR@J#?|EsM=DSuivTUBwTnyYczy39z!`YI~xSJ+ZMYa@x;K z0%$sWmm4!~?~fuWzFdjr08dRx3_nkbv70VEi7kz}NZy7R57x=iQd?YHGFk~X-x|~$ z7L+?*rF*zDL}ses0h*p-(A1J!2fCZSnZq0S{;+3$;8jW_}W$f+DUPiehgYa^Gkm)0Otgzw}wrcR`gXq)9WMzX#xKm_RD>92fhw7xA_NhptOh#fW*zHBz 
zRHdr$4QR85sNx`Z`SL)(We>c3qy?51?4UGoFbo`BWnqb=#vSBi@fybSbKq5Q!*Iy6 zUQhlRRu^a)C=rv+St$2i@Z#jRP}E%RX4af8=hB%7i8mrepsr5RkeciyM@mp9a<(v9q=y1 z=4RKX$O)N43xKCTahV z=@UTfShH!|V6tla)$}$HaXJAoIF-j~^{VBbudvX6pqo_LDc1sJ!zhXMJzwRO%Y4&a z5#?!+5LMgTL2P7b{=Ch}SQ});^7i=~wF{wvVr?#=#~gP7nUP~9ji-|Hju4COy*<{4 z7y<3IJGsfnIn1Em6h!0nS6m3bndph2Zfp22`%L>C6o(wBY8WI6q(ArFDlX>VT_Bms z8dw;ZgqibOp27F#J1r{U)x$vREeBj?l_(+x4O`6iZ-T`W_MyUL@q zrez5$wag323jJu9 zKjJAmf_PZUa9+#MyM|Dh50tXbJLb$j-9r6)<$fkW!T^1qhHsikWUQkMtiMR*qFH?` zBU(lUDG7XqTrnWtj5z#7kR1P}r`vqXS3pHr4?-ezDrNx*dY_bc<*qz4p8jK4v*pei zPqSQApq?#V;h>+eK|5l4cpjzZzzPk;EwHPfH}lPwQZBQXp~mxqOYs*&Upx57Q?fJd zZUu!qI6z=g91n#@{Cd7%+%`Fo?6H9_SGF3FtFvOs`n=&|yCf?yw`uqD=2J#nEbFgb zE(2e|WDS<#IrHxf&g^&a6u>y=J@umd3MXo!BEY&e6|gFPF+GFpcNd7O*teTSHWMDz z&)}U8MvJ1FbpMCBUnKY)t~I2F;_P^O<;aZ)J&cyyf9b|x|I3`p^s6FSTjpDi7ObHi z)t@!cC{vyn+}i5M?OMqjTM!HF@z^;2;(v3!-;P8ag-w6BYFe8|c-;V@sGnJLL%AZwbvuLcO};P?nmkB`9Q_Pq29es-BuBdCwqufI zgI$Id0f|W?U(|EDlb7B#-F*4}S6Ty+^g7J2wTx($rlJ@%YJP1nCf7M$Gn@u{wxi6SoqLqV z;pC%Szkh~hUlM~ZXQtU=S1WCzP9HsQKTF+zXWMLXSto1P6+o71xm!A&+LU3e-0qBz z2z?!43;l5-Mkh2kZa2YI2YE2krAMd18$ufaLzKPA%m%v=rQl+gNV6ihSo6W!W|<|v zJk#WuFvh#LU} zOy<$uT52)vg#$!mdLo`b$(U}@WKrBy-nD$of{rgVfrT$QViB%%?ULq`9Q-oYCQ=-e zS%7Ht(>uT2h+{=BxhxUNYy18SKh3rt&kdzeud#^}KM`yy9Cs*r*vr!tH23f)B%@%e z8%sel1_i~HD3*os5M>RN6J_E<+}W+qBUD!_3*bcuJ6=hpR{LJJz_1d@yju0eiT=e*zZ5LHm*HgIen6#`{EBK7%JWxc12lvnS5L`&#b`7%7UKd z+tMwz@9gq|A5 zzaV{p9s~9ijjO#{bQRmzU8r}cJs*=Yjvd*WEOo!gFq_0diY*(_W&}H0Xy&H{qla_v zzS4ABaNyjCQS$#f`C`_WL>u}Fm!)QEGN4|XHOjM&pH7K^-1H8(D;TicxREZ_N9D6V@3L3? z^&YmwZ%+0Cv67V2T5E=rE45rE<4)gYIM`R|(TaJSYm+6AHL(nJE7;xOfBa*Gvnx?Ov zM2GSw+VatoTyn62dP_!q?Hg&ste7EdB3H#Fdtz64H;699M}768m!ocB=h=}3<{&;x zndX?HPlGc9&Yh3`00bhOgl<5*#9E$EQ;PRE^j^EusE(}_jK*@yw2dSE? 
z9imszd9OYRTf74D9=AS}e+d|0$Cbw!DbZ@6okqWu{o~6kV}31Y`)<1#YI#XyhOcFK z`sbG+RFU%1hR=IzdZqn)gXooyvn53EM8{VWrIpUV5tZxZF6YZs8NDuiAw0!rEH#iWt@PH&*eg?$8AKh4`2| z`ZrIBOVO+it-xYaMqmZ97_Az-Drh|AvVsjbh%;7FB7&iXE0@&SGow3B?vX&Xn?3jU z4}ZKa4c+o3nZRad(aI9cSNQoyFPGki1pLQqwtNJZ&JPMS_`O>9TCh-lR_f1_u6Ll% z?Db|H=}0&BtC_WF7h$2c9zJ18?|~B*1FCeS$%;8NlT2Wd`*SSJK7x1neU%nn=ED-fQ3D7K_D<%j z;}0YOB=B-zh?+^t#rcP-RMZl2**^htES4DeDINVvEX^N}%12vDU`wtKrK<02U(cfP z@A^zlS~LY&f;Uc_TUGv8VsF`zcL*%K&(5ok>8Jwtq#h*D3R9%@w6<719COlov~+V% z&&+6&5W&ZuMuxHv3e*=XnvU3Lc6{vwFevAbtM6nXwQ3SvkGipMq5oum{q=fx7;vu6}{&!~8}ta|GJ}%%&4! z%HcnMrou={d zt-in2HWwQ?c+IH=Mn>+sU+$efdA2A*pru?En)t`)A`BRfK&G7Y%@{ZO05P&?)JqN| zww*!G4_FaKuC=J$?Hgc>A>hc6OoB}n)&bA7Jiuws#RlADk!@}<-79Ky(s@NO0wu_} zphcnKmU*2>p4^l&n?=ACzf?R-gbf^-vXYPtsFpc!G`KZl#kJ;EwXMi-I*^249BuABmSG$_%Ffa zN=eG|Ia%bz#wbAczF{=?B>(@2+BB5QqH`-iD5w^4BqEum%Mu&z+1>2I_m<^ms^3 z=YjY899CJW@!(dIE4s#w#f#C$Tygc;v&1Eh^Ptd9_@`Y=4)SFFq~enpf-i`gN~mtU z-|q9|Ja&x9s%kOy7hkpp&q`bmp7$}wY*`pghZN^sJeg#QF}48zcs)@fzbMY$rx17K z;{<5{sxSS6qhth*#4>p`HnlKSt!mw@G)n#!k$;IM$}i=0bgYEm-(OnY`ojAOy$mn=z%VIc!;QKJ}Gf(>K7h4Azo^5Vg@2OYIZ>ZdXZ`=IVG@Sn9L$s zu%+pTECu#kb~Z`5cM{pj+s3&$OsGd~=^S@ThbQHrK;CiD-jh&a3Z}WLhwx{(lRJ`) zpbKV0^^R6eq%cam6+eQcVR80P>^8{#@yr}QyU2JPpR%Z^sv391HGND0XE)TU>Vv`;~pAB5LW4%eZarsr~~sk~>Fb6TQwC`VIUWr)=HTJIo}XJLl~$ zP$N#JDW5L|?>2deeq4&SX3-MwE$%ci{1(C1PRPWrar=JMni99oSO+kcYEw(ez+%AY zfC2!^;etgU?qs|kM|uBKZsdcl6~=JUYR;BYz;|AG* z<=hNzr~6-qttG3!gg@f*@1VoKJP*jcBsJI-ytnyOk!BkBN0jT2Yps#~VKcL|ZO1}{ zTWb^0F4T~Y&(#|fava_eiTVDg$ELAyX98ExPn3a+jOY0EPHkqbKL-+|{_s(Vr4>tY zoPK|k&Ut&>e$s~JK4PC2J?wGa4p=>~@^DqFZ$a!j@DFq|7b7Dht3B;wEdP44>OBpv zUbL11!M|>22CN1%mb4<;I&o@N5v4CB&w%%IZap=9`{kYc&AN_`A|EG&A`RPX25c~u z{@jrQvMYX!iw$Z;9F_8!m3ei#1^!;!?L?#wE48b_sQ(x`-9nxYoyhB(U>y9PKl?p{ zp`xCG>7!`n2=OGt1lf@?G?g%VX(VoI3vA>XVJ+rIz;)tRRebe;3`~)20%6z}zsx#m zb;v((75G`(5t-jX&Al@vV-#T$iv~np$Bdhwd5;W8UmSg{qqs-p{7{yHRFF1J_zUlV zsGS^l`D&`N1~H$L2)1h*I7vxR{OTe&gC1#{b22f7(~K>evMG`wwr<=koaR7gCIQSH 
zuQC1cPw)1M(My^*5h3K7Ul-qg21}F;_uXQ?*-OYRJNZiKbKK8C`H_#nOSRDh!&P#+ zPeixYm8hEEb?HM*Rf!X1YUSVQsK2ze3^x?*n?BV`lG5U0MD)lAt&wU%j98qW%zLFJ`0^XyVWB3o=A#BwrdO;9b(xX zoI_=O(n+x9Q0hvS=CVsq9W8+;V!nvTT`Y*n02r9aL870g$0g>wMHpB zHddF-82Qn0VCrSU#K3haEh+OK_rneN{>3G{%CW5tQmp}ZNGuxnv{rJjrJfFz*Rq=J z7S7OJ&zDA8e!{rN@!&A)8uSWJ^}GUh%xF~p$*+Hh@L$oWaZhpEG{=nX3u1V!UMr26 zyx0(T;VWnkXkYm-T-!f7J@KPJPKS)Qe2cqr8|p+fXmwDBZ}9jLXw)M+u`dT z#zW5~f;U-@iV%&VbhKZ%&Y9-L&b>bPPb?N1jW9%ODBYhC3ou%$6^-dsR|_A>Ia_-C?Yo;^mJ zkr>taN-3qoiLCJbB}who!mCVoO<|E`WlS(>%YM4&rzvsZT0&{ULc7p92MyI0{^54L z=<$hdnR9NMoRN`Rv|aD=IQG9RrRU4#%R@2fqK8n%od`AkX~DHZWNpUl}Y;-C!Ti!QVF?29|~^MtAy5%A&shI3c@qu=rvMTYT!O`uXJ zp1xA{!<h6JS0g~6z*o*qwRAj*qU;X7DM=;}{MUVM)*uTyWOy=v5^m!)q=Y{1ht7gSD-&Xsk4203dq5wlmk^9{`pbQ+)7 zG=0`B{EQtiD^bm#=>1|TL~_GgkN^9;|whW#&3B>?o2)GpPs>BO&v z9X136g3g^+%yeMtZiqqajG~bmIBR#~e_{b!f8>pb&Zj9d^9Vn_;^aX znwy`^iZw^CpukebPz*&Mr7gmENcpY=Nf+%8V=iNd{)5E`fjV@iMnR^JpJO{eqb#U$$Z^$@YAxrwS|KfsQzsF|RU9aeke23>Bd)z;TNrqP{wR zdAW+zk=#(J{}TU3+AoGq8J*OHdei-|+oX0^eIf-WdM%8iOqCv$Ycr(EHmJO~&!=2Hc}fKs#^@v6uKVp+u+TS-AkG}~3t;J7 zl6_ZPv{1HQ$x?ia(-KIdB9mAppSp9wZ3fxDjKgoyFJTbn%au@vW(N?T$^X1+WvR$AOCHs+(%vt{Idg#=1Hm%0_6|?RYvI{JSvHT&{ zL0rBZQDS}2kQku`;XyNN;=?o zSaf`g!Q1Zne4GC!KM}2OQCKt%QOIwxzO6;-eRt^-A=&{fKy5+i7**{pnVqJ_ z9oZ9Zx~xps*CH~z8{NNLI_mj&t_}X8;(lXt`3Y!)d;`;6ebH}_Ink}}-1zO|A45&Z z?3+ATLlrCeGF3Kt_{jZ=htzRKZw=s^XOz>uw&S9x!n4+J^0l8CM~tWI z*s@#VBsNv{4H6%)nzWH%?@EimF1*a?k0&D%1__49&!N(%n7UU8jI2@VTDtX7lZI8V zMuVwVhK$(5adh*sv)3hJ$;Lz^DR1qUrUDQ-wut%Im|2~%15ris&`@4e=O@sW3Bh0^;1TuwA@!kqGzedzohe z+aj~*GiJgE`6CWlgJ)Bf4i;)$DX;SmY_ECnEM((B8Sb(KI>xIuKmU;J5P>n!`SHOO zEK}-EdY!`wez874&3>EDzTbeZ;RNp<(r$^)>B(-Vy;3 zBb3upy0aQ%mT-h)DR)0Q3iHg?$BH**8Bu#%9n)y%;5vQxHS<7@)A$DebUsaP*SO7c z3;REL%u}=&=f^JER`b6m*b5hXM1ylP8c&~44~)V4-9#vELpD4R#Fld@<(tj}LzqJ> zeda2v(Rm+fLE0T7vez{vs{%I-Wqh1o*guP8h1T+#19pqt{Ri~ADPECQP@5N1#u?1> zec@ksio_Tey6ur#feKrE)CFinf?YB=x@5l5sX^_mW-6@a$7(FOpqos^(HiQd2hSX; zCYdoR{M6bTul6_E91uT^UV?&1f^v$?r@sta$@YGP{@0QzLm891$7m*abz07wyURkw 
z%+bROO0DJSdXiYcO#yxX8p)N+B>o2fi8j@y>MHyH<9-lMsFebFM;e*A`i{sIPmY3V z^%*Vht6;ZAF$X1E=4<3n~4&wAEvAy zD}a8eGEOPzfuj-4!rXY?_2&ta6E(OLNm1dR1-ef7yZ@Nqvk=V^FOUxm`V~y&G9ck! znKv7=LNP_HS0Qo&Wel&j1dkHU3tePeeofzk*`@KwOA`Re;R1N>Ah zL9OJ-*}50a_{P5q!9bGOWz(^jbF3b&lAIEB{~^!69~6wuNeJ-@a0C%FK4TYg>|wJN z^3y|oIJ~yutfKRjj<_nGq05vTVR;S##ad|`lw}G>80Z)k`{v_% z_Na@!mLC^!lh_qlpY6NhyeZB>?P>2i3ed%T7R+sYuw5^qXbCH8Jg6@I`MaV;n%xUT za-|0mf@~CjHGQpKiG2o60q=_P1^iusC5?}qxJehG24lK$PJZ(|-?p$;f}a;<{u6WA z9l35V{VBUQgB-f5F%?o1=J{fBLfBKz&;RuX2&BLA7wD4FYi}lrKsyr2%}aQJ(7Jrk z^Jk0~4gvau-ZfbTUpkisE&m^!KBW`L9DcggMoNx8pp4A$qs;qRs$n)VCSI%v>TB;% z{b<>t9Rjli$Icq2YB2ibxR-?O8s=EBdk`sgo`u6GTF8%9NmX0?DqFv3yh2fv3!;Rp z99C>CrzglYx5!?1gW@@gevkOuDO8xk(F30s3T>@eeK5a3jl`U2lj+gYaXRNn-D_r3 za6A9nLx#t2ik?40$2=E3ba_`T;!cO}!fI^Yt~r>Hk>1-%zDSzL`#?noKP*Y6=3?T6Nc81Kfi6 zv;u@$=)45fwcY2)=Di8#;J&Q!@Q2w@>7PK|_&-P+BBBvPgp0if!)b`e(+UXq5pGhg zhQO0ExV!=|SlD(tlHn}TtYd&;9z|!retR^^%~3Sq&Yk-=9_keEe8(=q^(Uu^t)S~v z1EWD1do|FehJwSXNFYB5i_!^B-b}_!`DO(aMJ27TOt346nFSZE?bZxlU$GJ_bVN@P z7N)#Df5F%I0k7DQf??z&#HR9jIT&&50=+s(XLq2hEhPYNfsPJZ-W`UIW-3fkWyQa# ztI(bJ`_(aUW=?u!sUgwgw9(>uV_9g z>rH0iu%)d;jCj9dk0Kw;TOexC+9K8xk5z!{E`M9G23pU$SS_w;UVbV^ZPZ+qH>p?$ zkYTD^9}sq!?VYasHc*#h6@HefYg1@VfqNOPCg*GG2Jk$6Pl|YASgdRty$Uf(r zkc~%Adru&`{q!=rKVWE=e%MMb*!JQ7KjWE;=A}&QFP7xtZD=0MDa?_}gwS0Aq3S26 zZ4J2xgxj3|^>3j852&D_0mKjlHI^nq_7Nr{NAj0#EjQ|v>%vj%MT<1<<2G?ni6XI! 
zusoxx(vcmuZO0(?rB%({$dUYF%S)M5etv{fB!5@PA?cg`Wb~?Li4rt?|8il@+Y`-I z&^;(zX(4c+qEf+Ojvx69EXY7vYAe~3stvw2;dQ?R_uKJ44I0Q^BS4Dar~s4G5wD1K z3b5;Rn+XH;`{$0Ocw{ySquqW3?G*u1O&*>l!y_G`Xg9!io$8m*cM{KNQz?nVlfAwT+JnD5N2sU(%KnZ_&Ci9Kw_~Osk6C5Jkb?{#XMSa5aZUHK z+A$rsK|6Q$MiIqBmKotq{#(}-P(T^mVWW&hyF6O5($-W~RSl`L+rpoWi~Sq72Zt9>(noRNH>#{yKO(ROr$)!dL2^S`70R1RSYR%Xk55x{4_JH~j; z`xBdLx7Xt82~d9qfoupi=xozjf3*$5|p757Xl^Z`|R z{1y6r11D>IlGvmOd^Z>drn*JY2GgAwCbj7sKduW zypE*pOw;W5Xv9H&K`4?R1gwfLzd0@6RBM!dZqty`i(>!ZO#f}FekJIP`;I8N#gVC( zX)-u?2W8|F-|Abs7q$xW*BPEk^Wm78>{>+^DOqPa`Nxrkb@1O29v<)u9p5;J_nYY% zhD)kNxsYN6m*rW$j5-^7nAU>2b6E0S(ny!nXh$QAw(yJmdt<;@atr3Y9w0!;L3|ck z;SYLtCV!Vy)6REqF$)rQ$}n@ zKB7hTm;*>`<;s%|}(5lz+AD)v%xe4C2wH7O*QQcLd2y;5Rb(G%K=aA8HFo7#~R zr=FPxJNI)5ZB5JEZ|9GQcRlU1y~)G&HD~~2c3LAJn({%r>q<=SzBDd5P`o%>2dUCo z)H9Meo}`%%Y8>nyl} z)kUtd-v4T8!W`utq?@1Q>gH?r{Nm!9)wDdsailfbIXNOj#xB1aL(h21xvj2UcQU&N z`TIZiZC^QYY;*jd=aIU29^|c`)YAMJy(JJLX@8Us1!(*VQE`z#zNX{`yY139+utyFR&wvdGgF%se8Dbj zo$-=CO}SAH16sTWE{#`Ou3R`t$o-dOk|h{K5{RmTWz7|8+|E?nTA&tafO}bLCrcq{ z2`Wy!8=2VU$$oxr1wQmcsOFM_bT}3q%78*J)wVoyht=A$UTpoM30-zD zIPzI+#sm((^cYBW)zIdZ7$2s63+Ao}-F8nmDWl@%ItpLC1t2t;U7gk$`dHsplPFnV z1!7WRVP4m}4)~2D9IxwV{35v)SS&a}V`mdSXpO7p*O+`y(FnpjUVO)()WmzC0Ol1w zPPsw;h=gM1O>-Lj`L8wDB}s8H;ed8&E+|c#4q1vesA_{Ec2P<`fA~@Md174Nvc}DB z!5SeSJr|N|)7JZagkZC0+Z(vRM?YU*iFH*ae7=A)8{%?*KTWJYGxGgBJkUz3&gC>9aBXM-^l9k@2gnunqbdwkz*s{Sy1Xe9FuCfT z^Zt_}-PNO0o|-U>*AASfHyqe_FNfiuh?yNaWLlU>rFE^S!-i5u#2yJSm`h)^aEUy6 zhl>ysUK9!BipKCV92Vfm4)EgeG8JL1CUAZDo`m;P@kByIzKZg}SbcCVA%TdQZ=PRU zdi9mQlf3*USC3dIxYuX(=-dIVU9qx-dF5 zMQgNI=5q1nwRR(6RaKP%_pn^k=or=Cgo{wJ71&Rr&cbJV>TxA=g-AZ$m2akRXoZF; zCmT`AlOo|m%@5&>+*v#$%Aij+VGQz8kAO9cE{wm##C=H3@Oi!hN6Tq!>2e@dc)lm< z{(m^2ZZ2ZmgK_SmT6hS`=eI~r=!K)IP`Z}w@6Uz@z_-cY3+7*(jQBa2pk zn2YY_0y6aWSOa^g@j+$>pSCQw=W$Zym2@_Qez*`74#9bm`-i>pEZ>&Y_4Z^)%o?1k zGJtm@uMf=fg-j&)ZmSe^P$`_+CQ40o)JH^C*mSUdEMkzJss|mPDR8!(wxrG-cEeBl zfXeCTZ)YUWfSkz3 z!L?LnENbPr|(V=|d>~Xt>X0`dYd3>3K%J1a@ 
zPd@(@kHsW=x>_^3k+_ElQ@-Cc3$%ra!Vscf$s@K`rf1pDp`lnSp=LDvb<)q1zU4b< zA4*fu6J)y(6?6wTy%_}j*w!6ccd{`o_AyweA#L+~rOVr^?dnp2QDV6#yF5&3UMC|g z+CuG`ovX^LR<+wu=C%(!cj6y%oc9cCBg+AofdSJWr#a6)pEu$8(?LQLWJF5ze{ zhOG=qqXb6V2@ba(knko(c+>trs@gLQEl#;cE)^ef)c)0*Nz z%3W3n+KGGfRI+f%CJBG;JSnoCTKz)G-25d5@E7@`^D>k$v4%-S|hs86ZS%TRwN`jpe8h(8iPDxDVm8&MJ^K|8j3O zI<3_?XT*ol2~T^T%Kd<25RkzEN{@TuTW*cq5K1jzeHd}XubJ<4&Ajas<@5GGl{tis zUwerNnZM?jKSPK^h{AmSFhR?}Bs3-#dKX@at*?e#&OPffKZJ!N5^3A0HFk-@@j8awb9?=$D z|I|alvJlqQmhVuYJXB~o+ud1@`zDPcSV%BQRzp#D+X{mz6NNLeLl1xdUXTrG;c+DLGAFPxK&rDjbrHxyqSu2Wz&Zi?1ouyCM49 zQNRnR(>LV}yYg4dt4EvP%Be|N^kXA;Ar-#ol|m@MtD~URAkaIUacUcZtebOjwA62K zjWYZY%`c!PX^sL9ni{4Mpz}k^0AYdgd|oVxbi1NkTt2$M={H4f&QgUU$~lV3nFV5m z`(fWgd-7&r?}dt=Cr6Wc?hCG9bGVV?u;;zb|4GAWCi9It4E`4$HYnsje)P-DA zsgxh92{4;TuQCJp%TiAr5ryqny4~2a)*Z(v$#xcgEXv5rfI?l$J7JIfI9b4dMZPZB zf!%Ara$2Kva|}oQea*LhdpFk8PJSh*O$Ylf1-oiIz`Cs#_d6G}Md9s+qh{F1V zIq?Hrnc)@#vzRgUh-`N5+B_pNfK1Dg`XN)}8cD?cdKZuU;P+=SMXBaw$#k2M(%(cHQT8X@>q+fJaX&HD zP)9wvMf>RY1llC#_A!kCSV7nX+^Ew%JTpnF@o2EzbAcFNZMV8l){o)WcdFtO9e{I3 zvsQ~2QQq)nk<$&73JSf!h^*?SLEpytmKOk`lnmK^;$#oG9fT*3dGxz%dCa$RQD(HxJji(HF+l>w7ql@u0J@ z#~anZpkcjHAI{%j>6xx&w>jT}jrtpCAAe=&Ci#SZiRZzzx}AK`frf9xO$Y7LAPif$GBJDy{7*IzRwAT^(J%P8ymsU`bZT#`gcs);mR_rB=YEpViH zGkG&UAm$aW6)n(SJd?K{X*c6HEC2Y(SJ@zmV?Fk+HkAjlZ-&9oP4Wsa z>J{r5_31!i7e)2CAr;G<*@$4cS)z%e_1l$IPwDIQrBC@PD~ z=l(N3K&eldAeEYD<#G>Y+C;&F2(sN&o$euoRnlq~KEE78Ho%uz9bBLSXw20S%J>|n zts*OYUNq7wAeb%JgUPepX9Yo~Z=J=7a!Q5|0cA-KInOg9WSFIslT+GAU+c$N-PFzi zy7tdCveV=5>qTza6@U*(r zY2<%VaArl+c*o+Rt-U2ESxp1{xqIKPKs|I#93sB8X}nh0;64sqW9j_|ni-{pNQs7#Y_X)6TQd;lT=<1;TI({p}`XAA3;hio8t7RNRX zTa*J687%W3a19*iA3pDN-A!(|dC!tF8w_$y<4nRtWXK*5+49QnsP`%7L(;reg!h~L zHKv`=9*g5&|2`xxcfUi+=uc_F#+CJOA`H%w!A?+iJkjRTp>>>n`!&*6A&0!(AO6#w z1o2*_BI)%T`Mk0911A*K;qSbXPJ|rUW*$AiAtB;DIl`G+C{*F#Y@)1<4%O@M2L^fV z&1;vXj)!yCoEv@@HSNy`+}{~JIZBo5MRJk>9VW;;>PlSu6nK+`s}po%TX-_KX#AuD z0c~l-$@mYtIfBmYwG`%?d^`7U_4;P@w)YXHt|-A{e6!RsS(RI}eiKB?b6$CUq%>*7 
zRxZxxv6StOG1`LqN>|TJn}~DfWYg>G;SFX>xn*TzI>{VOFvjUNWVCH(xCfg>9%e1l ztqY=Dl&dp#qhjP429sHoH^;}vJ&hLXHHKrq&$ha@pgnVEil4QnZ@AnZwhz**dNZ6B zvr9@w=Czxxk)^qx4bq)=LR9LE;J;I=ct=Je0AOieW256V?TlD>jSAc!J0LwC8sZ7s z7Kz~h2&j_DyeeAGD%#pnY<35d%fAcYj~skFWlo%`$=-pIJyu$39=|01$}sc6h_y|c zq(R?5UibQeeyuna?QRs!O99h-!{3gp88!U%+g$)Qco&;M4wBYw>JkA;jPW0|;FCP$ zU-vAH!Wh_eA;s4}r%=K`@sC6j;!xe@Y*nw*ph(()9s0{%PYWL9=tE;5E!~_dc-|!~&)O zsiasOS4TX|{e^7I!sa9V z|IU4~JJ_+v1$`XGEtd_6c-q`rz}-)$5Bk=&4Jo>rRz=unsBS=;ZBjT;=I*MUh-SS$oan(37SiF0zraz zrpIy6yeW)0E;+*{B`hhwh_ZMrE*U(EuMG3^orEJxq<0r?HPYJ&!UqT0=qc3u!LUM` zc~4MZ(*)hG&hMeF$9*7L4b=k~OvPR+Z(3N}2YX^yv!Ubp4?LsxDHL}|>_iB*16@#D+=VV%^m30(T*w-%wIn-6rE^Wzn~sN!0}6Ol}8%@Sd+ zyfbH@BS3C(7t7a2ZeFl`8|%`0;};E1>(E^>LgvZnYijlxi&d ziF32 z@QuX=i3a1i12os{3oCYr2K4r=-(~CaL0KR~h$9oTa|V--wrmCHnNLKUQx+4T zc}6T`x;N&-2FE5-sx_H@`j>1Z?bcTg`EHoCPSM}Y6s&md){p!ne3Hn*fML~;*Zlnj zmkFDEt}3lB8a6$&QiJ@lFEZ>>>6<$%4wvci-v$DXFnXl{!6))CCVSX8@NA~H&l=}h zFR~t#B1I7!8ojcA9aBVSxS`D0UstZcL@~>diJQ3h82bhcfz3#ARIB3Tz691(P3T*! 
zcmeX&bC4Fc+u7;K>LSKPg2^uq*H~eU%J1h5Rf%gBnvezA(vfp4)S|m+w`J4IvQeq2 zC%Uh}q9j>Ek3u#Rbs5X^F}#BP;=lLe?lr3F>^cv%D)gG_JdDSnPD*)JUi>`97l%`j zyy_bo(lo~wczNHl@a=2bH-lUnPzF@UiVrWrJ2toIfM}M#$x|8u(yFJ6AKMlRKfG#N zz<2AOHw%^$HSw>Q&3ImwZ4C|WoM2@xqW;GAmC6xYUED_$j@~#9-eXGe3YkvfA>~B1 zE2&L^zKca-zFv;tMMa~(G8RvZNgEZdDz6pgklTD_=rc>+Yd)oPDdN6yFfIwQ@~ z6G34#=nc2aj)U~_L&JBIl%=2`d{5{o&RT>pbh_`qreTDf`zikq1qblKi0~TMdmuDP zrbn&K@%-dbJnxD|yAvk}*HOi5(_VXJ=@F%Mhi1+L)pcrOdnss>~tF)yyGvtRX0o5^MrUyucr|m=%D}$r-zuuoNpOe&-9-m zin;upm9ZpZfVr6*@$Z~RxMk>*`A|pzjSWSc*%1bC%!?uRKyy>}au89utn!%<2kZ8K?GC8@DqMd7qlqIU)v zL~(+NR=)EQWI!NH>@qse1*ki_oN~vj=^GP$h;v+aHf^pJB&O7$J@~f#`#pYAK*XM2 z2WgrK2OQ6YM!Ss`?9kL#-M{JVs409~ zc$!D-Dg#iI1g*MdlF`S(VX|VE5(XZR$w>=7KFKyI=RR1ahA^Xr+BjEb7?X)(rD}8O z;RmCk!aFljgWEIicJH+34jYBh%g#a`kU{hQ$cabD+{gm^+snrU_nxuFRq9!I1T|QGCAMj#=X@SM1+Ciyd$3$dz z?V_?*7hr3;jp+3xAoiAr{C@~~G7QAor4C2pn?)LrW)jVY3{fg4>(h>9D?*^Bj0+eh zd596)K_R~@AP^27!uP^q*>om;xY#hur7-(89!A&cOxY}gZ$t}vc%!}fe!v!n&_<6` z$-YQoeQADxkU>oRkCF$AoV{JdpS|)AjTD7|1ZLk7vax?-sSYg4^w1WWuY`1SjsoSl zpHRj!AtLHf+!-U{tM@FY-c*|NFT6HGGh#bU9G3-4S1+s%qQPq}G?580UBwCnL-H!P z3_7iNs>tz4xf@_9meh+ae4^4jcZ*4ArE94X@UDkK_!>7~EDi%i6NH z|1>qgBz_aq)q|^R+l+ncx7Mn_UoLhBk^#axFgc(ANrL;2lj$Qy6m9B><1;B0JO&|F zsLD&QLXPY~(n^_kHZh!GQAHkxo38Ddv=FNE+FVG$Y)>-tU13J-;=&iX!+>UmvqStm z!DWR88TkuoY;h?pu`EGlUZ^WVzx>k{4VQB%O(22`Oi;^DmV+}T%S!x_x!HgoIIWfF zo-G=P-{TcR0-6=jUwq$}h6_vHepT#G?V`9GJZO3tVaB+DV6h3tC6;xy8j{ksS`HDE zktvNlB?dAa)HREL2#J2n#A=cG%dndm6H17-MQ`mMv)*_O$&!E#JAO;qYBu3Q0~!=$;+LqlW;+<*cx#Q z+@eAswG~c7Ow`ZSIPT}*OBaXuKJTlcHMKXCyo}uB)kVx95O$RPXe7$3{?fSugTiSSWM% zlzvY~bIb4p7^le^VBg*(X}tjPbX_`#*ZIT^xOX49&#`Ft>ypWBxJE2hG zuGnIwYG{V!1>b?Qxs-U?x__di3?$d1AkqebZ|y^rzby0>T9@()@jpz5$Y*?0 z6S}d1prpzbkIZoA7qZrcKy?wSG(9N!H@rf!x_@mr!1MCseJS7(W5iF%nPjAbZVusQ zHO+XL5(HBP({)iD3_;;LteQYM7OTDSTG;<;kZaq@isUqdCzjhu>ldxjrK ztk2!#gs2dS-V`*dJmY<%$>2vDZfB%)8Gi9l$5<&@xtiZW}5xfu+8R%U+t&SWTy zzWC-tOi47Fe27S9J@%l*D6yQDF9>nHTGMzg&qP%wXm9tRfnJr4FYM8W!_cyN$@1sB 
z`UJI9J^?cBo1qB)VxzE-VEpXZ5nq>3&_lw#R8`~QFz$Yy*(|F^WEjH%XxJaW;spw_Ht)0mN&?@w&#m# zI@O!Z#|2`Gx<3o0HylHFK-Do~@>#j#F#dgMg5ar!v`iBT{(nk@pCkVo=sn!-3o#u> zWMGrzcy1M$2x0Wi$LE-CMI@ChHAbg0rAueCN6WVqz&uYme2!JT5-27y6h@JU4v zdNDo4KG)-rdk|5z3DIoaTlgvO{*HCJ0Q2|ehQZntG?~hO+t@gMg4?%U+YdD4sUIDu zY_uI#EbbkEg(e`P`lj)p6v8JIS(JqbrpU=_;6-0V!P`67Jvzo3Uvds`YB7r6QqmX8 z(@c87MebJoQr*t%9hj|8v}l5Oz`isW(^5vj^K$2;tx-9_;#5#AO!j%YU*;e-mP(pF z4(^uQ+{ES^4~WXp%n{ba>I);&lN0M=@F_d&gb^bTFQfjrtMt?V5>Bv2Vv~MO-hqGPfm~kr#We`rWwEX z_fik3#?Q0g4^;=pBIKd!e`T0sg@oS_G1?XrEvks4LPY;`368JO?SwQJdz#}m{J~7a za=YLv>*{lMtj!xPgK!10lVP-hX0kQGp+_&FEFo;PA(q|7vy z;F0((M^@O~&H-GtCjnQW(WtW1yWx4$#-!w6jZ^c{ULPy%!tVT*m|it)MXR>)tkvnb zq3U$gag*LczsbU_$}6?#@C+~`wEwXG3f6RXP(bJI30E9-D$(khFgZ{Qn2c5fyy(e45hp_QFhI@Mv> zSGx9LXis3-Dzym!Et2)=wryoYv6*rBz;@?tpRP&o@nYkkO=#+o>UVkfY=H#e@!~$4 zE>qQd^7X$psgqBrnZX>P7L!rN84itXb?^*XAYXVGyzuS(Nq&9-HoXjA9KkdJ7!rdA)ML3gF4MsjFV+pOe=X=h zzcI7U(A-QvYU0;gDl9yNKdN=~@o4sIl?OB@Htz)09!;ABcrU!D!+_BCT#zKAZthF+ zIP6PB`aVo{$Z&ofy1ibgc48$b+@gcBF}2uiP@iMgQRhTfx(=nw$MOiBV{FL9(9EiH zs@;FCo|FQ-UHW?(NuC!oXZc)iHTp#Y4Sdwb{~7xNA^=8EmYJ_x zTF5WOshOq^NW=LpQ$^RC%u6}?cV6|(t{GT~W|w`~eq^OnS}Ds}9f1qlHfn!9PsAVg zzuCA<4SwA))gXz{zQaqecCZD@<{{gqz%1gvO zj;JT5KyzZ?TOr*$DdPx7$=a-M4AJ%y+oF!w;zp?_xisHcsA1`--VbF*Iy#IQLD7Cb z4HucN9?=p3UyK?P^-$1Q@&4v{?wDhnb{N5#zjX2NvJr|C&NCY%)sgGDx)|pln#jl> z^NwlpmQ>+WY9wov4!`p`ss_~~yDX{rxZ3D=n{=X_w>wmGquNdrvZw-vjC@tRwOVFK zLPchp`O&{*(NagqAx``Yo`hr5C;e>IzGz?IW)bdAf}$2{Uhj zQd0gVNt`C;v)Q%9Hmzb#9y+hJwain6pl)Eez5*a19l*9#c>OwcseLe*O%Y^vVZj1N zDMv;?Kwu?(5#|F55wAZGe(JB4*DJRD8W~!0`)$T$FGW#0bxfd^Vcm6HmPXhZomUd_ zcN~X#Iik|w;0VXJsn0jOGG%;nBD7A2)!y05W&C+xixZsnaiTbX-M#V?0P@9 z8bVWcU$my2l>e)S$aw`)+4bRidnq_o<=}Atw0_7P#L{^k5rD1u^YP>La!870<432( z&!LpaR{{K&pa0B6(9Z_|wE2%YfNI1QMyxjf^OT|cys1*)?{^r&b=sct`aos2SS5Ls znERKUc{LN|35WkYEE0-GOa*K?;uCq*_YC{j{SFGC3K}HMNPcpHdeoRIw|}wlpp#JC z&I_sS0?8vkMg(Zuo4<9=mm+LIx>8c zIu@DZqddECc2|CK)lL}i+p~dQoXc+B-m`-?w3kP)1^HI8N9>x2QPz>?qy_q&`Y6u3 
zGwg)T-<1Q(|E4-JP?qm}MpFn+h-W_S@$U0&YGfxer_$MZ7W5lNTmQo|wZLM)tsl9m z;=VxY6@g3x_WhY3dYrhzdhpOW<^2npsA{%w?X#X zz$bZWq6e+5wO0@=o)52wPH@TET#eV$%;U`TxeIfIGupJ304Zud-!}qGIbP8FTy%(* zT;*|Px=>|O=N?|94gy$8(McO0&Dq*E^GO>=@xt~mydl+wdv?!)<# zs|9t3$&#y%d)2A5Zg2K!h*@~{nf@G(bPO3)4KV6mg&UyG}6NZm`e2C$c$MHP(1GtvD_}$cDVy}+$#Je-A*^67f7M_I@xD; z5?rH~*iB}jbHTW6^d`x16Dw_F&*YO+f9NX^7?V-^@=k&wso}sG*nr~nzEd~tay#&W zsClx3wEV!fA*qCqPO%8`Cpm}>egjR)&y8fTj{RFL!M#URNwO|GNHm-d|D3_)EiOMr z7ywTFL}0VH_=j_^17oq_k`TYkaH8mE}7@<4Q;=;lRKtm)} zZ#0+t&G}?OOi@r=EE+>xd?d4j7(()Uh)qK+_4==97=H+v5d%+O84TkgYopit)$M!zH4B{y=JxH_PcMKvUyu zQw8gtz(KMgqm;KKnD2h$0jMvfnziuL=j$!t{Z)Mgn$BpZA-^GmdK>ENhhvC?lwKE} z6$Twn7pZol5)8^O9}k{-pe}bYDU{??=q4s2Zf>(aH5T?=4l|b0@?W^l^rPMtmMcv# zLnChhT8&)?(F+c%HORTWz9_RL_Z_efD=~h)&FYdY7L1JZ|^ zPzRdF!*@cE9vTCpRV2I1Enwr&=mHA@4h+)gLl~rv1qY%yOG|M(9KrMHvTnCG=;KQR z{Y(0yb(o1lIo44=lQS3zK2s=GYR)(E>SujT3M%epiY0`zmSJJvNJkApc?3^xO_mq3 zNJ@AK=S{s3lkczFb!RhlMnHCWi@*9fTTIP~nxL^IYS%vS+VZ0s@z7d@dN95@9X8z$j=L;ATJ`d678 z{0H(Ow5y|MN_1wiCkc4H-%+-3QIB6})g-t*R_FJ!)pz-|ix}o6WlqN|A|g(=Y*j}; zR^;F)mBc4bcvfuc=O@G8sWOw4ce}W$lr5O1vFY*O;`;e*yBD#N$}7y1=%ew$`t+Gx z5z_TZDrmkOYb3j1wMN;^dDyD?4F7T&Cg%{C&8{z_dA1LPPe(56{82uD9fT2GErA2S zq^wlOoufpl1>D-YP0}FUj!=kn;UsNcv1hRR5=!|7WsrUyF9?mf!H|AuePg2!#I?vT zudjR{l7U|=(<+qEq=rbUf>b_U&)`NJ^Tln&&GoWEO+JLbfnhV3L&4}~)Lzj$o~g7P z<%a1lKrLo>LsXQPdncqDFIm%c|~#K9sBM!tJ$?X&rOA zs$X314vmFlGU%B8DU;^My=*H8e- zcXMzf#?_R)d-_PhyxxLgFApdeL3-(YI@ZYDk4+m2bW)X}JrhfNMo34-5RqJ`cI4q% zU2nemcj4E}9AqTn|GU+YJ~0vAgm2+zFATHT5P_IrfkzDEl>Nc_NI#+P!a>N-n63qA zq_78`FoVYq*8PA7 zg9P>K-X`9zsz91*qZ2@;6*V~%gXofZv#17B48Rq5#yj(=-?cJBzKn$5ae0RkQ?X4Y z8Q1s$n22%h>s?^~S8}unt6OS?HrKZZF7ZqgQ$Mr+nO9;;qt zQqn=tC@KCh8jBMnM444?DaMUVgg8t(#-BSv8=WJ15t{SH4L_`O!_-ijl(b1#o*Y00z3|MIrEqCv} zLWj5p+MB6J=?@=?g0m!gUqqX!GsCpUnf zDnFGdr`n%;7KxPsrFLm(Bn#b&3)UrMo;cRkSjJpShc|{W zVLI%A!uJmV{L_i10HRs>%W!EH+|5cRmm8X?Z=(IIE=>`~sRdU;+-(WqpGf%++W5gQ zY-ngGs`>$BQ7Z`sjM27nS{i=b+}IM@41~Z74~AnB59o*Ohtj#recW~9qq!XKCut`F 
z16djQjPSXKn(*_=lqC$Yybu-jmKBMtfuW(8kx^moyvSGakS9k6d!6!yO)^Z(6uvTU zP%|k_JCU^`Xlx)i*EmOh2EDi z6ucCOG;GUetuj@ZJ7*ROoOiiN`8#Mso^I_6*u*ZZuHgW8(uYqtdqFeo7Y((Rh@)2Ca1X(DJ=JNJ zoaNAYK#qTH;|N~6jYts4knlN1mCYGu)h;9ij@m88@iGEy0rJ!p8-3;ds?Qx;;YDR+ zO486~IkmXzZmOMMw(n3Ez@Vhx9zPQsszgkVaeU9=c}Bt}Xdf#Z*s^j>{-yZ2#aSP^*g9$u)Gk~rj3G9BUY zV&Kv!lZZwl&gbYF?B3`812H2pWr^eg$J~}GRt7T|QId@y33k-v4n_-NG6fZ`YIuh_ z3n%F`I=7th2TswK@+-AWIkV^cmP8*Id4$u3$$rYLhdB}4AuQq7nNoO~{CLLQ^RZgW z6_;+9+uC?PLmjrdZfqLK8VMu%1MHts*>khc*CrDZuXV{J#b;2C4g^}wzR$<6i~7}p zq?pN|wDo@eASKW~_Rqw(hBQmrn=DJMdlP*XH|(DE@qW|-w7<$FeQr+LF@ou9(^sSR z$WaCsf4lMp+KwO~X^)b*?o&t0!*=uLD&b1p2TG=ZDOSr5D& ziy9rW*~t|dONu6_u1Jdw)a9?C&NXD7x-(WPik1nd z5sVzBywimG+hdriM-^$-ylaP?pwX&Bk6m#TQ%i{ErPxw9mQ2WgemWxV*X#p8y zW?3jTSfnF8hDktn`f8p*8! z0@{f$CumzVNFL5n_ev@%7@=cvwYBsCR(5uE(K-!QTUsu=5iH-tB#SDD85tR&y|!K! zrEVgu+y!X6-e8qvT?B?Q7jmB=>pA?&gGnXw_mq~$eL}U9Hf6b_ z{Gz($^NLQ0?#(aY-sTca?^VV_E+LP@3%8hF?=%x_q>yPRze1&?dSC^UuD9|&IyqD= zqYw_3pmX55tGsx(*FHK%d+0&XZ`u&^p4Mne zq<9X%Ddxzg9zSt4z%?c_991^rftI)ki_toCw;@=#x+`b84}8$fUWekA%?)?aY<=TRE+akb=wZ?J8kb)abuD2?qvvcy^>Y zc&1%;!H*PGL8m(Zt73#N$;|%>X}Bmvye-K0-s0(;sRhgJtKB;!FITmn7htwu;At5< z{Ojuhz_7jX>DcYS`40L=z7Gw0LP$+UJ|0fXPt(4r56;8fBHVkyG46I5D&BUPUc?aY z@*-I`Xsy#PR+BVoEt`2&RB^t1-2~Gz(AyqD1CH7bCGxF`u%R|&69FjL!Q7efWdk*L zcSki(QhjdIP5K>Aj#j_7BuY4mYIP$>Xt@N;TfWTfVrm107kCkHF#H7Oku2`Y_z1L$ z9YV38C8eJFAQIQkip>}wp?v{@k9cpzyQvB#dI}b)$<$cF!-?Uz-uk~aCZ{|%IjlL` zYcsQ_Ga^&0;mb(fVEI-4Y*_*@(?MI$>A__}X9_Z?>WhNzNm||xt*-7xL`>Pph@;7SWH7;Jst@JWKmB4DqrmrV<~^nK zDO^_?$+AK~`G&ycHlP4YMH}JCHV;9H5$$*MgrB^>?b00;{{IT(-ax-Fm zW$Rcl4UWCc{BDN{2GJ_1fvOjl=2azw2{H4uT~sj{ntvwOJWX;+EKxDqy%+!M zvnVR&<7L%#UibbPC>I$LotRk5beD z(`5bTEykYvv20i^V}JHIF-YL|z@?gWOI6LwI*$u;Yq14{D#h;Jg#`u%L+)}U({hYH z*Gh$K{2`GA0*RW)i>+0HSJ_3!_=MaqdviI*x@?zY6gvzsDs*#ErN{>CW;yU%vp{uCRwzX`Bafp|ZAz|1m-0StjPWC8j{Tx zVs!D%{RGE#NDooYw<4Ku2ThK7E7wk8-8oyEvX`Il+)yJEGk z7K_EQUBmsFG!zHju}=d7B9H=X(TPDQydAGl@A1d)v^HrqjRmeieGrZVKl->q(ciXP 
zT|!#gP|T3SFr9Hbql*wHkf5Dw3~__vjyL|6`~h2(q8Wr=hurxZm3e5qR-6M`ONO+| zcgyqj@|T?Gi`SMYDI(9Nt64Z7gQKTCx?JZ9|mn?05nf?QKjEU=#!sa!uR}|!khqokCTU-_wkwk`cF7aFaqiqGpc@N zrNE4la_#I)Qauwd&4lL6PczBfsI7&_yR!Z^D~@5oeM-4b77Hjx@iqJp33)GjnJLT^ zr2qQJZr|?CR_5n-5wzL^Sz<>Kh!!Z1svcVs)L%{S3sSaL7G-Y^b`9m}(G<#)bkX{@ z3W4=*7aN~saU#mGZWr?E^Lmvl7H z`0hZ%nN?nOIklgKuW_9@2q2-ENT9{kGoI9Q7*Q}Uiv!N}!6FSzOb`%zRq-Wsavl75 z_gEX!vNbJjsMSHjxE1P9z62`FulssR6x)=LLRR4}$L!=`RXLlj7OcXj!gD$}OUOEi z!-}f;Y8w?e@89uvjgL#jgx`h#jFmCK(W>hb8>6~RXb?jag|3-x8Z^Yf=#G)ucQsUV z3^gbyq9m0*eaiUz>YIR zH)KXmJ^adKJf0Pjsr7~uX%qNBgDj%x8L*1FLqUqAQh9eTC#I1129P7W+8T4CtuAuVHFQ!l*J-Swd7S2T-|3 zE|SEmOXCnYpVQ}%lir8Bz`ob9PqQ2)N}>_U_Zt%Q{P=_u0oz=M!~S+Cs&*>g9)>dE z3~vVkZvWumP%o6uDExMK-xhnDLrO|2-jb0>C3=^m%_-ewyybSu<#IDZ z{%s|2^p%2wg5P#3`Ir8FAa-REkRU%4r_rPf1oLHIprc2{?HRP&|7At2vE3KDsT#r$ zQpyr{xtkH$2N*hXhK8!bWpi7DPMa6l!sYfo#PoCRmvn;7e6ILvbF(T zU`V-YoiLy){k76!SELBY#dD*nuYppe5XtqRBE*|>U*O}Yg+zBO>Zk^|6%j?k*=P2V zz5_a|Vq@KW6p!G%#y#irhNY1Vr_G#9%?LV};ChmT*jQ?bMCyf2a9d92tL$~BEf0A) zxty0wcGO1Q*o{fHL-TXPNJt;uDDMwuL^nP+3Z1qht@IKtbN{)qU=KLFqq?EBunT>% ztY(vrzPU&?&NdpQ12iqN&&D50AMJm8t7DWep!gRi5dh>@v)wnl^cVMpYY8*a+%93?t1)U2dy*bH~^ z-xLje3?1U_$L4_5MrB&+5jt&h9LnVh!A;z4LkUo)-k<}YgB^m-$4q~z&>upX|s}77*R8%Jj&)~!{ zVhaRFJYcjxO1ax>H1Jk6h|ev51R?r=$$A>-2^*)HIM;G9m8mFaUnU^`Ry3yk{rl*d zZ~X<@AGbJ>blrE$9~?1K+w5>&BJQX@l3!aoLzhES29(Od=)a)x&2RZ>n~ zkAJo>P;3yoOb|uPsaHPb|*qeEbDjUL&$HL-`L*jis9JOVaf_x>s_04SR zZo$~k3WuJ0aJt#;Q^f>yLV~bLI<#JS^q5)~cV<%%-NP0?n%D?Omxn!j8#3R5*@(G{ zyA<$=o4rk=73eVTQ2xB1N8@Qsyd(C`n>C|VQ!a39q;0fH-O5P?oBK%-Otdcc${pzp zObUbfLS9QZHG1hokIW-qq15-Gp>;B9A=dm!Wy;(M*?h@$YrnkLbGDzwbIM|21jVWz zd!D(%^W%5Al*6&Cj!n8I%{xG3{xWOno8$k}1JTfhfIZG`AADyVVMwxSpq8i!EMjz_ zt6tgRNDZU|Nx|NXuHJcXz77Snb6@wPCM@8^+LT9{Y|hRS z?e81b0uf;@Kt+frMHoD!BPCVp1ne4ydjr0{DzRmKH%R{I4?*pPF2*_4dTE&&!)@9k zQ(W}g2_fH8$a;wnH_DYUGb_X4cE|V~+ligJyXerjOPb{VTbH+2s@|%M$y|FfiCUG2 z!FVzr3g2B;%Vi%;#kv%pwD0*ApeP`lnwlm^&~-5G@l2Bgc$h$^R~)ugyPR%sBmF8a 
z%~W*$BVfuRZrSv3Tp^FQ2%3!j&Qqog5uTu?Uz6+HF!n~K@N4QW{iWG^`Uv2v;TWMx?gq39M@dgM3o)ejuATC0OBnz%k#+N?Kj=W zx`V_Ze$&k@4Cds>yBq;0DU`X^v#nRY;p{)`3=S;s3#gaxx%QFA!Gnm)H2E)xtPhac zd|jY%vgadkZ^$0A*!}kaXa{+~G-S6Sq)lvs!vwDsx>)-W!-B3PqrU61Mhx2@^Xq~o z^_^;?d0Gn+)r-mgFp09$qtPm1?Bt|;f^IMC*{Lq)9yvp>*M7Rkw;jxY_-V@QA4vh5h$)9X^nSS%{s2*!`X^B-sqBc zq&OUHlEmM?_UsGKf$-S9)+CVBJZK26w(%MJx-EcS<{O3Y{;bNWar)ons7h?J*1O$z z6=%W0x%+~-+C_%BiScp8XO-KdTeh{y9?hMyiZgW-_pRp~$%oZ0lI!H>X{7V@iKRq_ci|B^imQ(S> z@+*=_c`PD&0*2_Fbji%O*}H5tf8F8_*Fjsevq3l{WKN}S$jo_&WoM@eKi?fg%u7vr zUU3})m^sXG_Dq8uLY;UYTrRES(tnYvS88gI?9#t}a$uK@f0W|xTrt9o$mWgKRGKnD zjiU7mxh%TXJ5@X=|Gly#hNHyU9CHjJI{2Y+rigI*ChgE8-cY84H$2t$@WIO-@ALRH zx5ZXK(j6Y?W4Dc+%IbV>ff4_NO3Ghq{cC?OQFu6h(mQ@gJyr=gz5nXKl+0cqF9ZTbOa@{>j*# zJ$6w_l$7M-`0;rXF+pu^EZQ0c%w&%9YB*VhQ${5M50rUP&XlqS_xe)#=%b`JlD2#f zu~FzB<&NaIG|Tf2&ifg&%r4imW#tuTNS!CDACswJ!%#4@wPUr^S=8fV@x9>&hBM?? zMogk^OyyKu@KlVTV}ddAQ2BKSMia_O?5^dNHphMJr0+&<8S31Xmdb+pDJ~?^gN_jd zuPUIvpXXH+o_dFRrMnrU+t+tn$`B4^Q4a^#QiNDPy54Sp6gSP% z&wzHUhGcD=A@Lj6RG>xUPkNr=5jPKwws9yZCP$UaB2xtKNjgJ+9?cy6bRq9uP0t@x z9wmTFUFt;j|7bePpf=mCYZrI77IzI^+>2XrcXucb#oaBqYjH1Hthl>71b27)();<| zpP9)_1}3@AeeSi^u?pg12|SS}$@tNTIMqLoNJZ(3Zwc&)`cuM%3wB>nY>G~=Xq#&9 z|MVcsJ8&ZQzMQoFZUyR-9sx;Hk|o^8Q^s7rC8wlR5A@b;yb)U1ZFcH$I&2gT>^1E7 z+;4ZolI{$|B-Z%7!SXz;InS>t`AsNreEnM5`l)FcVTY!?l^}-mplm|$#nuxiIPq+? 
zd3fFZgBkE+EMaYJjpbWBst|rGq0OcxkuYe!+@*+XSBRor>)uBHC!FCM{Q zCFqq!K;C**l=wYmZ!~of$DsxG&)YrUZXnWx#!cg&4;?+dUmF}1>QzAY3GTv8@dI!6 zgL%Pc_)OewJxfo~kgw{fJIDJ5bF z$o!Br>2w+yk(EltZ*uMyXHhfzp=Oq&;k^g$veLbOrd%*6#LR03Ve|WbdK$~uFk5Nu zu%8sl7cyT_MA;^nmE1}-ENj07H~g_7^ZL>8>Bgy*F40VP;0m};3r{uqGV3fvwZl#$ zZ8a-m8#o16EzbpBr`TEIeWr!cD_D=<)u;0;n{7umb$&0tE&5^p}6rYpsMZgH|b1 zsw-?lHp}}~2_8`;j1m9yiTI@=?Uw=Z|@XcS?x>tI7AfZ_#vlLtewA@S^e-* z!V*Lk&SXn6u<4cnDpU#{ENGWL|IWJUB!4wDnu9Yl(mq#G_sOG`Gc&UBaZXUCyMjK6 z-c{Tw4lxI5{}V^t3mHV`JFsUBrx}P>T-#>O#cMqe_E&7vU4}KIAL-Hbtju8?nEHDt$ktsne_J*!+Bx zb)|{+<;xc~^Rdt3@!P14widSp){-Gmf>B@%@*1pN(u%_g-l%RA7=J4Yj7v#v1J2Z) zt{tU~a05=jUekgVg53E4r!|~sF#APym!Y%maeUWn>bO)GT#nsbww@y`#j8DNktt*7 z4L2j+$$sZN{J@fIh&+8@iE-ie%9zY}UD%8&YbE+JrE_&u{aJJPPI&rZufz3vV%xmc z+pSucqf1elFaYN8yny&jz<{T+9L1YclEM7->WUa0u2NyFQxmgTM4ABw>E4b5wEooY z(JUANmlCOVsKh|77)UwRDurpDjW%Nm0T@V*bU0uKtzYqB z7Xg=L#21_*ODo96LtkoI`&0SmQu$Tj3fv${%+UV zsE$RsH0c;{YEOhRWjgF0c*ZpBb3{M|*V9%-%iwV8BgK)d<0)GjsRO9UHr;9*dH{G9)( zc>Nq_Wj|;B^-md%gGrbKQ%z5D)~MKbxj3q#N@By2LO1%)?=H^(9VTSa7$7`#+Z!*o=l_b_{ZC2AwhaEISU8HT2b; z6$rzgrn zfo%Q2%||l!EAb(l{dN{%$;VQv#fG#dd$UQ7bQ`XF*zt`d^4qPQ>+WYozWY_zrJ>su zfhAoO&swAfy^kCtS~RF%yeu09aDz?C%4`5Bj(BP$$I2Lffk>7=F=CF6FLiZIv$bnX_H15- zmf;WG@X8K}nd$4oX%`+TAzt4fx-_~}6a>^d!6dgbaeaC%O&pF&$Dh0hOle4XOiAFT zD=n>qEq2WD1Q+2Rh++0r{hwA{=sr>do{!sMINjaPudIFy#NN%gI5@-L8pqG_4NSfO zD7;=PqR<6JaHsB_PwzD(zUtOrToiEGaavrhK-+K z0Oh5AybpCmSH8qrjS$)S-9c*_xKg<=pr)qrJf!t%>`taPcTF)qcXHyTOequj=jgORNk*!eo;# z)6ZZ`{7lEGD%Nhbuzh;cdvnF6pc(eD%6gj4Vf>(`YGDx(dY_&J&l0cQ6%;<_5pjTA`wqYPdo z=iy?2s}6DnuGYNiGK#d$9+MefKyFd+?CWDMQ0iT7Z31%>1D!GxLp?P1u-846nFmkN zG9)UX96Ry+$2Zb?=F%>s+XEgyUgUPlUaM3rM4+jF6b=Vb`N2X7NUhwb3+GAW2yL&2HYD&mgXFqi*p&7GK<}A$C!>6g{cf4>BIf1FE-`)4xLZ=>Ki>^2 zDl4otHkX&EP^1Q4rtE;W=rz~1)3SoGTXFeSMuWz2^5yHCWiHD_xRSDtkO_sazt`Y0 z1V~?8hCCAmNC7}V4`I)G0xlW=zj4GFE)xfW{?-1LVL=Zc{%g|jsUtWhi2gRzc<*vu zNS-rgv=jBSmh)ky2~O1!TuqXU)RW*4Kw6#1hfSZA^t{w`g#pfe@j!~xEl 
z_F_TAhH<0r6r(XRjvuc&f;GXi)_h9>u^)xO3+m^i~s-3qEfGT=PP%!F+a%U0@v)s+cr_o4sVKrFaH(&JgFY7x)dyR5XBuMv^ME z1s^F*&;U{4^t3VR$>1?}+|^x;L5Y-NLk6E_Y^LSwE{#w!*yshJeeQVUVtHjr2F_HU&DKRrEntIU9KvT1blhG3t;TQ582H2U%=EL4t)V-O< z(A%YwO&I~pj?^{afKMr5R@*;iV9oF24eZOf-Gp`YR~-f{h9jb@p<8;V(D^3x9s%3njl(KwNns_~oC^&SFuDHY%(Zm5LpV9CJ%D@GjoRWpY- zKHAlU39+6DTT=XALBeVk1IO9Twzbvom2%@eYUe=TEW-`C6C z`f;7l`F{pE*e?(+0?6GK@vL0SU!Vn#;0>j0v%u4XA^PWZ_#aM_5>?2rbJz-(gzOsD zG7%3)9&?CX&!5}#&mD=QDaq)8iqfImp1X}Q6drR&Wi3#*k`ZcJAn8p^7KjnB$Llmj zFZI)m0;JoVM45+>F|bCq9wPjY$1DXMtAAmK2S(Bb6V^fHjsNVFH|N*;Kkv63^isBp zIhQ+N)$9q%6?z@#ufo*}+_}iwg0rPI`l>k%74~ zmHCNyT^43W#uzPpAbiW`HZXZI{i_v_FvbZYmrC2g6U+zxNeQvLw^z1qaxk8Wr_!V_ zf+94;(^)S%#chk(6?SamFOy%yMV~W$}GjCm<$}1}7e~%p8 zf$3?A7ZDywo?eNm2sY^9p?_bfVy?$E(CEq4*BEZ6G4aWTgf{$MtUH{>qo|zr>b_jx zVMRjuJo}~$UIc>lO%QOe7_+Z^CknZS>vT^3B6cBZ!+7QK3s#Zx)S6hdgSOYLC$p=i z1S!`&7T-t)FsJ?qe{4FwU-S#!=+^mopoI%i0c&ry#jnBAiWGl^Ly&nV7H^QgW7Z2_ zodU1)=}v061KI*%a;PLWBiily6$Em82>Qm&yF>rWRqtU7g%B=u{T5n^tV(~|+ZS*4 z#i$!#mvAv$f7?3*vTE%P_YL8jPR6%Oe3-l4AdSY$pZ#&B2Mgoh6Di`ccOA^IB6>mENU=xg#B?7s6Y~kEYsnbipT#(+uQ=q7+b3iXr zZSRcVe7EQi5^+w%qNG6}$RPdDtR^%g`%*&GhbX55E!@)`Stw|MPx*szpqMsnLPjf#cz-~kDH&mR?L#Zi*L8>hhTKq?2Aky_9o2E0b;3$oXks<96G^9 z`q?Awna$PcOXJc)qeKymbbUL-;_`;ePkNHIYDg0^heAp1RX$P%w~p8}K5I$Q{AlLn zhP>|)?6Y%hu)8QVe3{StyVTF7ZW#*S2VUn~hSE`}QHE*l(Y=n1qz}*VyV`Xu5<996 zCntAL5f&QN2J|cXY#r~hi<`x#hg$KF2gv&p@_TTK#MTXu9T5=f92nJib|Caz6L?-7| zvv$n-9ieMD^<5!JdzeoK48W4dMIr6oy z_RGi;T6J~O%Vv4JIc*$?5Rcx*%eFTMwxZ82aY*kAY#;ufb_LWR>G0;waa^r-4%NFG zAf;sAf6Tf5QOOrGurD3sG4yc_^mO?E8p@7j@tpII%b;*4#nDE6Mg~A8?Ec^QWBX|<5$4OsCq(+=+YB6%ToGpz zYe?vyu+ePuq{SzI^Rk$`ioZ3q^B)WK{3Fp@>T}?{KQnE~lFLE>;&ru7fu1l{z|>?2 zSroebcGsWlLEpXHj1vp`-t{WYuv%;e|TDRhJsibK*tZvgCt# zlEMP_dFtFqiIPz-p%0S>FX(GKX)v+Q98-Uo?)4#A%_*z_=d}t39c$+&($c42<>QQY zOmRh`t(ttmMZs@Iy^iNea=EPXDTZ1pl7cFSsr{Z2KwwTWfT=DA(hl1-GIY|Z7Oh*b z<#@4o60UU~&6Ja5V1_A910$7iDTkMlN)auI?n`lYG02lSEh+k{&On>&B8R%GU3CWm zG^jXDbmJO0#f6kR7c~eqitKx$*|h=_pC8;noU|(!_&WUA&!snfR%zUEiR|ywXKlv) 
z0cJC^Jz!Q=a10TX@=eyySIK-Uh!BFt_UGe@5lr}1S}tqw%_a5uY@1-p9muxlacT%Cc`u&?mt#f!K%Tu{Cv>v(76+spqc5B_wn%a+Y(b>96(XmgE zB=!_b07+O!NNbxs+5b7pJbvqaKwrgJU2*VrE{Sg+LdlI?sDh!3zp+aoI0m0rC`)qI zZcFTL4W8+b|DKi8WLx)5Jw0-2b5_}fvOI3KK=1F_w{|=}BXL3M-UVSqxpi^_gukWg z6D>w6yc{6N24f!7ZfhGl*(n~rMK|&e5-r51Ph2^zBpHO0_*@^jZ$|3K!P@{nFMS`^ zqRkb!7aS9sXqGr~$~hhyT)LViz0IQLDiD7>{rIV6UVkdTBOKM(>p{yl0-NDk*ENvnkW!OL1HKF<@j&iZ%tP@%#YgmpAnVnfTw2C6og}IE0)(*A5ri ziE4_k+0b4+r)0@PrvG2aqJum%{~S0;Tcx7{0K2|K{-XOx$jE=;`6uk9!5>N^Yd?UU z<-O}2+^qqhpNT0>oSzxk(0XR#My@EM6rY5#d_0O~pnJ7;%A>ZQEwuO=EuJaqDn#4w z5I}TL+i-okr5P|O%bd2*ez5<)46U_UmfU&11x*JeR2t+DVCG@x%=jz3sqL|%g zzXZdQM_U|su%}CyC!z6vw0i9n%V&}&qP3ZWpCI4FQAaEY^#|o$Yh7x^+m~GN)L2bp z#YilUAg+j)nGtqMP}2$Dl38)`eP4G-Mswe9X~209lV^tIw4?Z4=cm0?Sv|e%=X>NL zC*)iuV0v{62=Qsu;GMj+wUu>`jq6{eAg_F$s>`I&C)hj%)XBODU`mphV8D;s6OgV17)z9|cQ*W*mft1bO>%l{l+ z2v|UdJLYHAvenvwrFTs{XAvg71c>8NUhD5R#wNq#it5*k4v0Sa!41(dD!yN|#<07Q zVt-g|?~Hlpj*ZC!A>+N5YWBUw+hY~vP%1Z7|E{3E_#$}3dO0C0Wd)J|I^q@c23FSl z3ct+|CpljicD`*^e1LVw$8lI~2;|>(*MYQ6+a@ZP8Z2 zi3x02q9>wBXrq#6Bzrji8 z*f{d;Lqy+ou8m|=v{wv^u9+!)D~&WHD*k7LQ}fyC?lzoab_?tGC-ooZJ*wYPcMBn# zQewE3IeC2=au`5p=Qlazm{1Nm&Wlc%U(-;DX6sChW2{OFvZlNf7f>7290V%yTs35H z^sYsc=)c#=x=EDp?j5j*B*hF#_L&I|CGOa+!$Q)feIx{aLSO>pI|Ip|OwG+lex>Ro zigzHJt@mk%j*K9B?j>s!6%|q5>RZ{^B>uCw&Z(Cjayf!1pPm=HHV))XDm{tEJ*|!~ zs4R%X0SgBs8PvH%cmrpPBGMlgA8#sV^7~!yCxf+4*Zv$!;X)<9s3vZ-HtG6;Q&K`_ z#Rc8?YssO^Kl?XGURoXxvO%&+Y)2sIGlm&IiGz~gn@0}o07utO+R|hsl}V}SrsI}^@%DR zNS*s}RI7V)R3_BhmUoa~RIpA*BmdZ>+Gv~nfcha|_=PjF)Xg4H$e9}9Gz)61J+zK@ z(GNDuzSGn=Sot&b#D0F5uxldy4J==!b37>!e?;$c57yaiVZJ4!hehKe{wbi4#rC+adfLfyI>c z6q4Fqaw8GeEKRT76dW?|*b|rS*z@+X9qAv7Iru;Du;+fd#he5L0QZ0}1)v3KeC7aa zhGLr}{3J~q`mxOn@WY4k0d3~4{q%Km+jwAcwZz>OLf~*1u>{)_khvibBk=<#{R?f` z{@K<*B6;rkMOQ_ZJ^$Qp;B2a}KUVI-umXo2R#y8q56#o#&O{b()_fc^y8P}oWGnSO ztzWeFmpEKQ4~0R3VB z>!*tD15drW7sItd8z=Zo>lQLj%;Mc_zg~VFp}O&<7CC{X%VBSC?>hJ6Dc9+u_|n6B)+AXkuTqm$AoZ;_Dc0TIfrJ<^P}$ZW=q6q*S2 zJj#7H1AelgGNGhktS-jRYk81EwV0DqBO>4na-z!CQ5}`+H{3C%&s^4EGx6v-V(DPc 
z0*g0p<4!vyiqalc?={?zCuDt$nj~Fb-z3ezafL~gDaCn~TvwL1WojMI7a#;sk{pl$ z_WL0doggFrA{9;Qen!x%Y;OP{Cj^sY=SL|)7sSmj`}ihh1t(FnKUJ|o0n{GpQHs|e~{kB^v{A# zjA&|0inm8b?4R`5#r4xy(=Vyn#qivxsp3FpRlaW?Ks7gr!g;e=Xt?`mdZKq1J-1;r zM{1g&EvU}H8OX3`a93nV)>kts(Mgq%-GMbVSU?+Lrb8;i5!3SOsi?}yYl~)u6LiM@fzG;VZ*HU9!C5V z-nq*n)&oY*-naM3OuG)`nnzPq2#2q zdKDI=?T{tBcj2)DjRUj4Y7uW<;cVTR&S~DtHPDR0uwM*vx1-WQ*WSMf)W&|r2`<{9 zoX4>5s9IK|=CjUG?kh=)K)pm6>p}j38kG9F?!L(gHWS88k(avhTXY5Ph}e4!ItDnx zLLfoDzc6J4A$WVfJ};u`9m>f)B`{8-`vM-*RQ|I7pmRYUihK!FShGy`|91~EBsB~d z3<{_p?)|5Oa6{jgbH)Bl$dm-~o~Dr&&X5zmaT}HUb~`gAS%V+m(~G=@J`@q>d;)%#nAD-RjZ@=#^{Hf(N(n8QYbc9cI?|Yj`}O-ttz^k2&*+g3 z481Pi{lY_53eeRew%IV@-a&@!MS);aC+7YkoZ|sPFiQ@LO402*t)dt{00*sq zt>84ZwNReK7u|rFQp4c>pc#e&G{!VVo)DxOb(nym*T>lLkr8kKHy_#v1J?L&IR96> zDo{lky273jpbq)0Ej(9>zT-*or|j-219^pmnEnls0!$Ei$S=9>`grMj(}$(kRl*20 zEeH(_SiNiF>y~B%#Wr(odjB5F;HYTJ+s_dpwTIqdv`V6R;Ebs8u>{QZFSwF30ujGcc0;wci}5v6#b(@7T-sC|G}?rdY&oE!!#fVf)bhFpU~atYm)F z3~PnfbfJ@K8l597G3{M}8b&xZco?{P6OIxzizg$0N*ksmi-LT`3H;oBC1u)LiIFZC zfzKywoS&R+c>!bdNLz#AnyGHYhNY;F9f5C@=NH}l3E33tkK zk1HeXxa-vAk370*YC9Ft8B35$0j770y&Fm!IwpSoP!7c6Zn3<<0^r&_wIFu^h85xw zc&vaq3Hit5>TfhoYstq+J*r{cSU=x6S>5q2Z3nn|O2Q=r5)h<0E;PUzMWSp*L4%eU zlCxzF8|yN2F4LuvI?UHDXC;pa1AO%cRlE2yVI z8hIuXx4-6gnnYO04o73XK?Y?EBKWW1pXUpcI@sGXbHH0EX#JrnNmPwsT9jSughOXU zoAc{5i5rc71*Fga3H7NmR1_sfm-rRTScCYYp#Xq~dNlc%A=Sa;QUyGbciV&f;Z*6hM z8E4CGuOS|2zCTU+m1iHlu)(dw8Q<$DcPq5Z#HEaDP2d@Lvz}@lIDd>gyoc2pqFtjKS}%6J&Ss$y%BxsInS8id#9upua!F{;o8&b~-&Dl`xRk+%LXKGq&9?E=6u^;187jzMeoE1-0rej=V?`D`z77$a)-j=lj*-5cz}#wNlmT+7KPFGKN@@GPc@-27W>%VBKHe+*m2AY=3<;ldsdp~ts?k*G6|V_3(4LpC(HuP(%Nowj)u5uE!Io$9;4D(w(N?CA*OFo}0v(5?&}-9b?9VJ;IY= zaA>Ye^Vlw9cB3BBMM1`a9k!c>99?FDAszA#G_z!s}8V#l# zAUndOo&HXfES0T9kmjV{8DMq)o;Wo*qT|;78_C;%^D#vL4d~*FI?npK3_x z6UCRXbtKvDe+g=02zownUJ}8*W%s-N&ftT-RZ#INjY1A!O)WuP-k1@(u3_xtZqZ<{ z;55Q|ao(dch(+Lh;c-qyf$p2Qd#NLh29vdlX9(8OK!B=>4%zz%1t=I;ixlbNEr6D6 zvZ1T!FUfa>+ysHzQj|r1Yrd^pK`*E^L1q%9hEDV0*h#$+FPqmw; 
zcbg>Rv!9Jt9VJyLbKW3hREeIgonp9&5Y|O#_YcD4*PUMLWvvDLjYYNem%Zp^p6fUQ z^WlJNPOaP77*ZI|A|k{oVoUDCw3)&r{pKZ$EJlRc3G~SfzWz<+FOPO_sVyg{;WvRV zeW){W4j%;MEf%@8gsb$uSun|;BcMR5*B0S7GhGqx>rl0yZdVU$J@iOBAlr83u6$qd z%s6O`_FF-#FMl3U{a7qLB=D*&3_zA}2;KVJB?o`0`${GA+UlrsJDlSA^ck!Y?&fP< zJ~_!0on#G%w_~-O`wu8qkPx_1QU~oOVy7L16MrpcmPTzP5;S`YjYdSFz(@~(;rm1U4_jJzsQ;>hH2U!;0jh{C4b^8+WS3J5)fU6w}ul&Mt8;37#OWQ9c-rAQ2 zmHOH%6lpW{_CKZ@l4yc>luOgR%41g^irmE93Ou-HLL>`a5>W+SB>4n))AlXfKRM!h zShv8!YjEU=`rw6(on4IWM!U4z#m28B->L`C3C?~J#uqW5KY1_e0tZ)jo|E9-{{R<>Ua5FBU!wc&l9X4Lm?_XcMT)DHeRS7tD#&NBA4oO=(EnHkF5HF0}R0w~*1S2^$yD?qySF-{i}M={oAudU~duwUpKJ)yRU&`gZU+WfyDGYtfU3k7ob zL89VxaWrfIMzrt)yA4H)p@a)~Hs8Vu{6zh1m$lxL5J{RoA~QE~c7#Z6Q*p9Tsqnnh1hU1ho~57(J_=JSVg<{pib{#Q>ylL6#L+5wxCh_+qK!SgJR9MqE89gdq#aDs1S^0=n= z{_c=j2(VEvDx<~tv+9;(uXAwpFRl&IMJFH@$09Ok%>-FfH#BKgH0-i#PinbM6NxC~vCl~S42 zWR5^RSe#0hRIp3s!3skYdR4^m5xgr?h*?@U*b$u$#PB#?X|CjifTwN zb(;W{>g7tYiD}4%wjd6F2Ril2^)XG7I->71Q32O$Pd)y}d!!9AVP2LYNf-2>*wrG5 zzqxCo2U;g%gls2M1kF0~s8BN<5N&LAi_Zzm)Dq9&iJBUhz2Yy5X}FWe!Wvm@)Q19Q z>N;t42`4%Jd|e?ob!r|X(S4Fz(&O9iulTT@)(#KwXWwH13faD#IGZz)zA#?3z@ndV zsy2>x=nxcP_VJx7^$fBKON9f!C3z89+9XfS)7kx&W;O0Xl}-v@_euy>LDR~>NmmJ* zKdJ>J(JB`IO_stXZX|5iP|j}fo_Tu~8pg$`tyh`eSLurqwhp*;(Sp+8bx5XqZ*U-e z_!=K&UUK8JAK$kn0Z93Ltcnq7NETv>jY)@jiE1Pe0!}DJnI}_V-U&}Ed}y>*#pz?Ve8jZ>nja;T`2Q3@^0ZXu;5H1O7BTbfLLlQ5S{+p)Zl zS+(6z8DKVqhS%=)Y1DD)2QLXUUz6XT38ymI8!klj$N3sxFv@}|&1+cAq=z5f7zl)P zuCH`>7ku{!!atanVNAA^M&16tp)PsCv)b&C%C)IWHJZw-K~SN2f!5EHOijl;8lRb3 z5i8)sEUjE1POcqb{>AU@#9(;y;~i}l!k%&9|5yO`VR?{R?m>H&(-v>fuGUaw6Lppk zJxG%k_udOy+mWl!?^1$Jop%{Fo#p#Vtz~Qvb`}r&(%j;t7*bLUx72y|!^j-4@eb$NoB!PVd@gkJRj>l{#t}BvyH=V6KJzW~ z&Wv$te&!|Rvw26Z;8GhBS{f8(L#WN#X)qDCb$mJ5P&cKD!UJS4$jYC%RcKtUK`QsH zb1Gzib@^JFj~!;X-YOi?Bl?3l`8^sxjRanysMs}?zwv~3S@mjQ3h3RiRE|C^Qvem6 zv-5-OEsj`B(pCDkODp~1v&`dT^Wxmy#2TnHv>*F_MpJ0?OV7RQ&8)1qlz$3=gMX1+#tK?ay%${GT#pA|yASL7a6f5DTBxQC|axxv2Fa4gg zNHfhKjGHzJkIP|vrDk10$rkH{0vIsI)PDKxUnD}5PeKAou65J%fQVKzI+0GLSPThs 
zUvhb&TCZYcalHVWHI2(5rzb)zY=ie)TRutx957O|9F!O--Mo`C*csC^^!$G6;S1gz z%F4^jTVCAcOVR+Gf2MDGrH2^S&1wXx7@O$oUOb4Z!sWOaf7v3T#LS!?QD><`;d?uhX`4lT(v-F z%Y(R6b3|7M@kQl^fGt%T|t}GDBpDJ)$;E;qndr7{*BYxunTwn9NLyjO+`BGi68e%pFT zVd*X~9#rv@ETklKPp+rj^*mSv)hxrvhZlY@N%}AEP$mD>yGM4!oj7N$L|}PFH_Yuj zcG>JdE}58~Eu z8H;tIxw@T94UW)69^z{VX9DuS`I)Nx;v&I>fd@<96ANF_oGX&D&{ID?MEn=T8`cUAs zc#Loeb8;qBN~A`$9a25_IwIX}Ax_zND3ow_sfMpYhMjDyRj7Z_lsDD%o;-F4V2Wys zm)pa|zgM$q&01gpl@3Da?prD?@6>Uzd_742)@^{BKlAp@xhI8f1PPh1+j_1XwY19k z!60gD6$E|f-o)WV8iu`lNfIA1-r5_!TxLvIDRfXMM%GDLd3ln9_s#$r2@<$Jpqz(X z`!rA4k3ZJg9I(^%w#wnOYS)zl1&2Ch@bRqCdOgCh6Jg(Tiv?*LR2kLn(gmi8?7|5> z=C2$EKOMi%gIAvZ^~YkMAxoz$ti2nrx4XsB=FU6DMvNpTc4?=qHr^vj+a`YtKT6(v zJf7x$3wLmI-I_@^HE!}w$Ds;R`oN=61ZC4}nvijAwqO{%3xd07i&e}drCwfMcIt+~ zqa78V2H^{VEhJ+8VjB@yG_gZ5nU9s`=Egbj7mfKYk3U1qgqTd~bbp>w82Q#QbGw}p z>WGD&*bQ@guj{lldrD@2Ew-tJwK zQv($Xi1w*qo_eWuUR+VqS79KQh+)l}DPwlCD&KxleVLYhF~vlS3^d@RtHCxwIwcGJ z>YkN$3v7m~AVd_ElJ9501#m{%bZ;ct`k@Do`0?Y^2hLEpzxA$pM%`*YbC3QZ zG{#Q%lSyq%83OYhIx$r+>M$BJWpHpiB|5M@9$gBOEFf4PsQB&Bu)O=T=wHK~jW%29 zrk|;9AI|&M>TMNvKq?)e#p%4AN+*x|`5NDYuf@b>(#ZG9xI@Z~%RM^_RZ(8-m8Kw) z1UyFVB0}oGm;S9sN`?d$;q(V^CXeGd%xq6&fkE2l?L8UO#dg0)%ciRn z@=2^gzs`;wYZfae>#RUk1y0=17RXn&T*Y4D8|h!P z-^Bh&0rej^@{<2hUjQeDH0YG;I;SCDP<_*Qz`wBMot{;PF2)aVvQ#a-&U|4{ZbE1K ztB52bW{H!NQvr_AJppt9dF_uK-!gwJ9^&%CfukBY?-|?(Py?gS)#EG+1!S-FdseTYbClFMgaVst(j%d#*X3 zIYyB5b57NFYY01D^&HuS;Z+}cq2l z+O?A;rqd7S$_7M<-ccfi81M|Rc3LT@;Wdoi7SrOdTGl`BN3*G;g}(7IPdIN0h&5m$ zSZJQFV+%d4ft4s@ceSY&n~hxs+LwH(yJ_#W;<92 zRF;ECawXRuIWDy{C0B%az7zbNFwpGmUQvkDu(t0d~kU`Tk&Z2JBIRqFLb2vilMkK|{CXTbK zNyK4g;4K9$4@zO8wWprExztXI>TVg>=QPRdac3N0(#Xj}&y9RBKP~E?s4UfZb`p#b zAa*-(F1SO8D?1DMXqY`s-y_V!NZ? 
z{gqUg%dgdt!FqjM47in|c8+^pr_O~7;<}u>Z%g^8M3|e^_zYF-x&5aen_#Ty9R?-4 zLysPa7423LRBw%EQJV~ZhPZ~qgI+aVzak4r;F<{_wB<4gGvkoB2`&P_S5>m{kL6RbXY zJy@(*PzF({bZ1rMR zasXa?Mq>h58JR_LHMP#~hJ_G2HLgw!4Ta;ekO6Qf z;YFtsK0n-_`h0{6GO9hYw}mREWCTh9lHhss*4Ss#k)!RsOsY|J$#==$&mLVV%OiQ$ zbY2QK@gXtc`(h}PEyLmNc;~fA`hW-L4SodiB?}~YgVvQjig?IQ^Y@&U|GcxY#<(r3 zn8YD}fo`wFofjgeMC?{&M3{oZWnb8@=pyc_Ca3MBPvzSCHs0?K8Hco?q(HO~JyQ~$k5{_ULo3+24f0BrUJMaAlhG~xVSvOW~@^}y`&mohBxMLKaGYUR36 z2N2P?D?YEDLr&mpCQ93VW3LIeis0fFB=Ew?|An@D5esU$U)Hr(KTQ310}K?P*Ev;t z;-2-3^xZ)5yN2MfF8<9nIC1cCeEj_gzY*{t9?78-hHrpsY^Sm~8tt|^`l_=N_fLKQ z33f@jPi&h)2KAuS!X5^}N_$!-9Ik(tc-d{QT;Fu^dEICnb#@%Uk4VvYj3v&xiiDfTE#0L!{))28P{DTRRuo+F;$SRkJE zc}3beg>!lB?Zw!~&^ns`&yfIb&Sm0hFzL)0PJ_V|(!Twfmmwj`3^iZQZ&OcW$H?kc zWjvfg=1RYqzgOCxDj7#=3J)N07p6r~+VdJe6I4)2vJ^b5GGBxWs(aB6`C8e1^ho~t zT|1UCHm1@^!~Tuk;l@+i6KD4@!D_MS=d@8#C{#}$T|o=o5rOinr$--}nl9&xE~9EJ zWk{`;)}DBVbHc-ohl26S%lN1x-M>-nfl{VW$L2hPt(V*$2p&Tl5+IN3aW;y3TFCvc z*<69&l%X4k&Nt2vi@qYMK#_vgMHmf4*DBRFA?ftM>$U0&TVA)eSQ(jDn~df&O_MQF7!Q$U6e%{S8a%<=8-0qFemzF;xqHfyB=Qd zesc1im_%TV$h^ucOO>A8x$i~)mwpXe``d{Zt6m?SZ^=wn`Cn?-z8^qW4L5eAgFeBBpL-`VNkHn> zvd^l^E0Fwv+s z4bJ(QyPd|xs{gstCuzl@uuImb7vh1moJ&vcegWq_1L(vGq3c55&q0&C_)+{D!i83C za&54_t>Drk8d{X+Yv2YpUlkA)60LOk^1GVRP0JqLRwg|3V4Gmt&5SuI^8yZ2DD8oE zm6-{blmMS~!AJDL<>wYjyEg1Lwncj}+K5i#FBB&9Xy;khGyT=~P>|eka3fB@vs0Co zABd3*Y+U`2sVS?jR@106fVlsKG(NXd8vz<~S~E)@I~&I>of{0o)%6Go~?uK@cc&7_R`Fj~!d>Rabs|5w# z`#j%io?AX@HVo_}KgOOXbZ3S?p%Q+dICK3!xG-5R#;EdOW2{#{=la}Ai=Um;u`TYn zETAkNN(0b16jU86YwIH*BO2258($6+s%23C$AjTce=C;D55;%GiX$_H^1>l0>)-A9 z-ZwEq-~w-@Mi&9=sti2C0#?eWI17bpM*2^tR2hftzna&GEZ~N0=N`Wp^^Jdu)H-{j zxY&(?vSY6;=(^}qf+y*#icTB+LDw#e*y~Mg?ak6g?OE*YQ@Z(BLvSxbWUaWr(R1$B6rVq)uTOH@}E8hxyi(fVQ$~vdF*wy z9#ku_tFfm|Hqr5yvvR7#?Z1;Se})8n#IVs@M!4RTNY0q{qUdUscI=2e579Vs^UnyV zVzT+%YXKJYrIkv+hl-{u3h)j7=P3SfgDOCnm=idWG4P0-7yor?hG9?Q)5h1J74Sf2 z$dML_Z#e6j zYf5Bh?uUtz;{ZB#5izj=#K4_=QA13sEKS}eXv$lO_^*{c;PGN&TYTGY|MB)*IjMCd zF1wNU_}W@CqFH7&nX>H}6gL&9-Pnz54A>5&akY)_ilcfb6SG!*uwVxO@?o(dbxNr(k 
z!N$^qOXs&EH@DU+khWW%i*5o$Y~&g2E)p8M>xtTN%9|jiJ(=okcvDpvakM1C>NfJg zEi3VjqV!E^zIow~{6a-^(5MNNLF@Bx@=PE)_)VG^lcSB60>?qz)U!qZfqktQ3<~BK zQCIDqg8ak8r#5-kIhbT(jML26aWOt?oqR1(grb5HXG}*?sP7Syhod&(G1Ic4cQkOA zmm@VC*5TXop_$*A1u28LRkYUWhqHCfh#~|rd!n&2dZ68~R-TJHdeDmPbIB3-TBGl| z-N|3XDm5K?)KtOk#eWLHvO<}X@IH^o7A-X4S01JmfxK2lviA$b#PjfXfA>v=xo*Zk zbVA@bqkn>qjb4X+8GLuy!-MpZZgmVe%q`EE46}728dsrJ8l~^Tw_5=32A<}qKxcf} z77=tC!c4n#le?T-OUoiF^C4mbSVmdNl~<_*(m89vzE$Lb87ox3nqYPoEmb*P)VT+>9zr&O4Z64SpqYIPJ|aM+_yN3_5S4pRD3bQUk@Y<7J9Cth z?S)5SHkr?8(2iNJ)G8lzmr}|mS^eGwAUFUEqJaQTq^p#h1R>{{8~Mm1UcuMq7vm;E z7$Pohy1rj%SCBiqqQG-|wP7#vVMg@fKc7z=lC&05b!PxDbxJ3FIXpa$z%X%J&y|`z zur?l)W-34KcUSpmP|lhh;C`SAGTw<9y!#3STBtF8Rk-KL%g0ud+F-Qpd^kS?X_V+l z)t@2M6^~O{Zp|-1NtF!f$n^9#_{Vvh;yr+&=;0_?nUszW6=nWO#yiPIQQbUaD6;)i~oE|gUXFg#^wa{)!47ZG^v zp_;VwXBqi(#;(yb&sU)`WSZh?yPB@%J%8ZmS6E5>XehxJ6MjTv#U!Kyx;Ja98ZZ*- zX<{bwM+>}uGo{EyN^k3^qf8FL0M_zdf&=Coa16;LNtGPWq&yXJNt7N!ZX|e9ZpOzd zE4`3YnN;6E2(5+);Y$-@!ln&99PGWXMoLPMRZ6OW!*GXoWI;XlzR~gT1}p11x!lmK zz|CsJo_}4q@MR>3#7AcMN`GY*>M|2;)_ z9fSi680 zqW%Jupb7uKkN)A9qPkMod*Pbs358G(Wok^MnUQ<-zYWO(7CY>IG%u^UIlRQ6s$Z(? zm|q}^UpEkW0%>a^hOr_lX_eofJVHZx4O;DVD3Bg^7~}M_cTaw5Z?v52G;fMNvUT*L zM~PyU7*8-9x*QasdCh6q*)f8M;?$aYZwCbl3P_=hg@V3paO520$0>OIBvs|rNOTy~ zPWnMe=MbixlmG}}3L%_i3Z2E^zY8B%mvlX_&xOBgKXzXA=mL!>ya`O_Nn%uNFkZM? 
z#+qbW?qHHkAxI_-TwW&&}kAsVc`JpARt@#aIf-)5)~Ah~gJdoTD7bI*-4*CSoAp zh3DVQyy{;ymb7MCkBDJ>kO%tNvaL+%q`=jrBA0UL4mz_y7)Sjlk z;+ZLFRGA8iLlKA!xE6aw-P>4DM5ZVC8quzIV2leloK0*deH&r6Zv^pel3``W%8@JxFYMQ_GcanWj;#{EGb=Yp%80f;Vf7T zyV{=-tqE@_VcuB?2g$om@TwP1o1fC@H+1PH=<=T+)d|(eNPG64&u#S;t~t*o`DFu+ zyoqP*pqyi6^a(-vg)ZTw_@QMBr$5LOD{xF%O1~M*?V}s=y?`;DaWM~vJ)npaft)d3 zV8C70cN)#2`2l@3I*S1iaSc)#aXj;tb-b~=7Z^RbDUZaP=DXtmw-zyd?PFN9!E=|N z#4u8z_BJ*(rRv#`x9?4ePSJClT1Qz3~q`*3(vEv*7f>iXs#n>z621JetK6lwWDU*|O1jF>NxZpm${f|_dhQ2NQ zx1)nrq}Uoj#(?|>@HC15oap0V1sy&d=6DM&r% z>Wa$Xr#nOcB)nIeYxx<4f6Q}f$;y7Pn&6R&)HyfvlL#V={A?e3WIqo}kX{nGT_~)y zZ9`an8;Z=2s%qkx%sjW`L7+QY+?59R7woM#=(t#R?LJG)=llN5zx(?CRch{Di+>sf zBBuXV_l0)E0*Fwaz=V9o`gqgdq>BC5X+-SLU};b2Un zh4Tf;`g$UXz8*mFx(=z(MWzcpJrzqQAL8vih0V^9Y3#x*|H}2Qg~$v?rUlZcJ*0AC zWa`X@4>iDky{ZC5!#Iy#{4-Y#rXZ#-`sKOpskU(*yDY!vdtH0ajjbcTb0hiDfv6JB zShxpeJczoY_c@&W{Y24N&^T-r^n@CBmuR8Hxg=5mUMa92EeDcjugi^-96&bbrZ^29 zYSbzyC=hPhuz+mSvh=KOZ`b0nxY0S}z@?J|aVsnE--rPz-0uf*SbPsG4;WBTP^_+J zYDYuE9os-krj&>L+N-eaYU(HnU+B6$GX|F%gs4 ztT4g35B@~@!GqbgTq^;8KX=6^l9rqhfsb~U(o9tzBA>hIY z-MRAIMv#jHSX%2*$F64|UVTv6h{(9${nKGLG3AmQTKe0?QUcj@*$`2*m!}>CNl(JY z!2!&>>HUnohdlJ=_`l5!F=-s^A#VRRc0t7nGVK0#oem5a!>AO{>2DNHFB%^X+n(S9 zhm+dH3A(fGHkorQVtAeuQITO(!-v1UBgcz78QZ2`TT4M~OimrA)&JWfv*3TDA?cI@ zeos)&KIoVO;0|_HX5V}hpbOU#)j^`ct=j`>PpmS~Pg~E#g~g&25i@bks=atot)}<_ zgP#25iV~HGGY(PVkb;M0F9DxanuRyMF@QCZs&Q~6QwJlF6DNiq644H^_tQnYE}go( z|7Zrse=HDz1S2iKAdg0<6l!Lh6Dn&YXqi$0n^iW|o%Phs?m%uPDXF1HNy(P_Qvrrn zfsfO~pv$S~xOie4_g4AGIhGmP`{mRC}}#ZH}!=DV+3tEFlZS zS!PV4M)zmxjizJh+;zQFc$_v$ac>~Z{Xm%C;YF|TdpN0Vj&}r8fVY|sn3ScImQq$- z!B!%SF}pr2{T+*?ZT?*J(a~I{V&tHyGEL{OV5I zRL*Nn4QN-R%{*u%J9oWHIg;wX7i%N`K(>qC^<}wUDitKIlqeW&S0sIr2~Wt0@ap}6 zwpN$xEkIaWh67CHy5XaK+Ix*-MGqmhb|B&POWi%NAET7U@LD~inS2I8&JLA)&+Ul0 z)R^aad@A&w#`rFk#$?Fo{m>lm8Htiw>kpj8GRn%z#I@T0ENos};6BLL&)GNp4h|Qa zY9G>4!gk(aAl@_N%mgk1tFJ*f>GyZWF%HvDI}>KA2I;uLJ*9Et*)~GvIQ(w2ucS;H zbO?^RxEY*!jJ*4}&&!E3V~J2y-$0N~C=UySAC$+6iS#oO3DsG?NM{%d`p!_>(u^oP 
z$5IN3Y$IREJ!w2MxWSXzg_Q3X6MItvw=GF-TGe~P;ZRWbh#`Bb=