From 99aac36ba263e17c0ad5e2a937f4e7ba3398cccb Mon Sep 17 00:00:00 2001 
From: Samuele Chiocca Date: Fri, 12 Apr 2024 17:19:39 +0200 Subject: [PATCH] Release 1.28.0 (#210) * feat: moved eks infra/kube terraform folders from furyctl * feat(encryption): added new security parameters in the OnPremises schema * feat(encryption): moved encryption under advanced key * docs: add WIP release for 1.28 * feat: update furyctl version on drone to 0.27.6 * feat: WIP partial kfd.yaml update * feat: WIP update e2e tests * feat: WIP testing and fixing new networking module, fixed a problem on cilium operator default tolerations * feat: update e2e to 1.28 * feat: remove cerebro when using opensearch * feat: remove cerebro on migrations * feat: WIP update kfd.yaml versions * feat: replace gangway with gangplank * feat: replace gangway with gangplank * feat: bump opa version on kfd.yaml * feat: bump on-prem installer to v1.28.7-rev.1 * feat: regenerate pkg apis * feat: put final version on kfd.yaml for logging module * feat: put final auth version on kfd.yaml * feat: update Furyfile.yaml with the same kfd.yaml versions * docs: update release notes with all the correct package version updates * docs: add furyctl on "standard way to deploy KFD" * docs: prepare readme and compatibility matrix for versions 1.28.0, 1.27.5 and 1.26.6 * fix: minio tracing ingress disabled if backend is not minio * fix: remove cerebro also on legacy kustomization.yaml file * feat: add prometheus -> mimir migration as safe * feat: add websocket support on grafana pomerium policy * feat: rename loki config to loki-config.yaml.tpl * feat: add node selectors for gangplank * fix: minio monitoring node selector and tolerations only if backend is actually minio * feat: update drone to use 0.28.0-rc.1 * fix: tfvars kubernetes phase * fix(template/distribution/monitoring/mimir): set max_global_series_per_user to unlimited (#205) Mimir limits by default the amount of time series a user can push to 150000 to protect from a single user DoSing the service. 
In our installation we have just one "fury" user, used by Prometheus to push all the time series to Mimir. So, as a maximum we will push all the time series available in Prometheus, making it a practical limit. Co-authored-by: Samuele Chiocca * fix: minio monitoring node selectors only if storageclass exists * feat: add entries to schema docs * feat: fix spaces like 1.27.5 * feat: align schemas with 1.27.5 * chore: remove whitespaces * feat: update furyctl version to v0.28.0-rc.2 * docs: update readme badge * feat: update drone furyctl version to rc.4 * feat: add e2e test for upgrades * fix: wrong configuration for the new upgrade pipelines * fix: wrong path on kubeconfig export * fix: e2e script, mising --upgrade flag * docs: update release notes with the actual new features, removals and fixes * feat: add release notes of 1.27.5 1.26.6 --------- Co-authored-by: Alessio Pragliola Co-authored-by: Stefano Ghinelli Co-authored-by: Ramiro Algozino --- .drone.yml | 113 ++++++++- Furyfile.yaml | 18 +- README.md | 12 +- defaults/ekscluster-kfd-v1alpha2.yaml | 2 +- defaults/kfddistribution-kfd-v1alpha2.yaml | 2 +- defaults/onpremises-kfd-v1alpha2.yaml | 2 +- docs/COMPATIBILITY_MATRIX.md | 54 +++-- docs/releases/v1.26.6.md | 108 +++++++++ docs/releases/v1.27.5.md | 108 +++++++++ docs/releases/v1.28.0.md | 110 +++++++++ docs/schemas/ekscluster-kfd-v1alpha2.md | 18 +- docs/schemas/kfddistribution-kfd-v1alpha2.md | 18 +- docs/schemas/onpremises-kfd-v1alpha2.md | 40 +++- kfd.yaml | 28 +-- kustomization.yaml | 1 - .../ekscluster/v1alpha2/private/schema.go | 2 +- pkg/apis/ekscluster/v1alpha2/public/schema.go | 2 +- .../kfddistribution/v1alpha2/public/schema.go | 2 +- pkg/apis/onpremises/v1alpha2/public/schema.go | 179 ++++++++------- rules/ekscluster-kfd-v1alpha2.yaml | 17 +- rules/kfddistribution-kfd-v1alpha2.yaml | 17 +- rules/onpremises-kfd-v1alpha2.yaml | 17 +- schemas/public/ekscluster-kfd-v1alpha2.json | 9 +- .../public/kfddistribution-kfd-v1alpha2.json | 5 +- 
schemas/public/onpremises-kfd-v1alpha2.json | 21 +- .../config/onpremises-kfd-v1alpha2.yaml.tpl | 26 +++ templates/distribution/_helpers.tpl | 4 +- .../manifests/auth/kustomization.yaml.tpl | 18 +- .../auth/patches/infra-nodes.yml.tpl | 16 ++ .../auth/resources/ingress-infra.yml.tpl | 10 +- .../auth/resources/pomerium-policy.yml.tpl | 7 +- .../manifests/auth/secrets/dex.yml.tpl | 10 +- .../{gangway.yml.tpl => gangplank.yml.tpl} | 2 +- .../manifests/logging/kustomization.yaml.tpl | 3 +- .../logging/patches/infra-nodes.yml.tpl | 14 -- .../{config.yaml.tpl => loki-config.yaml.tpl} | 2 + .../logging/resources/ingress-infra.yml.tpl | 41 ---- .../monitoring/patches/infra-nodes.yml.tpl | 4 + .../monitoring/patches/mimir.yaml.tpl | 3 +- .../networking/kustomization.yaml.tpl | 9 + .../cilium-operator-tolerations.yaml.tpl | 8 + .../manifests/tracing/kustomization.yaml.tpl | 2 + .../distribution/scripts/pre-apply.sh.tpl | 32 ++- .../ekscluster/terraform/main.auto.tfvars.tpl | 51 +++++ .../ekscluster/terraform/main.tf.tpl | 77 +++++++ .../ekscluster/terraform/output.tf | 46 ++++ .../ekscluster/terraform/variables.tf | 118 ++++++++++ .../kubernetes/ekscluster/terraform/data.tf | 13 ++ .../ekscluster/terraform/main.auto.tfvars.tpl | 214 ++++++++++++++++++ .../ekscluster/terraform/main.tf.tpl | 74 ++++++ .../kubernetes/ekscluster/terraform/output.tf | 66 ++++++ .../ekscluster/terraform/variables.tf | 208 +++++++++++++++++ .../onpremises/encryption-config.yaml.tpl | 7 + .../kubernetes/onpremises/hosts.yaml.tpl | 9 + tests/e2e-kfddistribution-upgrades.sh | 14 ++ .../furyctl-init-cluster-1.27.4.yaml | 104 +++++++++ .../furyctl-init-cluster-1.28.0.yaml | 104 +++++++++ ...l-10-migrate-from-none-to-safe-values.yaml | 2 +- ...-kyverno-default-policies-to-disabled.yaml | 2 +- ...-from-alertmanagerconfigs-to-disabled.yaml | 2 +- .../furyctl-2-migrate-from-tempo-to-none.yaml | 2 +- ...uryctl-3-migrate-from-kyverno-to-none.yaml | 2 +- ...furyctl-4-migrate-from-velero-to-none.yaml | 2 +- 
.../furyctl-5-migrate-from-loki-to-none.yaml | 2 +- .../furyctl-6-migrate-from-mimir-to-none.yaml | 2 +- ...ryctl-7-migrate-from-basicAuth-to-sso.yaml | 2 +- .../furyctl-8-migrate-from-sso-to-none.yaml | 2 +- .../furyctl-9-migrate-from-nginx-to-none.yaml | 2 +- .../kfddistribution/furyctl-cleanup-all.yaml | 2 +- .../kfddistribution/furyctl-init-cluster.yaml | 2 +- .../furyctl-init-with-values-from-nil.yaml | 2 +- 71 files changed, 1936 insertions(+), 313 deletions(-) create mode 100644 docs/releases/v1.26.6.md create mode 100644 docs/releases/v1.27.5.md create mode 100644 docs/releases/v1.28.0.md rename templates/distribution/manifests/auth/secrets/{gangway.yml.tpl => gangplank.yml.tpl} (95%) rename templates/distribution/manifests/logging/patches/{config.yaml.tpl => loki-config.yaml.tpl} (98%) create mode 100644 templates/distribution/manifests/networking/patchesjson/cilium-operator-tolerations.yaml.tpl create mode 100644 templates/infrastructure/ekscluster/terraform/main.auto.tfvars.tpl create mode 100644 templates/infrastructure/ekscluster/terraform/main.tf.tpl create mode 100644 templates/infrastructure/ekscluster/terraform/output.tf create mode 100644 templates/infrastructure/ekscluster/terraform/variables.tf create mode 100644 templates/kubernetes/ekscluster/terraform/data.tf create mode 100644 templates/kubernetes/ekscluster/terraform/main.auto.tfvars.tpl create mode 100644 templates/kubernetes/ekscluster/terraform/main.tf.tpl create mode 100644 templates/kubernetes/ekscluster/terraform/output.tf create mode 100644 templates/kubernetes/ekscluster/terraform/variables.tf create mode 100644 templates/kubernetes/onpremises/encryption-config.yaml.tpl create mode 100755 tests/e2e-kfddistribution-upgrades.sh create mode 100644 tests/e2e/kfddistribution-upgrades/furyctl-init-cluster-1.27.4.yaml create mode 100644 tests/e2e/kfddistribution-upgrades/furyctl-init-cluster-1.28.0.yaml diff --git a/.drone.yml b/.drone.yml index 172f3193..f5dfc41f 100644 --- a/.drone.yml 
+++ b/.drone.yml @@ -93,7 +93,7 @@ steps: - /pluto detect distribution.yml --ignore-deprecations --target-versions=k8s=v1.27.0 --- -name: e2e-kubernetes-1.27 +name: e2e-kubernetes-1.28 kind: pipeline type: docker @@ -124,7 +124,7 @@ steps: - name: dockersock path: /var/run/docker.sock environment: - CLUSTER_VERSION: v1.27.3 + CLUSTER_VERSION: v1.28.0 CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER} # /drone/src is the default workdir for the pipeline # using this folder we don't need to mount another @@ -159,7 +159,7 @@ steps: environment: CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER} KUBECONFIG: /drone/src/kubeconfig - FURYCTL_VERSION: v0.27.6 + FURYCTL_VERSION: v0.28.0-rc.4 depends_on: [create Kind cluster] commands: - export KUBECONFIG=/drone/src/kubeconfig 
@@ -197,14 +197,119 @@ volumes: - name: dockersock host: path: /var/run/docker.sock +--- +name: e2e-kubernetes-1.27.4-1.28.0 +kind: pipeline +type: docker + +depends_on: + - qa + +clone: + depth: 1 + +platform: + os: linux + arch: amd64 + +trigger: + ref: + include: + - refs/tags/** + - refs/heads/main + - refs/heads/release-v** + exclude: + - refs/tags/**-docs* + +steps: + - name: create Kind cluster + image: quay.io/sighup/dind-kind-kubectl-kustomize:0.20.0_1.29.1_3.10.0 + pull: always + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + CLUSTER_VERSION: v1.28.0 + CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-upgrades + # /drone/src is the default workdir for the pipeline + # using this folder we don't need to mount another + # shared volume between the steps + KUBECONFIG: /drone/src/kubeconfig-upgrades + commands: + # create a custom config to disable Kind's default CNI so + # we can test using KFD's networking module. + - | + cat < kind-config.yaml + kind: Cluster + apiVersion: kind.x-k8s.io/v1alpha4 + networking: + disableDefaultCNI: true + nodes: + - role: control-plane + - role: worker + EOF + # NOTE: kind's `--wait` flag that waits for the control-plane ot be ready + # does not work when disabling the default CNI. It will always go in timeout. + - kind create cluster --name $${CLUSTER_NAME} --image registry.sighup.io/fury/kindest/node:$${CLUSTER_VERSION} --config kind-config.yaml + # save the kubeconfig so we can use it from other steps. + - kind get kubeconfig --name $${CLUSTER_NAME} > $${KUBECONFIG} + - name: e2e-kfddistribution + # KUBECTL_KUSTOMIZE_HELM_YQ_ISTIOCTL_FURYCTL_BATS + image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.1.1_1.9.4_1.26.3_3.5.3_4.33.3 + pull: always + # we need to use host network to access Kind API port that is listening on the worker's loopback + # beacuse we mount the host's Docker socket to run Kind. 
+ network_mode: host + environment: + CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-upgrades + KUBECONFIG: /drone/src/kubeconfig-upgrades + FURYCTL_VERSION: v0.28.0-rc.4 + depends_on: [create Kind cluster] + commands: + - export KUBECONFIG=/drone/src/kubeconfig-upgrades + # We change the loopback IP in the kubeconfig to use the service hostname and keep the port. + # - 'sed -Ei "s#(server: https://)(.*)(:.*)#\1kind-cluster\3#" $${KUBECONFIG}' + - echo "Installing the correct furyctl version..." + - curl -L "https://github.com/sighupio/furyctl/releases/download/$${FURYCTL_VERSION}/furyctl-$(uname -s)-amd64.tar.gz" -o /tmp/furyctl.tar.gz && tar xfz /tmp/furyctl.tar.gz -C /tmp + # to use furyctl latest, use the following instead: + # - curl -L "https://github.com/sighupio/furyctl/releases/latest/download/furyctl-$(uname -s)-amd64.tar.gz" -o /tmp/furyctl.tar.gz && tar xfz /tmp/furyctl.tar.gz -C /tmp + - chmod +x /tmp/furyctl + # check that the kind cluster is ready before we move on + # - kubectl wait --timeout=180s --for=condition=ready pod --all -n kube-system + - until kubectl get serviceaccount default > /dev/null 2>&1; do echo "waiting for control-plane" && sleep 1; done + # finally, run the e2e tests + - tests/e2e-kfddistribution-upgrades.sh + + - name: delete-kind-cluster + image: quay.io/sighup/dind-kind-kubectl-kustomize:0.20.0_1.29.1_3.10.0 + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-upgrades + commands: + # does not matter if the command fails + - kind delete cluster --name $${CLUSTER_NAME} || true + depends_on: + - e2e-kfddistribution + when: + status: + - success + - failure + +volumes: + - name: dockersock + host: + path: /var/run/docker.sock --- name: release kind: pipeline type: docker depends_on: - - e2e-kubernetes-1.27 + - e2e-kubernetes-1.28 + - e2e-kubernetes-1.27.4-1.28.0 platform: os: linux 
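Review bot: The new e2e-kfddistribution step downloads `furyctl-$(uname -s)-amd64.tar.gz` with `curl -L`, untars it and runs `chmod +x /tmp/furyctl` with no integrity check, so the pipeline executes whatever the release URL happens to return; pinning `FURYCTL_VERSION` does not detect a replaced or tampered asset. A verification line between the download and the `chmod`, e.g. `- echo "<EXPECTED_SHA256>  /tmp/furyctl.tar.gz" | sha256sum -c -` with the digest taken from the published release, would close that gap (the pre-existing e2e pipeline presumably shares the same download step, so it applies there as well). `FURYCTL_VERSION: v0.28.0-rc.4` pins a release candidate in a pipeline that now gates `release` via `depends_on`; if that is intentional for this cut, a comment next to the pin saying so would help the next reader. The added comments also carry two typos (`ot be ready`, `beacuse`) that could be fixed in the same pass.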
diff --git a/Furyfile.yaml b/Furyfile.yaml index ad16b0c6..c07372e4 100644 --- a/Furyfile.yaml +++ b/Furyfile.yaml @@ -4,15 +4,15 @@ --- versions: - auth: v0.1.0 - aws: v4.1.0 - dr: v2.2.0 - ingress: v2.2.0 - logging: v3.3.1 - monitoring: v3.0.1 - opa: v1.11.1 - networking: v1.15.0 - tracing: v1.0.2 + auth: v0.2.0 + aws: v4.2.0 + dr: v2.3.0 + ingress: v2.3.0 + logging: v3.4.0 + monitoring: v3.1.0 + opa: v1.12.0 + networking: v1.16.0 + tracing: v1.0.3 bases: - name: auth diff --git a/README.md b/README.md index 7efae286..f5da1058 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ [![Build Status](http://ci.sighup.io/api/badges/sighupio/fury-distribution/status.svg?ref=refs/tags/v1.27.4)](http://ci.sighup.io/sighupio/fury-distribution) -[![Release](https://img.shields.io/badge/release-v1.27.4-blue?label=FuryDistributionRelease)](https://github.com/sighupio/fury-distribution/releases/latest) +[![Release](https://img.shields.io/badge/release-v1.28.0-blue?label=FuryDistributionRelease)](https://github.com/sighupio/fury-distribution/releases/latest) [![Slack](https://img.shields.io/badge/slack-@kubernetes/fury-yellow.svg?logo=slack)](https://kubernetes.slack.com/archives/C0154HYTAQH) [![License](https://img.shields.io/github/license/sighupio/fury-distribution)](https://github.com/sighupio/fury-distribution/blob/main/LICENSE) @@ -46,8 +46,8 @@ Kubernetes Fury Distribution is structured on modules, and each module has a set The standard way to deploy KFD is to: -- Deploy all the [Core Modules](#core-modules-) of the distribution -- Deploy (if needed) any of the [Addon modules](#add-on-modules-) +- Deploy all the [Core Modules](#core-modules-) of the distribution using furyctl providers +- Deploy (if needed) any of the [Addon modules](#add-on-modules-) using furyctl plugin feature ### Recommended Hardware Requirements 
@@ -128,9 +128,9 @@ Current supported versions of KFD are: | KFD Version | Kubernetes Version | | :------------------------------------------------------------------------------: | :----------------: | -| [`1.27.4`](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.4) | `1.27.x` | -| [`1.26.5`](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.5) | `1.26.x` | -| [`1.25.10`](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.10) | `1.25.x` | +| [`1.28.0`](https://github.com/sighupio/fury-distribution/releases/tag/v1.28.0) | `1.28.x` | +| [`1.27.5`](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.5) | `1.27.x` | +| [`1.26.6`](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.6) | `1.26.x` | Check the [compatibility matrix][compatibility-matrix] for additional information about previous releases of the Distribution and the compatibility with `furyctl`. diff --git a/defaults/ekscluster-kfd-v1alpha2.yaml b/defaults/ekscluster-kfd-v1alpha2.yaml index 1cd5367a..baa4ee82 100644 --- a/defaults/ekscluster-kfd-v1alpha2.yaml +++ b/defaults/ekscluster-kfd-v1alpha2.yaml @@ -252,7 +252,7 @@ data: dex: host: "" ingressClass: "" - gangway: # only needed as default + gangplank: # only needed as default host: "" ingressClass: "" tolerations: null diff --git a/defaults/kfddistribution-kfd-v1alpha2.yaml b/defaults/kfddistribution-kfd-v1alpha2.yaml index 246cff5c..e112ceff 100644 --- a/defaults/kfddistribution-kfd-v1alpha2.yaml +++ b/defaults/kfddistribution-kfd-v1alpha2.yaml @@ -239,7 +239,7 @@ data: dex: host: "" ingressClass: "" - gangway: # only needed as default + gangplank: # only needed as default host: "" ingressClass: "" tolerations: null diff --git a/defaults/onpremises-kfd-v1alpha2.yaml b/defaults/onpremises-kfd-v1alpha2.yaml index 9b2efdbd..0813461d 100644 --- a/defaults/onpremises-kfd-v1alpha2.yaml +++ b/defaults/onpremises-kfd-v1alpha2.yaml 
@@ -239,7 +239,7 @@ data:
 dex:
 host: ""
 ingressClass: ""
- gangway:
+ gangplank:
 host: ""
 ingressClass: ""
 tolerations: null
diff --git a/docs/COMPATIBILITY_MATRIX.md b/docs/COMPATIBILITY_MATRIX.md
index 7432b81b..7d0fdd85 100644
--- a/docs/COMPATIBILITY_MATRIX.md
+++ b/docs/COMPATIBILITY_MATRIX.md
@@ -8,31 +8,35 @@ For a complete list of all KFD releases and their compatibility with Kubernetes ℹī¸ **Use the latest patch release for your desired version whenever it's possible**. See [the versioning file](VERSIONING.md) for more information. -| KFD / Kubernetes Version | v1.27.X | v1.26.X | 1.25.X | 1.24.X | -| ------------------------------------------------------------------------------- | ------------------ | ------------------ | ------------------ | ------------------ | -| [v1.27.3](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.3) | :white_check_mark: | | | | -| [v1.27.2](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.2) | :white_check_mark: | | | | -| [v1.27.1](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.1) | :white_check_mark: | | | | -| [v1.27.0](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.0) | :white_check_mark: | | | | -| [v1.26.5](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.5) | | :white_check_mark: | | | -| [v1.26.4](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.4) | | :white_check_mark: | | | -| [v1.26.3](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.3) | | :white_check_mark: | | | -| [v1.26.2](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.2) | | :white_check_mark: | | | -| [v1.26.1](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.1) | | :white_check_mark: | | | -| [v1.26.0](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.0) | | :white_check_mark: | | | -| [v1.25.10](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.10) | | | :white_check_mark: | | -| [v1.25.9](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.9) | | | :white_check_mark: | | -| [v1.25.8](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.8) | | | :white_check_mark: | | -| [v1.25.7](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.7) | 
| | :white_check_mark: | | -| [v1.25.6](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.6) | | | :white_check_mark: | | -| [v1.25.5](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.5) | | | :white_check_mark: | | -| [v1.25.4](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.4) | | | :white_check_mark: | | -| [v1.25.3](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.3) | | | :white_check_mark: | | -| [v1.25.2](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.2) | | | :white_check_mark: | | -| [v1.25.1](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.1) | | | :white_check_mark: | | -| [v1.25.0](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.0) | | | :white_check_mark: | | -| [v1.24.1](https://github.com/sighupio/fury-distribution/releases/tag/v1.24.1) | | | | :white_check_mark: | -| [v1.24.0](https://github.com/sighupio/fury-distribution/releases/tag/v1.24.0) | | | | :white_check_mark: | +| KFD / Kubernetes Version | v1.28.X | v1.27.X | v1.26.X | 1.25.X | 1.24.X | +| ------------------------------------------------------------------------------- | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | +| [v1.28.0](https://github.com/sighupio/fury-distribution/releases/tag/v1.28.0) | :white_check_mark: | | | | | +| [v1.27.5](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.5) | | :white_check_mark: | | | | +| [v1.27.4](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.4) | | :white_check_mark: | | | | +| [v1.27.3](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.3) | | :white_check_mark: | | | | +| [v1.27.2](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.2) | | :white_check_mark: | | | | +| [v1.27.1](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.1) | | :white_check_mark: | | | | +| 
[v1.27.0](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.0) | | :white_check_mark: | | | | +| [v1.26.6](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.6) | | | :white_check_mark: | | | +| [v1.26.5](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.5) | | | :white_check_mark: | | | +| [v1.26.4](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.4) | | | :white_check_mark: | | | +| [v1.26.3](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.3) | | | :white_check_mark: | | | +| [v1.26.2](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.2) | | | :white_check_mark: | | | +| [v1.26.1](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.1) | | | :white_check_mark: | | | +| [v1.26.0](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.0) | | | :white_check_mark: | | | +| [v1.25.10](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.10) | | | | :white_check_mark: | | +| [v1.25.9](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.9) | | | | :white_check_mark: | | +| [v1.25.8](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.8) | | | | :white_check_mark: | | +| [v1.25.7](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.7) | | | | :white_check_mark: | | +| [v1.25.6](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.6) | | | | :white_check_mark: | | +| [v1.25.5](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.5) | | | | :white_check_mark: | | +| [v1.25.4](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.4) | | | | :white_check_mark: | | +| [v1.25.3](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.3) | | | | :white_check_mark: | | +| [v1.25.2](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.2) | | | | :white_check_mark: | | +| [v1.25.1](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.1) | | | | 
:white_check_mark: | | +| [v1.25.0](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.0) | | | | :white_check_mark: | | +| [v1.24.1](https://github.com/sighupio/fury-distribution/releases/tag/v1.24.1) | | | | | :white_check_mark: | +| [v1.24.0](https://github.com/sighupio/fury-distribution/releases/tag/v1.24.0) | | | | | :white_check_mark: | | Legend | Meaning | | :----------------: | ---------------- | diff --git a/docs/releases/v1.26.6.md b/docs/releases/v1.26.6.md new file mode 100644 index 00000000..b85bbeca --- /dev/null +++ b/docs/releases/v1.26.6.md 
@@ -0,0 +1,108 @@ +# Kubernetes Fury Distribution Release v1.26.6 + +Welcome to KFD release `v1.26.6`. + +The distribution is maintained with ❤ī¸ by the team [SIGHUP](https://sighup.io/) it is battle tested in production environments. + +## New Features since `v1.26.5` + +### Core Module Updates + +- [networking](https://github.com/sighupio/fury-kubernetes-networking) đŸ“Ļ core module: [**v1.16.0**](https://github.com/sighupio/fury-kubernetes-networking/releases/tag/v1.16.0) + - Updated calico to `3.27.0`. + - Updated tigera operator to `1.32.3`. + - Updated cilium to `1.15.2`. +- [monitoring](https://github.com/sighupio/fury-kubernetes-monitoring) đŸ“Ļ core module: [**v3.1.0**](https://github.com/sighupio/fury-kubernetes-monitoring/releases/tag/vTBD) + - Updated thanos to `v0.34.0`. + - Updated x509-exporter to `v3.12.0`. + - Updated mimir to `v2.11.0`. + - Updated minio-ha to `RELEASE.2024-02-09T21-25-16Z`. +- [logging](https://github.com/sighupio/fury-kubernetes-logging) đŸ“Ļ core module: [**v3.4.0**](https://github.com/sighupio/fury-kubernetes-logging/releases/tag/v3.4.0) + - Removed cerebro. + - Updated opensearch to `2.12.0`. + - Updated opensearch-dashboards to `2.12.0`. + - Updated logging-operator to `4.5.6`. +- [ingress](https://github.com/sighupio/fury-kubernetes-ingress) đŸ“Ļ core module: [**v2.3.0**](https://github.com/sighupio/fury-kubernetes-ingress/releases/tag/v2.3.0) + - Updated cert-manager to `1.14.2`. + - Updated external-dns to `0.14.0`. + - Updated forecastle to `1.0.136`. + - Updated nginx to `1.9.6`. +- [dr](https://github.com/sighupio/fury-kubernetes-dr) đŸ“Ļ core module: [**v2.3.0**](https://github.com/sighupio/fury-kubernetes-dr/releases/tag/v2.3.0) + - Updated velero to `1.13.0`. + - Updated all plugins to `1.9.0`. +- [OPA](https://github.com/sighupio/fury-kubernetes-opa) đŸ“Ļ core module: [**v1.12.0**](https://github.com/sighupio/fury-kubernetes-opa/releases/tag/v1.12.0) + - Updated gatekeeper to `3.15.1`. 
+ - Updated gatekeeper-policy-manager to `1.0.10`. + - Updated kyverno to `1.11.4`. +- [auth](https://github.com/sighupio/fury-kubernetes-auth) đŸ“Ļ core module: [**v0.2.0**](https://github.com/sighupio/fury-kubernetes-auth/releases/tag/v0.2.0) + - Updated dex to `2.38.0`. + - Updated pomerium to `0.25.0`. +- [tracing](https://github.com/sighupio/fury-kubernetes-tracing) đŸ“Ļ core module: [**v1.0.3**](https://github.com/sighupio/fury-kubernetes-tracing/releases/tag/v1.0.3) + +> Please refer the individual release notes for detailed information. + +## New features 🌟 + +This release add the following features: + +- **New Encryption Feature on ETCD**: This version introduces a feature for the OnPremises provider that allows inserting the `encryption-provider-config` parameter into the API server to enable encryption within the ETCD database. You can adjust the parameter using `.spec.kubernetes.advanced.encryption.configuration: ` (NOTE: For existing clusters, manual execution of the command `kubeadm upgrade apply --config /etc/kubernetes/kubeadm.yml` is required on all masters). An example configuration to encrypt new secrets with fallback to plaintext is: + ```yaml + apiVersion: apiserver.config.k8s.io/v1 + kind: EncryptionConfiguration + resources: + - resources: + - secrets + providers: + - aescbc: + keys: + - name: key1 + # example base64 encode of "passwordpassword" + secret: cGFzc3dvcmRwYXNzd29yZAo= + # fallback to read non encrypted secrets + - identity: {} + ``` + +- **New Encryption Parameters to Change TLS Cipher Suites in ETCD and API Server**: A new parameter to customize the TLS cipher suites available in the API server and ETCD service has been added, `.spec.kubernetes.advanced.encryption.tlsCipherSuites: ` (NOTE: For existing clusters, manual execution of the command `kubeadm upgrade apply --config /etc/kubernetes/kubeadm.yml` is required on all masters, along with a manual restart of the ETCD service). 
+- **Image Directive on CustomPatches on All Providers**: With this release, we added the possibility to customize the image using the following configuration: + ```yaml + spec: + distribution: + customPatches: + images: + - name: registry.sighup.io/fury/prometheus-operator/prometheus-operator + newName: quay.io/prometheus-operator/prometheus-operator + newTag: latest + ``` +- **Auto Role Setting on Workers for the OnPremises Provider**: Automatic labeling of worker nodes with their name in the privileged label `node-role.kubernetes.io/{{ node_role }}=` has been added. +- **Replaced Gangway with Gangplank**: We created a fork, Gangplank, of the open-source Gangway project archived by VMware. This new fork updates all dependencies and revamps the UI. +- **Additional Static Clients on DEX**: A new parameter, `additionalStaticClients`, on DEX configuration can now be configured: + ```yaml + spec: + distribution: + modules: + auth: + dex: + connectors: + - type: ldap + ... + additionalStaticClients: + - id: test + redirectURIs: + - https://argocd.test/auth/callback + - https://argocd.test/auth/login + name: 'ArgoCD Login' + secret: XXXXXX + ``` + +## Fixes + +- **Mimir Tolerations and Selectors**: Tolerations and selectors on the Mimir deployment were not being honored. +- **Mimir max_global_series_per_user to Unlimited**: We changed the default value of `max_global_series_per_user` to unlimited since Mimir, after the cluster was up and running for a while, was rejecting metrics from Prometheus. + +## Removals 🗑ī¸ + +- **Removed Cerebro**: Cerebro is an unmaintained open-source project. Due to security reasons, we decided to remove it from the logging module without replacement. + +## Upgrade procedure + +Check the [upgrade docs](https://github.com/sighupio/furyctl/tree/main/docs/upgrades/kfd) for the detailed procedure. diff --git a/docs/releases/v1.27.5.md b/docs/releases/v1.27.5.md new file mode 100644 index 00000000..e54dda6f --- /dev/null 
+++ b/docs/releases/v1.27.5.md 
@@ -0,0 +1,108 @@ +# Kubernetes Fury Distribution Release v1.27.5 + +Welcome to KFD release `v1.27.5`. + +The distribution is maintained with ❤ī¸ by the team [SIGHUP](https://sighup.io/) it is battle tested in production environments. + +## New Features since `v1.27.4` + +### Core Module Updates + +- [networking](https://github.com/sighupio/fury-kubernetes-networking) đŸ“Ļ core module: [**v1.16.0**](https://github.com/sighupio/fury-kubernetes-networking/releases/tag/v1.16.0) + - Updated calico to `3.27.0`. + - Updated tigera operator to `1.32.3`. + - Updated cilium to `1.15.2`. +- [monitoring](https://github.com/sighupio/fury-kubernetes-monitoring) đŸ“Ļ core module: [**v3.1.0**](https://github.com/sighupio/fury-kubernetes-monitoring/releases/tag/vTBD) + - Updated thanos to `v0.34.0`. + - Updated x509-exporter to `v3.12.0`. + - Updated mimir to `v2.11.0`. + - Updated minio-ha to `RELEASE.2024-02-09T21-25-16Z`. +- [logging](https://github.com/sighupio/fury-kubernetes-logging) đŸ“Ļ core module: [**v3.4.0**](https://github.com/sighupio/fury-kubernetes-logging/releases/tag/v3.4.0) + - Removed cerebro. + - Updated opensearch to `2.12.0`. + - Updated opensearch-dashboards to `2.12.0`. + - Updated logging-operator to `4.5.6`. +- [ingress](https://github.com/sighupio/fury-kubernetes-ingress) đŸ“Ļ core module: [**v2.3.0**](https://github.com/sighupio/fury-kubernetes-ingress/releases/tag/v2.3.0) + - Updated cert-manager to `1.14.2`. + - Updated external-dns to `0.14.0`. + - Updated forecastle to `1.0.136`. + - Updated nginx to `1.9.6`. +- [dr](https://github.com/sighupio/fury-kubernetes-dr) đŸ“Ļ core module: [**v2.3.0**](https://github.com/sighupio/fury-kubernetes-dr/releases/tag/v2.3.0) + - Updated velero to `1.13.0`. + - Updated all plugins to `1.9.0`. +- [OPA](https://github.com/sighupio/fury-kubernetes-opa) đŸ“Ļ core module: [**v1.12.0**](https://github.com/sighupio/fury-kubernetes-opa/releases/tag/v1.12.0) + - Updated gatekeeper to `3.15.1`. 
+ - Updated gatekeeper-policy-manager to `1.0.10`. + - Updated kyverno to `1.11.4`. +- [auth](https://github.com/sighupio/fury-kubernetes-auth) đŸ“Ļ core module: [**v0.2.0**](https://github.com/sighupio/fury-kubernetes-auth/releases/tag/v0.2.0) + - Updated dex to `2.38.0`. + - Updated pomerium to `0.25.0`. +- [tracing](https://github.com/sighupio/fury-kubernetes-tracing) đŸ“Ļ core module: [**v1.0.3**](https://github.com/sighupio/fury-kubernetes-tracing/releases/tag/v1.0.3) + +> Please refer the individual release notes for detailed information. + +## New features 🌟 + +This release add the following features: + +- **New Encryption Feature on ETCD**: This version introduces a feature for the OnPremises provider that allows inserting the `encryption-provider-config` parameter into the API server to enable encryption within the ETCD database. You can adjust the parameter using `.spec.kubernetes.advanced.encryption.configuration: ` (NOTE: For existing clusters, manual execution of the command `kubeadm upgrade apply --config /etc/kubernetes/kubeadm.yml` is required on all masters). An example configuration to encrypt new secrets with fallback to plaintext is: + ```yaml + apiVersion: apiserver.config.k8s.io/v1 + kind: EncryptionConfiguration + resources: + - resources: + - secrets + providers: + - aescbc: + keys: + - name: key1 + # example base64 encode of "passwordpassword" + secret: cGFzc3dvcmRwYXNzd29yZAo= + # fallback to read non encrypted secrets + - identity: {} + ``` + +- **New Encryption Parameters to Change TLS Cipher Suites in ETCD and API Server**: A new parameter to customize the TLS cipher suites available in the API server and ETCD service has been added, `.spec.kubernetes.advanced.encryption.tlsCipherSuites: ` (NOTE: For existing clusters, manual execution of the command `kubeadm upgrade apply --config /etc/kubernetes/kubeadm.yml` is required on all masters, along with a manual restart of the ETCD service). 
+- **Image Directive on CustomPatches on All Providers**: With this release, we added the possibility to customize the image using the following configuration: + ```yaml + spec: + distribution: + customPatches: + images: + - name: registry.sighup.io/fury/prometheus-operator/prometheus-operator + newName: quay.io/prometheus-operator/prometheus-operator + newTag: latest + ``` +- **Auto Role Setting on Workers for the OnPremises Provider**: Automatic labeling of worker nodes with their name in the privileged label `node-role.kubernetes.io/{{ node_role }}=` has been added. +- **Replaced Gangway with Gangplank**: We created a fork, Gangplank, of the open-source Gangway project archived by VMware. This new fork updates all dependencies and revamps the UI. +- **Additional Static Clients on DEX**: A new parameter, `additionalStaticClients`, on DEX configuration can now be configured: + ```yaml + spec: + distribution: + modules: + auth: + dex: + connectors: + - type: ldap + ... + additionalStaticClients: + - id: test + redirectURIs: + - https://argocd.test/auth/callback + - https://argocd.test/auth/login + name: 'ArgoCD Login' + secret: XXXXXX + ``` + +## Fixes + +- **Mimir Tolerations and Selectors**: Tolerations and selectors on the Mimir deployment were not being honored. +- **Mimir max_global_series_per_user to Unlimited**: We changed the default value of `max_global_series_per_user` to unlimited since Mimir, after the cluster was up and running for a while, was rejecting metrics from Prometheus. + +## Removals 🗑ī¸ + +- **Removed Cerebro**: Cerebro is an unmaintained open-source project. Due to security reasons, we decided to remove it from the logging module without replacement. + +## Upgrade procedure + +Check the [upgrade docs](https://github.com/sighupio/furyctl/tree/main/docs/upgrades/kfd) for the detailed procedure. diff --git a/docs/releases/v1.28.0.md b/docs/releases/v1.28.0.md new file mode 100644 index 00000000..4ec17a42 --- /dev/null 
+++ b/docs/releases/v1.28.0.md 
@@ -0,0 +1,110 @@ +# Kubernetes Fury Distribution Release v1.28.0 + +Welcome to KFD release `v1.28.0`. + +The distribution is maintained with ❤ī¸ by the team [SIGHUP](https://sighup.io/) it is battle tested in production environments. + +This release adds compatibility with Kubernetes 1.28. + +## New Features since `v1.27.4` + +### Core Module Updates + +- [networking](https://github.com/sighupio/fury-kubernetes-networking) đŸ“Ļ core module: [**v1.16.0**](https://github.com/sighupio/fury-kubernetes-networking/releases/tag/v1.16.0) + - Updated calico to `3.27.0`. + - Updated tigera operator to `1.32.3`. + - Updated cilium to `1.15.2`. +- [monitoring](https://github.com/sighupio/fury-kubernetes-monitoring) đŸ“Ļ core module: [**v3.1.0**](https://github.com/sighupio/fury-kubernetes-monitoring/releases/tag/vTBD) + - Updated thanos to `v0.34.0`. + - Updated x509-exporter to `v3.12.0`. + - Updated mimir to `v2.11.0`. + - Updated minio-ha to `RELEASE.2024-02-09T21-25-16Z`. +- [logging](https://github.com/sighupio/fury-kubernetes-logging) đŸ“Ļ core module: [**v3.4.0**](https://github.com/sighupio/fury-kubernetes-logging/releases/tag/v3.4.0) + - Removed cerebro. + - Updated opensearch to `2.12.0`. + - Updated opensearch-dashboards to `2.12.0`. + - Updated logging-operator to `4.5.6`. +- [ingress](https://github.com/sighupio/fury-kubernetes-ingress) đŸ“Ļ core module: [**v2.3.0**](https://github.com/sighupio/fury-kubernetes-ingress/releases/tag/v2.3.0) + - Updated cert-manager to `1.14.2`. + - Updated external-dns to `0.14.0`. + - Updated forecastle to `1.0.136`. + - Updated nginx to `1.9.6`. +- [dr](https://github.com/sighupio/fury-kubernetes-dr) đŸ“Ļ core module: [**v2.3.0**](https://github.com/sighupio/fury-kubernetes-dr/releases/tag/v2.3.0) + - Updated velero to `1.13.0`. + - Updated all plugins to `1.9.0`. 
+- [OPA](https://github.com/sighupio/fury-kubernetes-opa) đŸ“Ļ core module: [**v1.12.0**](https://github.com/sighupio/fury-kubernetes-opa/releases/tag/v1.12.0) + - Updated gatekeeper to `3.15.1`. + - Updated gatekeeper-policy-manager to `1.0.10`. + - Updated kyverno to `1.11.4`. +- [auth](https://github.com/sighupio/fury-kubernetes-auth) đŸ“Ļ core module: [**v0.2.0**](https://github.com/sighupio/fury-kubernetes-auth/releases/tag/v0.2.0) + - Updated dex to `2.38.0`. + - Updated pomerium to `0.25.0`. +- [tracing](https://github.com/sighupio/fury-kubernetes-tracing) đŸ“Ļ core module: [**v1.0.3**](https://github.com/sighupio/fury-kubernetes-tracing/releases/tag/v1.0.3) + +> Please refer the individual release notes for detailed information. + +## New features 🌟 + +This release add the following features: + +- **New Encryption Feature on ETCD**: This version introduces a feature for the OnPremises provider that allows inserting the `encryption-provider-config` parameter into the API server to enable encryption within the ETCD database. You can adjust the parameter using `.spec.kubernetes.advanced.encryption.configuration: ` (NOTE: For existing clusters, manual execution of the command `kubeadm upgrade apply --config /etc/kubernetes/kubeadm.yml` is required on all masters). 
An example configuration to encrypt new secrets with fallback to plaintext is: + ```yaml + apiVersion: apiserver.config.k8s.io/v1 + kind: EncryptionConfiguration + resources: + - resources: + - secrets + providers: + - aescbc: + keys: + - name: key1 + # example base64 encode of "passwordpassword" + secret: cGFzc3dvcmRwYXNzd29yZAo= + # fallback to read non encrypted secrets + - identity: {} + ``` + +- **New Encryption Parameters to Change TLS Cipher Suites in ETCD and API Server**: A new parameter to customize the TLS cipher suites available in the API server and ETCD service has been added, `.spec.kubernetes.advanced.encryption.tlsCipherSuites: ` (NOTE: For existing clusters, manual execution of the command `kubeadm upgrade apply --config /etc/kubernetes/kubeadm.yml` is required on all masters, along with a manual restart of the ETCD service). +- **Image Directive on CustomPatches on All Providers**: With this release, we added the possibility to customize the image using the following configuration: + ```yaml + spec: + distribution: + customPatches: + images: + - name: registry.sighup.io/fury/prometheus-operator/prometheus-operator + newName: quay.io/prometheus-operator/prometheus-operator + newTag: latest + ``` +- **Auto Role Setting on Workers for the OnPremises Provider**: Automatic labeling of worker nodes with their name in the privileged label `node-role.kubernetes.io/{{ node_role }}=` has been added. +- **Replaced Gangway with Gangplank**: We created a fork, Gangplank, of the open-source Gangway project archived by VMware. This new fork updates all dependencies and revamps the UI. +- **Additional Static Clients on DEX**: A new parameter, `additionalStaticClients`, on DEX configuration can now be configured: + ```yaml + spec: + distribution: + modules: + auth: + dex: + connectors: + - type: ldap + ... 
+ additionalStaticClients: + - id: test + redirectURIs: + - https://argocd.test/auth/callback + - https://argocd.test/auth/login + name: 'ArgoCD Login' + secret: XXXXXX + ``` + +## Fixes + +- **Mimir Tolerations and Selectors**: Tolerations and selectors on the Mimir deployment were not being honored. +- **Mimir max_global_series_per_user to Unlimited**: We changed the default value of `max_global_series_per_user` to unlimited since Mimir, after the cluster was up and running for a while, was rejecting metrics from Prometheus. + +## Removals 🗑ī¸ + +- **Removed Cerebro**: Cerebro is an unmaintained open-source project. Due to security reasons, we decided to remove it from the logging module without replacement. + +## Upgrade procedure + +Check the [upgrade docs](https://github.com/sighupio/furyctl/tree/main/docs/upgrades/kfd) for the detailed procedure. diff --git a/docs/schemas/ekscluster-kfd-v1alpha2.md b/docs/schemas/ekscluster-kfd-v1alpha2.md index 75245c93..46848712 100644 --- a/docs/schemas/ekscluster-kfd-v1alpha2.md +++ b/docs/schemas/ekscluster-kfd-v1alpha2.md @@ -5285,6 +5285,7 @@ The password for the minio root user | [secretGenerator](#specdistributioncustompatchessecretgenerator) | `array` | Optional | | [patches](#specdistributioncustompatchespatches) | `array` | Optional | | [patchesStrategicMerge](#specdistributioncustompatchespatchesstrategicmerge) | `array` | Optional | +| [images](#specdistributioncustompatchesimages) | `array` | Optional | ## .spec.distribution.customPatches.configMapGenerator 
@@ -5385,13 +5386,10 @@ The annotations of the configmap ### Properties -### Properties - -Elements can be either `string` or: - | Property | Type | Required | |:--------------------------------------------------------------------|:---------|:---------| | [name](#specdistributioncustompatchessecretgeneratorname) | `string` | Required | +| [type](#specdistributioncustompatchessecretgeneratortype) | `string` | Optional | | [behavior](#specdistributioncustompatchessecretgeneratorbehavior) | `string` | Optional | | [files](#specdistributioncustompatchessecretgeneratorfiles) | `array` | Optional | | [envs](#specdistributioncustompatchessecretgeneratorenvs) | `array` | Optional | @@ -5405,6 +5403,12 @@ Elements can be either `string` or: The name of the secret +## .spec.distribution.customPatches.secretGenerator.type + +### Description + +The type of the secret + ## .spec.distribution.customPatches.secretGenerator.behavior ### Description @@ -5587,3 +5591,9 @@ The patch ### Description Each entry should be either a relative file path or an inline content resolving to a partial or complete resource definition + +## .spec.distribution.customPatches.images + +### Description + +Each entry should follow the format of Kustomize's images patch diff --git a/docs/schemas/kfddistribution-kfd-v1alpha2.md b/docs/schemas/kfddistribution-kfd-v1alpha2.md index 6d9d8586..686a2105 100644 --- a/docs/schemas/kfddistribution-kfd-v1alpha2.md +++ b/docs/schemas/kfddistribution-kfd-v1alpha2.md @@ -3785,6 +3785,7 @@ The password for the minio root user | [secretGenerator](#specdistributioncustompatchessecretgenerator) | `array` | Optional | | [patches](#specdistributioncustompatchespatches) | `array` | Optional | | [patchesStrategicMerge](#specdistributioncustompatchespatchesstrategicmerge) | `array` | Optional | +| [images](#specdistributioncustompatchesimages) | `array` | Optional | ## .spec.distribution.customPatches.configMapGenerator 
@@ -3885,13 +3886,10 @@ The annotations of the configmap ### Properties -### Properties - -Elements can be either `string` or: - | Property | Type | Required | |:--------------------------------------------------------------------|:---------|:---------| | [name](#specdistributioncustompatchessecretgeneratorname) | `string` | Required | +| [type](#specdistributioncustompatchessecretgeneratortype) | `string` | Optional | | [behavior](#specdistributioncustompatchessecretgeneratorbehavior) | `string` | Optional | | [files](#specdistributioncustompatchessecretgeneratorfiles) | `array` | Optional | | [envs](#specdistributioncustompatchessecretgeneratorenvs) | `array` | Optional | @@ -3905,6 +3903,12 @@ Elements can be either `string` or: The name of the secret +## .spec.distribution.customPatches.secretGenerator.type + +### Description + +The type of the secret + ## .spec.distribution.customPatches.secretGenerator.behavior ### Description @@ -4087,3 +4091,9 @@ The patch ### Description Each entry should be either a relative file path or an inline content resolving to a partial or complete resource definition + +## .spec.distribution.customPatches.images + +### Description + +Each entry should follow the format of Kustomize's images patch diff --git a/docs/schemas/onpremises-kfd-v1alpha2.md b/docs/schemas/onpremises-kfd-v1alpha2.md index d662101b..61384a35 100644 --- a/docs/schemas/onpremises-kfd-v1alpha2.md +++ b/docs/schemas/onpremises-kfd-v1alpha2.md @@ -3864,6 +3864,7 @@ The password for the minio root user | [secretGenerator](#specdistributioncustompatchessecretgenerator) | `array` | Optional | | [patches](#specdistributioncustompatchespatches) | `array` | Optional | | [patchesStrategicMerge](#specdistributioncustompatchespatchesstrategicmerge) | `array` | Optional | +| [images](#specdistributioncustompatchesimages) | `array` | Optional | ## .spec.distribution.customPatches.configMapGenerator 
@@ -3964,13 +3965,10 @@ The annotations of the configmap ### Properties -### Properties - -Elements can be either `string` or: - | Property | Type | Required | |:--------------------------------------------------------------------|:---------|:---------| | [name](#specdistributioncustompatchessecretgeneratorname) | `string` | Required | +| [type](#specdistributioncustompatchessecretgeneratortype) | `string` | Optional | | [behavior](#specdistributioncustompatchessecretgeneratorbehavior) | `string` | Optional | | [files](#specdistributioncustompatchessecretgeneratorfiles) | `array` | Optional | | [envs](#specdistributioncustompatchessecretgeneratorenvs) | `array` | Optional | @@ -3984,6 +3982,12 @@ Elements can be either `string` or: The name of the secret +## .spec.distribution.customPatches.secretGenerator.type + +### Description + +The type of the secret + ## .spec.distribution.customPatches.secretGenerator.behavior ### Description @@ -4167,6 +4171,12 @@ The patch Each entry should be either a relative file path or an inline content resolving to a partial or complete resource definition +## .spec.distribution.customPatches.images + +### Description + +Each entry should follow the format of Kustomize's images patch + ## .spec.kubernetes ### Properties @@ -4530,6 +4540,7 @@ The effect of the taint | [users](#speckubernetesadvancedusers) | `object` | Optional | | [oidc](#speckubernetesadvancedoidc) | `object` | Optional | | [containerd](#speckubernetesadvancedcontainerd) | `object` | Optional | +| [encryption](#speckubernetesadvancedencryption) | `object` | Optional | ## .spec.kubernetes.advanced.cloud 
@@ -4652,6 +4663,27 @@ If true, the registry config will skip tls verification The mirror endpoint of the registry config +## .spec.kubernetes.advanced.encryption + +### Properties + +| Property | Type | Required | +|:-------------------------------------------------------------------------|:---------|:---------| +| [tlsCipherSuites](#speckubernetesadvancedencryptiontlsciphersuites) | `array` | Optional | +| [configuration](#speckubernetesadvancedencryptionconfiguration) | `string` | Optional | + +## .spec.kubernetes.advanced.encryption.tlsCipherSuites + +### Description + +The tls cipher suites to use + +## .spec.kubernetes.advanced.encryption.configuration + +### Description + +The configuration to use + ## .spec.plugins ### Properties diff --git a/kfd.yaml b/kfd.yaml index 34f4a0a9..9db752d5 100644 --- a/kfd.yaml +++ b/kfd.yaml @@ -2,24 +2,24 @@ # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. -version: v1.27.4 +version: v1.28.0 modules: - auth: v0.1.0 - aws: v4.1.0 - dr: v2.2.0 - ingress: v2.2.0 - logging: v3.3.1 - monitoring: v3.0.1 - opa: v1.11.1 - networking: v1.15.0 - tracing: v1.0.2 + auth: v0.2.0 + aws: v4.2.0 + dr: v2.3.0 + ingress: v2.3.0 + logging: v3.4.0 + monitoring: v3.1.0 + opa: v1.12.0 + networking: v1.16.0 + tracing: v1.0.3 kubernetes: eks: - version: 1.27 + version: 1.28 installer: v3.1.1 onpremises: - version: 1.27.6 - installer: v1.28.7 + version: 1.28.7 + installer: v1.28.7-rev.1 furyctlSchemas: eks: - apiVersion: kfd.sighup.io/v1alpha2 @@ -35,7 +35,7 @@ tools: furyagent: version: 0.4.0 kubectl: - version: 1.27.6 + version: 1.28.7 kustomize: version: 3.10.0 terraform: diff --git a/kustomization.yaml b/kustomization.yaml index f68af1a6..efe55acd 100644 --- a/kustomization.yaml +++ b/kustomization.yaml 
@@ -29,7 +29,6 @@ resources: # Logging - ./vendor/katalog/logging/opensearch-single - ./vendor/katalog/logging/opensearch-dashboards - - ./vendor/katalog/logging/cerebro - ./vendor/katalog/logging/logging-operator - ./vendor/katalog/logging/logging-operated - ./vendor/katalog/logging/minio-ha diff --git a/pkg/apis/ekscluster/v1alpha2/private/schema.go b/pkg/apis/ekscluster/v1alpha2/private/schema.go index a704dd78..56a95346 100644 --- a/pkg/apis/ekscluster/v1alpha2/private/schema.go +++ b/pkg/apis/ekscluster/v1alpha2/private/schema.go @@ -1,4 +1,4 @@ -// Code generated by github.com/atombender/go-jsonschema, DO NOT EDIT. +// Code generated by github.com/sighupio/go-jsonschema, DO NOT EDIT. package private diff --git a/pkg/apis/ekscluster/v1alpha2/public/schema.go b/pkg/apis/ekscluster/v1alpha2/public/schema.go index ea3a73fb..6734a796 100644 --- a/pkg/apis/ekscluster/v1alpha2/public/schema.go +++ b/pkg/apis/ekscluster/v1alpha2/public/schema.go @@ -1,4 +1,4 @@ -// Code generated by github.com/atombender/go-jsonschema, DO NOT EDIT. +// Code generated by github.com/sighupio/go-jsonschema, DO NOT EDIT. package public diff --git a/pkg/apis/kfddistribution/v1alpha2/public/schema.go b/pkg/apis/kfddistribution/v1alpha2/public/schema.go index 30efa2ef..89224f09 100644 --- a/pkg/apis/kfddistribution/v1alpha2/public/schema.go +++ b/pkg/apis/kfddistribution/v1alpha2/public/schema.go @@ -1,4 +1,4 @@ -// Code generated by github.com/atombender/go-jsonschema, DO NOT EDIT. +// Code generated by github.com/sighupio/go-jsonschema, DO NOT EDIT. package public diff --git a/pkg/apis/onpremises/v1alpha2/public/schema.go b/pkg/apis/onpremises/v1alpha2/public/schema.go index c99c0c59..fd0f1819 100644 --- a/pkg/apis/onpremises/v1alpha2/public/schema.go +++ b/pkg/apis/onpremises/v1alpha2/public/schema.go @@ -1,4 +1,4 @@ -// Code generated by github.com/atombender/go-jsonschema, DO NOT EDIT. +// Code generated by github.com/sighupio/go-jsonschema, DO NOT EDIT. package public 
@@ -1049,6 +1049,9 @@ type SpecKubernetesAdvanced struct { // Containerd corresponds to the JSON schema field "containerd". Containerd *SpecKubernetesAdvancedContainerd `json:"containerd,omitempty" yaml:"containerd,omitempty" mapstructure:"containerd,omitempty"` + // Encryption corresponds to the JSON schema field "encryption". + Encryption *SpecKubernetesAdvancedEncryption `json:"encryption,omitempty" yaml:"encryption,omitempty" mapstructure:"encryption,omitempty"` + // Oidc corresponds to the JSON schema field "oidc". Oidc *SpecKubernetesAdvancedOIDC `json:"oidc,omitempty" yaml:"oidc,omitempty" mapstructure:"oidc,omitempty"` @@ -1086,6 +1089,14 @@ type SpecKubernetesAdvancedContainerdRegistryConfigs []struct { Username *string `json:"username,omitempty" yaml:"username,omitempty" mapstructure:"username,omitempty"` } +type SpecKubernetesAdvancedEncryption struct { + // Configuration corresponds to the JSON schema field "configuration". + Configuration *string `json:"configuration,omitempty" yaml:"configuration,omitempty" mapstructure:"configuration,omitempty"` + + // TlsCipherSuites corresponds to the JSON schema field "tlsCipherSuites". + TlsCipherSuites []string `json:"tlsCipherSuites,omitempty" yaml:"tlsCipherSuites,omitempty" mapstructure:"tlsCipherSuites,omitempty"` +} + type SpecKubernetesAdvancedOIDC struct { // CaFile corresponds to the JSON schema field "ca_file". CaFile *string `json:"ca_file,omitempty" yaml:"ca_file,omitempty" mapstructure:"ca_file,omitempty"` 
@@ -1402,27 +1413,6 @@ func (j *SpecKubernetesLoadBalancersStats) UnmarshalJSON(b []byte) error { return nil } -// UnmarshalJSON implements json.Unmarshaler. -func (j *SpecDistributionModulesPolicyGatekeeper) UnmarshalJSON(b []byte) error { - var raw map[string]interface{} - if err := json.Unmarshal(b, &raw); err != nil { - return err - } - if v, ok := raw["enforcementAction"]; !ok || v == nil { - return fmt.Errorf("field enforcementAction in SpecDistributionModulesPolicyGatekeeper: required") - } - if v, ok := raw["installDefaultPolicies"]; !ok || v == nil { - return fmt.Errorf("field installDefaultPolicies in SpecDistributionModulesPolicyGatekeeper: required") - } - type Plain SpecDistributionModulesPolicyGatekeeper - var plain Plain - if err := json.Unmarshal(b, &plain); err != nil { - return err - } - *j = SpecDistributionModulesPolicyGatekeeper(plain) - return nil -} - // UnmarshalJSON implements json.Unmarshaler. func (j *SpecDistributionCustomPatchesSecretGeneratorResource) UnmarshalJSON(b []byte) error { var raw map[string]interface{} 
@@ -1532,20 +1522,20 @@ func (j *SpecDistributionModulesPolicyKyverno) UnmarshalJSON(b []byte) error { } // UnmarshalJSON implements json.Unmarshaler. -func (j *SpecDistributionModulesAuthOIDCKubernetesAuth) UnmarshalJSON(b []byte) error { +func (j *SpecDistributionModulesAuthDex) UnmarshalJSON(b []byte) error { var raw map[string]interface{} if err := json.Unmarshal(b, &raw); err != nil { return err } - if v, ok := raw["enabled"]; !ok || v == nil { - return fmt.Errorf("field enabled in SpecDistributionModulesAuthOIDCKubernetesAuth: required") + if v, ok := raw["connectors"]; !ok || v == nil { + return fmt.Errorf("field connectors in SpecDistributionModulesAuthDex: required") } - type Plain SpecDistributionModulesAuthOIDCKubernetesAuth + type Plain SpecDistributionModulesAuthDex var plain Plain if err := json.Unmarshal(b, &plain); err != nil { return err } - *j = SpecDistributionModulesAuthOIDCKubernetesAuth(plain) + *j = SpecDistributionModulesAuthDex(plain) return nil } 
@@ -1626,23 +1616,20 @@ func (j *TypesKubeToleration) UnmarshalJSON(b []byte) error { } // UnmarshalJSON implements json.Unmarshaler. -func (j *SpecDistributionModulesAuthOverridesIngress) UnmarshalJSON(b []byte) error { +func (j *SpecDistributionModulesAuthOIDCKubernetesAuth) UnmarshalJSON(b []byte) error { var raw map[string]interface{} if err := json.Unmarshal(b, &raw); err != nil { return err } - if v, ok := raw["host"]; !ok || v == nil { - return fmt.Errorf("field host in SpecDistributionModulesAuthOverridesIngress: required") - } - if v, ok := raw["ingressClass"]; !ok || v == nil { - return fmt.Errorf("field ingressClass in SpecDistributionModulesAuthOverridesIngress: required") + if v, ok := raw["enabled"]; !ok || v == nil { + return fmt.Errorf("field enabled in SpecDistributionModulesAuthOIDCKubernetesAuth: required") } - type Plain SpecDistributionModulesAuthOverridesIngress + type Plain SpecDistributionModulesAuthOIDCKubernetesAuth var plain Plain if err := json.Unmarshal(b, &plain); err != nil { return err } - *j = SpecDistributionModulesAuthOverridesIngress(plain) + *j = SpecDistributionModulesAuthOIDCKubernetesAuth(plain) return nil } 
@@ -1739,6 +1726,27 @@ func (j *SpecDistributionModulesLoggingOpensearchType) UnmarshalJSON(b []byte) e return nil } +// UnmarshalJSON implements json.Unmarshaler. +func (j *SpecDistributionModulesAuthOverridesIngress) UnmarshalJSON(b []byte) error { + var raw map[string]interface{} + if err := json.Unmarshal(b, &raw); err != nil { + return err + } + if v, ok := raw["host"]; !ok || v == nil { + return fmt.Errorf("field host in SpecDistributionModulesAuthOverridesIngress: required") + } + if v, ok := raw["ingressClass"]; !ok || v == nil { + return fmt.Errorf("field ingressClass in SpecDistributionModulesAuthOverridesIngress: required") + } + type Plain SpecDistributionModulesAuthOverridesIngress + var plain Plain + if err := json.Unmarshal(b, &plain); err != nil { + return err + } + *j = SpecDistributionModulesAuthOverridesIngress(plain) + return nil +} + // UnmarshalJSON implements json.Unmarshaler. func (j *SpecDistributionModulesPolicyGatekeeperEnforcementAction) UnmarshalJSON(b []byte) error { var v string 
@@ -1765,30 +1773,6 @@ var enumValues_SpecDistributionModulesPolicyGatekeeperEnforcementAction = []inte "warn", } -// UnmarshalJSON implements json.Unmarshaler. -func (j *SpecDistributionModulesAuthPomeriumSecrets) UnmarshalJSON(b []byte) error { - var raw map[string]interface{} - if err := json.Unmarshal(b, &raw); err != nil { - return err - } - if v, ok := raw["COOKIE_SECRET"]; !ok || v == nil { - return fmt.Errorf("field COOKIE_SECRET in SpecDistributionModulesAuthPomeriumSecrets: required") - } - if v, ok := raw["IDP_CLIENT_SECRET"]; !ok || v == nil { - return fmt.Errorf("field IDP_CLIENT_SECRET in SpecDistributionModulesAuthPomeriumSecrets: required") - } - if v, ok := raw["SHARED_SECRET"]; !ok || v == nil { - return fmt.Errorf("field SHARED_SECRET in SpecDistributionModulesAuthPomeriumSecrets: required") - } - type Plain SpecDistributionModulesAuthPomeriumSecrets - var plain Plain - if err := json.Unmarshal(b, &plain); err != nil { - return err - } - *j = SpecDistributionModulesAuthPomeriumSecrets(plain) - return nil -} - var enumValues_SpecDistributionModulesTracingType = []interface{}{ "none", "tempo", 
@@ -1815,62 +1799,65 @@ func (j *SpecDistributionModulesTracingType) UnmarshalJSON(b []byte) error { } // UnmarshalJSON implements json.Unmarshaler. -func (j *SpecDistributionModulesNetworking) UnmarshalJSON(b []byte) error { +func (j *SpecDistributionModulesAuthPomeriumSecrets) UnmarshalJSON(b []byte) error { var raw map[string]interface{} if err := json.Unmarshal(b, &raw); err != nil { return err } - if v, ok := raw["type"]; !ok || v == nil { - return fmt.Errorf("field type in SpecDistributionModulesNetworking: required") + if v, ok := raw["COOKIE_SECRET"]; !ok || v == nil { + return fmt.Errorf("field COOKIE_SECRET in SpecDistributionModulesAuthPomeriumSecrets: required") } - type Plain SpecDistributionModulesNetworking + if v, ok := raw["IDP_CLIENT_SECRET"]; !ok || v == nil { + return fmt.Errorf("field IDP_CLIENT_SECRET in SpecDistributionModulesAuthPomeriumSecrets: required") + } + if v, ok := raw["SHARED_SECRET"]; !ok || v == nil { + return fmt.Errorf("field SHARED_SECRET in SpecDistributionModulesAuthPomeriumSecrets: required") + } + type Plain SpecDistributionModulesAuthPomeriumSecrets var plain Plain if err := json.Unmarshal(b, &plain); err != nil { return err } - *j = SpecDistributionModulesNetworking(plain) + *j = SpecDistributionModulesAuthPomeriumSecrets(plain) return nil } // UnmarshalJSON implements json.Unmarshaler. 
-func (j *SpecDistributionModulesAuthPomerium) UnmarshalJSON(b []byte) error { +func (j *SpecDistributionModulesNetworking) UnmarshalJSON(b []byte) error { var raw map[string]interface{} if err := json.Unmarshal(b, &raw); err != nil { return err } - if v, ok := raw["policy"]; !ok || v == nil { - return fmt.Errorf("field policy in SpecDistributionModulesAuthPomerium: required") - } - if v, ok := raw["secrets"]; !ok || v == nil { - return fmt.Errorf("field secrets in SpecDistributionModulesAuthPomerium: required") + if v, ok := raw["type"]; !ok || v == nil { + return fmt.Errorf("field type in SpecDistributionModulesNetworking: required") } - type Plain SpecDistributionModulesAuthPomerium + type Plain SpecDistributionModulesNetworking var plain Plain if err := json.Unmarshal(b, &plain); err != nil { return err } - *j = SpecDistributionModulesAuthPomerium(plain) + *j = SpecDistributionModulesNetworking(plain) return nil } // UnmarshalJSON implements json.Unmarshaler. -func (j *SpecDistributionModulesAuthProviderBasicAuth) UnmarshalJSON(b []byte) error { +func (j *SpecDistributionModulesAuthPomerium) UnmarshalJSON(b []byte) error { var raw map[string]interface{} if err := json.Unmarshal(b, &raw); err != nil { return err } - if v, ok := raw["password"]; !ok || v == nil { - return fmt.Errorf("field password in SpecDistributionModulesAuthProviderBasicAuth: required") + if v, ok := raw["policy"]; !ok || v == nil { + return fmt.Errorf("field policy in SpecDistributionModulesAuthPomerium: required") } - if v, ok := raw["username"]; !ok || v == nil { - return fmt.Errorf("field username in SpecDistributionModulesAuthProviderBasicAuth: required") + if v, ok := raw["secrets"]; !ok || v == nil { + return fmt.Errorf("field secrets in SpecDistributionModulesAuthPomerium: required") } - type Plain SpecDistributionModulesAuthProviderBasicAuth + type Plain SpecDistributionModulesAuthPomerium var plain Plain if err := json.Unmarshal(b, &plain); err != nil { return err } - *j = 
SpecDistributionModulesAuthProviderBasicAuth(plain) + *j = SpecDistributionModulesAuthPomerium(plain) return nil } @@ -1963,6 +1950,27 @@ func (j *SpecDistribution) UnmarshalJSON(b []byte) error { return nil } +// UnmarshalJSON implements json.Unmarshaler. +func (j *SpecDistributionModulesAuthProviderBasicAuth) UnmarshalJSON(b []byte) error { + var raw map[string]interface{} + if err := json.Unmarshal(b, &raw); err != nil { + return err + } + if v, ok := raw["password"]; !ok || v == nil { + return fmt.Errorf("field password in SpecDistributionModulesAuthProviderBasicAuth: required") + } + if v, ok := raw["username"]; !ok || v == nil { + return fmt.Errorf("field username in SpecDistributionModulesAuthProviderBasicAuth: required") + } + type Plain SpecDistributionModulesAuthProviderBasicAuth + var plain Plain + if err := json.Unmarshal(b, &plain); err != nil { + return err + } + *j = SpecDistributionModulesAuthProviderBasicAuth(plain) + return nil +} + var enumValues_SpecDistributionModulesAuthProviderType = []interface{}{ "none", "basicAuth", 
@@ -2133,20 +2141,23 @@ func (j *SpecDistributionModulesDrType) UnmarshalJSON(b []byte) error { } // UnmarshalJSON implements json.Unmarshaler. -func (j *SpecDistributionModulesAuthDex) UnmarshalJSON(b []byte) error { +func (j *SpecDistributionModulesPolicyGatekeeper) UnmarshalJSON(b []byte) error { var raw map[string]interface{} if err := json.Unmarshal(b, &raw); err != nil { return err } - if v, ok := raw["connectors"]; !ok || v == nil { - return fmt.Errorf("field connectors in SpecDistributionModulesAuthDex: required") + if v, ok := raw["enforcementAction"]; !ok || v == nil { + return fmt.Errorf("field enforcementAction in SpecDistributionModulesPolicyGatekeeper: required") } - type Plain SpecDistributionModulesAuthDex + if v, ok := raw["installDefaultPolicies"]; !ok || v == nil { + return fmt.Errorf("field installDefaultPolicies in SpecDistributionModulesPolicyGatekeeper: required") + } + type Plain SpecDistributionModulesPolicyGatekeeper var plain Plain if err := json.Unmarshal(b, &plain); err != nil { return err } - *j = SpecDistributionModulesAuthDex(plain) + *j = SpecDistributionModulesPolicyGatekeeper(plain) return nil } diff --git a/rules/ekscluster-kfd-v1alpha2.yaml b/rules/ekscluster-kfd-v1alpha2.yaml index ff1095bb..040138e8 100644 --- a/rules/ekscluster-kfd-v1alpha2.yaml +++ b/rules/ekscluster-kfd-v1alpha2.yaml @@ -26,7 +26,7 @@ distribution: - path: .spec.distribution.modules.policy.type immutable: false description: "changes to the policy module type have been detected. This will cause the reconfiguration or deletion of the current policy stack." - safe: + safe: - from: none unsupported: - to: gatekeeper @@ -59,7 +59,7 @@ distribution: - path: .spec.distribution.modules.tracing.type immutable: false description: "changes to the tracing module type have been detected. This will cause the replacement of the current tracing stack (removal or creation)." - safe: + safe: - from: none reducers: - key: distributionModulesTracingType 
@@ -73,7 +73,7 @@ distribution: - path: .spec.distribution.modules.dr.type immutable: false description: "changes to the Disaster Recovery module type have been detected. This will cause the replacement of the current DR (velero) stack (removal or creation)." - safe: + safe: - from: none reducers: - key: distributionModulesDRType @@ -82,8 +82,10 @@ distribution: - path: .spec.distribution.modules.monitoring.type immutable: false description: "changes to the Monitoring module type have been detected. This will cause the reconfiguration or deletion of the current monitoring stack." - safe: + safe: - from: none + - from: prometheus + to: mimir reducers: - key: distributionModulesMonitoringType lifecycle: pre-apply @@ -91,9 +93,6 @@ distribution: - from: mimir to: prometheus reason: "switching from Mimir to Prometheus is not currently supported. You need to first remove the current stack with type: none." - - from: prometheus - to: mimir - reason: "switching from Prometheus to Mimir is not currently supported. You need to first remove the current stack with type: none." - path: .spec.distribution.modules.monitoring.mimir.backend immutable: false description: "changes to the mimir backend have been detected. This will cause the reconfiguration of mimir and the deletion of the current minio storage, if minio was disabled" @@ -103,7 +102,7 @@ distribution: - path: .spec.distribution.modules.ingress.nginx.type immutable: false description: "changes to the nginx type in the Ingress module have been detected. This will cause the reconfiguration or deletion of the current ingress stack." - safe: + safe: - from: none unsupported: - to: single @@ -118,7 +117,7 @@ distribution: - path: .spec.distribution.modules.auth.provider.type immutable: false description: "changes to the auth provider type will trigger the reconfiguration of the security on the infrastructural ingresses" - safe: + safe: - from: none reducers: - key: distributionModulesAuthProviderType 
diff --git a/rules/kfddistribution-kfd-v1alpha2.yaml b/rules/kfddistribution-kfd-v1alpha2.yaml index f8a577f6..ad81d7ac 100644 --- a/rules/kfddistribution-kfd-v1alpha2.yaml +++ b/rules/kfddistribution-kfd-v1alpha2.yaml @@ -26,7 +26,7 @@ distribution: - path: .spec.distribution.modules.policy.type immutable: false description: "changes to the policy module type have been detected. This will cause the reconfiguration or deletion of the current policy stack." - safe: + safe: - from: none unsupported: - to: gatekeeper @@ -59,7 +59,7 @@ distribution: - path: .spec.distribution.modules.tracing.type immutable: false description: "changes to the tracing module type have been detected. This will cause the replacement of the current tracing stack (removal or creation)." - safe: + safe: - from: none reducers: - key: distributionModulesTracingType @@ -73,7 +73,7 @@ distribution: - path: .spec.distribution.modules.dr.type immutable: false description: "changes to the Disaster Recovery module type have been detected. This will cause the replacement of the current DR (velero) stack (removal or creation)." - safe: + safe: - from: none reducers: - key: distributionModulesDRType @@ -87,8 +87,10 @@ distribution: - path: .spec.distribution.modules.monitoring.type immutable: false description: "changes to the Monitoring module type have been detected. This will cause the reconfiguration or deletion of the current monitoring stack." - safe: + safe: - from: none + - from: prometheus + to: mimir reducers: - key: distributionModulesMonitoringType lifecycle: pre-apply 
@@ -96,9 +98,6 @@ distribution: - from: mimir to: prometheus reason: "switching from Mimir to Prometheus is not currently supported. You need to first remove the current stack with type: none." - - from: prometheus - to: mimir - reason: "switching from Prometheus to Mimir is not currently supported. You need to first remove the current stack with type: none." - path: .spec.distribution.modules.monitoring.mimir.backend immutable: false description: "changes to the mimir backend have been detected. This will cause the reconfiguration of mimir and the deletion of the current minio storage, if minio was disabled" @@ -108,7 +107,7 @@ distribution: - path: .spec.distribution.modules.ingress.nginx.type immutable: false description: "changes to the nginx type in the Ingress module have been detected. This will cause the reconfiguration or deletion of the current ingress stack." - safe: + safe: - from: none unsupported: - to: single @@ -123,7 +122,7 @@ distribution: - path: .spec.distribution.modules.auth.provider.type immutable: false description: "changes to the auth provider type will trigger the reconfiguration of the security on the infrastructural ingresses" - safe: + safe: - from: none reducers: - key: distributionModulesAuthProviderType diff --git a/rules/onpremises-kfd-v1alpha2.yaml b/rules/onpremises-kfd-v1alpha2.yaml index c7bba065..95f8f909 100644 --- a/rules/onpremises-kfd-v1alpha2.yaml +++ b/rules/onpremises-kfd-v1alpha2.yaml @@ -35,7 +35,7 @@ distribution: - path: .spec.distribution.modules.policy.type immutable: false description: "changes to the policy module type have been detected. This will cause the reconfiguration or deletion of the current policy stack." - safe: + safe: - from: none unsupported: - to: gatekeeper 
@@ -68,7 +68,7 @@ distribution: - path: .spec.distribution.modules.tracing.type immutable: false description: "changes to the tracing module type have been detected. This will cause the replacement of the current tracing stack (removal or creation)." - safe: + safe: - from: none reducers: - key: distributionModulesTracingType @@ -82,7 +82,7 @@ distribution: - path: .spec.distribution.modules.dr.type immutable: false description: "changes to the Disaster Recovery module type have been detected. This will cause the replacement of the current DR (velero) stack (removal or creation)." - safe: + safe: - from: none reducers: - key: distributionModulesDRType @@ -96,8 +96,10 @@ distribution: - path: .spec.distribution.modules.monitoring.type immutable: false description: "changes to the Monitoring module type have been detected. This will cause the reconfiguration or deletion of the current monitoring stack." - safe: + safe: - from: none + - from: prometheus + to: mimir reducers: - key: distributionModulesMonitoringType lifecycle: pre-apply @@ -105,9 +107,6 @@ distribution: - from: mimir to: prometheus reason: "switching from Mimir to Prometheus is not currently supported. You need to first remove the current stack with type: none." - - from: prometheus - to: mimir - reason: "switching from Prometheus to Mimir is not currently supported. You need to first remove the current stack with type: none." - path: .spec.distribution.modules.monitoring.mimir.backend immutable: false description: "changes to the mimir backend have been detected. This will cause the reconfiguration of mimir and the deletion of the current minio storage, if minio was disabled" @@ -117,7 +116,7 @@ distribution: - path: .spec.distribution.modules.ingress.nginx.type immutable: false description: "changes to the nginx type in the Ingress module have been detected. This will cause the reconfiguration or deletion of the current ingress stack." - safe: + safe: - from: none unsupported: - to: single 
@@ -132,7 +131,7 @@ distribution: - path: .spec.distribution.modules.auth.provider.type immutable: false description: "changes to the auth provider type will trigger the reconfiguration of the security on the infrastructural ingresses" - safe: + safe: - from: none reducers: - key: distributionModulesAuthProviderType diff --git a/schemas/public/ekscluster-kfd-v1alpha2.json b/schemas/public/ekscluster-kfd-v1alpha2.json index 3ab1feb2..9e5db9a1 100644 --- a/schemas/public/ekscluster-kfd-v1alpha2.json +++ b/schemas/public/ekscluster-kfd-v1alpha2.json @@ -460,7 +460,10 @@ "properties": { "type": { "type": "string", - "enum": ["eks-managed", "self-managed"] + "enum": [ + "eks-managed", + "self-managed" + ] }, "name": { "type": "string" @@ -1175,7 +1178,7 @@ "storageSize": { "type": "string" }, - "rootUser": { + "rootUser" : { "type": "object", "additionalProperties": false, "properties": { @@ -1514,7 +1517,7 @@ }, "type": { "type": "string", - "enum": ["none", "gatekeeper", "kyverno"] + "enum": ["none", "gatekeeper","kyverno"] }, "gatekeeper": { "$ref": "#/$defs/Spec.Distribution.Modules.Policy.Gatekeeper" diff --git a/schemas/public/kfddistribution-kfd-v1alpha2.json b/schemas/public/kfddistribution-kfd-v1alpha2.json index ee38dd5a..19953645 100644 --- a/schemas/public/kfddistribution-kfd-v1alpha2.json +++ b/schemas/public/kfddistribution-kfd-v1alpha2.json @@ -50,7 +50,6 @@ }, "required": ["distributionVersion", "distribution"] }, - "Spec.Distribution": { "type": "object", "additionalProperties": false, @@ -65,7 +64,7 @@ "$ref": "#/$defs/Spec.Distribution.Modules" }, "customPatches": { - "$ref": "./spec-distribution-custom-patches.json" + "$ref": "../public/spec-distribution-custom-patches.json" } }, "required": ["modules", "kubeconfig"], @@ -803,7 +802,7 @@ }, "type": { "type": "string", - "enum": ["none", "gatekeeper", "kyverno"] + "enum": ["none", "gatekeeper","kyverno"] }, "gatekeeper": { "$ref": "#/$defs/Spec.Distribution.Modules.Policy.Gatekeeper" 
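Review bot: Two formatting regressions ride along with the functional schema changes in this section: `"rootUser" : {` gains a space before the colon (`@@ -1175`), and `"enum": ["none", "gatekeeper","kyverno"]` loses the space after the comma in both `ekscluster` (`@@ -1514`) and `kfddistribution` (`@@ -803`), while the first hunk expands the `type` enum onto separate lines. These look like generator output, but they diverge from the surrounding file's own style and add review noise to schema diffs that otherwise matter. Either run the schemas through the project's JSON formatter before committing, or keep the original spelling `"rootUser": {` and `["none", "gatekeeper", "kyverno"]`.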
diff --git a/schemas/public/onpremises-kfd-v1alpha2.json b/schemas/public/onpremises-kfd-v1alpha2.json index 0d0cf424..9abc6b69 100644 --- a/schemas/public/onpremises-kfd-v1alpha2.json +++ b/schemas/public/onpremises-kfd-v1alpha2.json @@ -310,6 +310,9 @@ }, "containerd": { "$ref": "#/$defs/Spec.Kubernetes.Advanced.Containerd" + }, + "encryption": { + "$ref": "#/$defs/Spec.Kubernetes.Advanced.Encryption" } } }, @@ -392,7 +395,21 @@ } } }, - + "Spec.Kubernetes.Advanced.Encryption": { + "type": "object", + "additionalProperties": false, + "properties": { + "tlsCipherSuites": { + "type": "array", + "items": { + "type": "string" + } + }, + "configuration": { + "type": "string" + } + } + }, "Spec.Distribution": { "type": "object", "additionalProperties": false, @@ -404,7 +421,7 @@ "$ref": "#/$defs/Spec.Distribution.Modules" }, "customPatches": { - "$ref": "./spec-distribution-custom-patches.json" + "$ref": "../public/spec-distribution-custom-patches.json" } }, "required": ["modules"], diff --git a/templates/config/onpremises-kfd-v1alpha2.yaml.tpl b/templates/config/onpremises-kfd-v1alpha2.yaml.tpl index 3cf947e8..5ef16529 100644 --- a/templates/config/onpremises-kfd-v1alpha2.yaml.tpl +++ b/templates/config/onpremises-kfd-v1alpha2.yaml.tpl 
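Review bot: The new `Spec.Kubernetes.Advanced.Encryption` definition carries no `description` on either property, and `configuration` is an opaque string, so the schema can neither tell users that it must contain a complete `EncryptionConfiguration` manifest nor validate it — a malformed value is only caught when the control plane starts. Add `"description": "Full apiserver EncryptionConfiguration manifest (apiVersion apiserver.config.k8s.io/v1) enabling encryption at rest for the listed resources; the key material inside it is a secret and must be handled as such."` on `configuration`, and `"description": "TLS cipher suites to enforce for etcd, kubelet and the kubeadm static pods."` on `tlsCipherSuites`, matching the commented example in the config template.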
@@ -74,6 +74,32 @@ spec: ip: 192.168.1.104 - name: worker2 ip: 192.168.1.105 + # advanced: + # # This section configures the encryption features + # encryption: + # # This section defines custom cipher suites for: etcd, kubelet, kubeadm static pods + # tlsCipherSuites: + # - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + # - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + # - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + # - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" + # - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" + # - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" + # - "TLS_AES_128_GCM_SHA256" + # - "TLS_AES_256_GCM_SHA384" + # - "TLS_CHACHA20_POLY1305_SHA256" + # # This section adds secrets encryption feature in etcd + # configuration: | + # apiVersion: apiserver.config.k8s.io/v1 + # kind: EncryptionConfiguration + # resources: + # - resources: + # - secrets + # providers: + # - aescbc: + # keys: + # - name: mykey + # secret: base64_encoded_secret # This section describes how the KFD distribution will be installed distribution: # This common configuration will be applied to all the packages that will be installed in the cluster diff --git a/templates/distribution/_helpers.tpl b/templates/distribution/_helpers.tpl index dc7138e6..0d08d241 100644 --- a/templates/distribution/_helpers.tpl +++ b/templates/distribution/_helpers.tpl @@ -205,6 +205,6 @@ cert-manager.io/cluster-issuer: {{ .spec.distribution.modules.ingress.certManage {{- template "ingressHostAuth" (dict "module" "auth" "package" "dex" "prefix" "login." "spec" .) -}} {{ end }} -{{ define "gangwayUrl" }} - {{- template "ingressHostAuth" (dict "module" "auth" "package" "gangway" "prefix" "gangway." "spec" .) -}} +{{ define "gangplankUrl" }} + {{- template "ingressHostAuth" (dict "module" "auth" "package" "gangplank" "prefix" "gangplank." "spec" .) -}} {{ end }} \ No newline at end of file 
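Review bot: The commented example under `encryption.configuration` uses the `aescbc` provider; upstream Kubernetes encryption-at-rest docs currently list aescbc as not recommended (CBC padding-oracle concerns) and point to `secretbox`, `aesgcm` or a `kms` provider instead, so the example as written steers users towards the weakest choice. It also places the raw key in the furyctl config file without saying so, and does not mention that the key must be random and of a valid length (16, 24 or 32 bytes for aescbc, base64-encoded). Suggest adding above the `configuration:` example: `# # NOTE: the key below is a real secret stored in this file; generate it from 32 random bytes and prefer secretbox/aesgcm/kms over aescbc (see "Encrypting Confidential Data at Rest" in the Kubernetes docs).`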
diff --git a/templates/distribution/manifests/auth/kustomization.yaml.tpl b/templates/distribution/manifests/auth/kustomization.yaml.tpl index d44ba7ea..5ab2396a 100644 --- a/templates/distribution/manifests/auth/kustomization.yaml.tpl +++ b/templates/distribution/manifests/auth/kustomization.yaml.tpl @@ -11,7 +11,7 @@ resources: - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/auth/katalog/dex" }} - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/auth/katalog/pomerium" }} {{- if .spec.distribution.modules.auth.oidcKubernetesAuth.enabled }} - - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/auth/katalog/gangway" }} + - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/auth/katalog/gangplank" }} {{- end }} {{- if ne .spec.distribution.modules.ingress.nginx.type "none" }} - resources/ingress-infra.yml @@ -41,10 +41,10 @@ secretGenerator: envs: - secrets/pomerium.env {{- if .spec.distribution.modules.auth.oidcKubernetesAuth.enabled }} - - name: gangway + - name: gangplank namespace: kube-system files: - - gangway.yml=secrets/gangway.yml + - gangplank.yml=secrets/gangplank.yml {{- end }} {{- end }} @@ -56,7 +56,7 @@ resources: - secrets/basic-auth.yml {{- if .spec.distribution.modules.auth.oidcKubernetesAuth.enabled }} - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/auth/katalog/dex" }} - - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/auth/katalog/gangway" }} + - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/auth/katalog/gangplank" }} - resources/ingress-infra.yml {{- end }} @@ -66,10 +66,10 @@ secretGenerator: namespace: kube-system files: - config.yml=secrets/dex.yml - - name: gangway + - name: gangplank namespace: kube-system files: - - gangway.yml=secrets/gangway.yml + - gangplank.yml=secrets/gangplank.yml patchesStrategicMerge: - patches/infra-nodes.yml 
@@ -82,7 +82,7 @@ patchesStrategicMerge: {{- if .spec.distribution.modules.auth.oidcKubernetesAuth.enabled }} resources: - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/auth/katalog/dex" }} - - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/auth/katalog/gangway" }} + - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/auth/katalog/gangplank" }} - resources/ingress-infra.yml {{- end }} @@ -92,10 +92,10 @@ secretGenerator: namespace: kube-system files: - config.yml=secrets/dex.yml - - name: gangway + - name: gangplank namespace: kube-system files: - - gangway.yml=secrets/gangway.yml + - gangplank.yml=secrets/gangplank.yml patchesStrategicMerge: - patches/infra-nodes.yml diff --git a/templates/distribution/manifests/auth/patches/infra-nodes.yml.tpl b/templates/distribution/manifests/auth/patches/infra-nodes.yml.tpl index 9e51110c..8d84d8c4 100644 --- a/templates/distribution/manifests/auth/patches/infra-nodes.yml.tpl +++ b/templates/distribution/manifests/auth/patches/infra-nodes.yml.tpl @@ -4,6 +4,7 @@ {{- $dexArgs := dict "module" "auth" "package" "dex" "spec" .spec -}} {{- $pomeriumArgs := dict "module" "auth" "package" "pomerium" "spec" .spec -}} +{{- $gangplankArgs := dict "module" "auth" "package" "gangplank" "spec" .spec -}} --- apiVersion: apps/v1 kind: Deployment @@ -32,3 +33,18 @@ spec: tolerations: {{ template "tolerations" $pomeriumArgs }} {{- end }} +{{- if .spec.distribution.modules.auth.oidcKubernetesAuth.enabled }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gangplank + namespace: kube-system +spec: + template: + spec: + nodeSelector: + {{ template "nodeSelector" $pomeriumArgs }} + tolerations: + {{ template "tolerations" $pomeriumArgs }} +{{- end }} diff --git a/templates/distribution/manifests/auth/resources/ingress-infra.yml.tpl b/templates/distribution/manifests/auth/resources/ingress-infra.yml.tpl index 0b873baf..37f0b871 100644 
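Review bot: The new gangplank Deployment patch in `infra-nodes.yml.tpl` renders its `nodeSelector` and `tolerations` from `$pomeriumArgs`, so the `$gangplankArgs` dict introduced in the first hunk of that file is never used and any package-level node placement overrides for gangplank are silently ignored in favour of pomerium's. The two template lines should read `{{ template "nodeSelector" $gangplankArgs }}` and `{{ template "tolerations" $gangplankArgs }}`.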
--- a/templates/distribution/manifests/auth/resources/ingress-infra.yml.tpl +++ b/templates/distribution/manifests/auth/resources/ingress-infra.yml.tpl @@ -38,21 +38,21 @@ metadata: annotations: {{ template "certManagerClusterIssuer" . }} {{- end }} - name: gangway + name: gangplank namespace: kube-system spec: # Needs to be externally available in order to act as callback from GitHub. - ingressClassName: {{ template "ingressClass" (dict "module" "auth" "package" "gangway" "type" "external" "spec" .spec) }} + ingressClassName: {{ template "ingressClass" (dict "module" "auth" "package" "gangplank" "type" "external" "spec" .spec) }} rules: - - host: {{ template "gangwayUrl" .spec }} + - host: {{ template "gangplankUrl" .spec }} http: paths: - path: / pathType: Prefix backend: service: - name: gangway-svc + name: gangplank-svc port: name: http -{{- template "ingressTlsAuth" (dict "module" "auth" "package" "gangway" "prefix" "gangway." "spec" .spec) }} +{{- template "ingressTlsAuth" (dict "module" "auth" "package" "gangplank" "prefix" "gangplank." "spec" .spec) }} {{- end }} diff --git a/templates/distribution/manifests/auth/resources/pomerium-policy.yml.tpl b/templates/distribution/manifests/auth/resources/pomerium-policy.yml.tpl index ed97653d..7cf091b3 100644 --- a/templates/distribution/manifests/auth/resources/pomerium-policy.yml.tpl +++ b/templates/distribution/manifests/auth/resources/pomerium-policy.yml.tpl @@ -24,6 +24,7 @@ routes: - authenticated_user: true - from: https://{{ template "grafanaUrl" .spec }} to: http://grafana.monitoring.svc.cluster.local:3000 + allow_websockets: true policy: - allow: and: 
@@ -34,12 +35,6 @@ routes: - allow: and: - authenticated_user: true - - from: https://{{ template "cerebroUrl" .spec }} - to: http://cerebro.logging.svc.cluster.local:9000 - policy: - - allow: - and: - - authenticated_user: true - from: https://{{ template "opensearchDashboardsUrl" .spec }} to: http://opensearch-dashboards.logging.svc.cluster.local:5601 policy: diff --git a/templates/distribution/manifests/auth/secrets/dex.yml.tpl b/templates/distribution/manifests/auth/secrets/dex.yml.tpl index 26ec680b..a908db54 100644 --- a/templates/distribution/manifests/auth/secrets/dex.yml.tpl +++ b/templates/distribution/manifests/auth/secrets/dex.yml.tpl @@ -16,11 +16,11 @@ {{ print "https://pomerium." .spec.distribution.modules.auth.baseDomain "/oauth2/callback" }} {{- end }} {{- end -}} -{{- define "gangwayHost" -}} - {{ if .spec.distribution.modules.auth.overrides.ingresses.gangway.host -}} - {{ print "https://" .spec.distribution.modules.auth.overrides.ingresses.gangway.host }} +{{- define "gangplankHost" -}} + {{ if .spec.distribution.modules.auth.overrides.ingresses.gangplank.host -}} + {{ print "https://" .spec.distribution.modules.auth.overrides.ingresses.gangplank.host }} {{- else -}} - {{ print "https://gangway." .spec.distribution.modules.auth.baseDomain }} + {{ print "https://gangplank." .spec.distribution.modules.auth.baseDomain }} {{- end }} {{- end }} issuer: {{ template "dexHost" . }} @@ -48,7 +48,7 @@ staticClients: {{- if .spec.distribution.modules.auth.oidcKubernetesAuth.enabled }} - id: {{ .spec.distribution.modules.auth.oidcKubernetesAuth.clientID }} redirectURIs: - - {{ template "gangwayHost" . }}/callback + - {{ template "gangplankHost" . }}/callback name: 'In cluster LOGIN' secret: {{ .spec.distribution.modules.auth.oidcKubernetesAuth.clientSecret }} {{- end }} 
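Review bot: `gangplankHost` in `dex.yml.tpl` now reads `.spec.distribution.modules.auth.overrides.ingresses.gangplank.host`, but the schema/Go type change that renames the `gangway` override key is not in this chunk; if the key is still `gangway` the `if` evaluates falsy on the missing map key (or rendering fails if the path is a struct field) and every user override silently falls back to `https://gangplank.<baseDomain>`. Please confirm the rename in the overrides schema and call it out in the release notes as a breaking config change for anyone who set `overrides.ingresses.gangway.host`.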
diff --git a/templates/distribution/manifests/auth/secrets/gangway.yml.tpl b/templates/distribution/manifests/auth/secrets/gangplank.yml.tpl similarity index 95% rename from templates/distribution/manifests/auth/secrets/gangway.yml.tpl rename to templates/distribution/manifests/auth/secrets/gangplank.yml.tpl index 77a50014..34e10522 100644 --- a/templates/distribution/manifests/auth/secrets/gangway.yml.tpl +++ b/templates/distribution/manifests/auth/secrets/gangplank.yml.tpl @@ -12,7 +12,7 @@ trustedCAPath: "/tls/ca.crt" tokenURL: "https://{{ template "dexUrl" .spec }}/token" clientID: "{{ .spec.distribution.modules.auth.oidcKubernetesAuth.clientID }}" clientSecret: "{{ .spec.distribution.modules.auth.oidcKubernetesAuth.clientSecret }}" -redirectURL: "https://{{ template "gangwayUrl" .spec }}/callback" +redirectURL: "https://{{ template "gangplankUrl" .spec }}/callback" {{- if index .spec.distribution.modules.auth.oidcKubernetesAuth "scopes" }} scopes: {{ .spec.distribution.modules.auth.oidcKubernetesAuth.scopes | toYaml | indent 10 }} diff --git a/templates/distribution/manifests/logging/kustomization.yaml.tpl b/templates/distribution/manifests/logging/kustomization.yaml.tpl index f47d33db..b973bef3 100644 --- a/templates/distribution/manifests/logging/kustomization.yaml.tpl +++ b/templates/distribution/manifests/logging/kustomization.yaml.tpl 
@@ -11,7 +11,6 @@ resources: - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/logging/katalog/logging-operator" }} - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/logging/katalog/minio-ha" }} {{- if eq .spec.distribution.modules.logging.type "opensearch" }} - - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/logging/katalog/cerebro" }} - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/logging/katalog/configs/audit" }} - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/logging/katalog/configs/events" }} - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/logging/katalog/configs/infra" }} @@ -72,7 +71,7 @@ secretGenerator: namespace: logging behavior: merge files: - - patches/config.yaml + - config.yaml=patches/loki-config.yaml {{- end }} - name: minio-logging namespace: logging diff --git a/templates/distribution/manifests/logging/patches/infra-nodes.yml.tpl b/templates/distribution/manifests/logging/patches/infra-nodes.yml.tpl index 82b5e747..28b44438 100644 --- a/templates/distribution/manifests/logging/patches/infra-nodes.yml.tpl +++ b/templates/distribution/manifests/logging/patches/infra-nodes.yml.tpl @@ -2,7 +2,6 @@ # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. -{{- $cerebroArgs := dict "module" "logging" "package" "cerebro" "spec" .spec -}} {{- $opensearchArgs := dict "module" "logging" "package" "opensearch" "spec" .spec -}} {{- $minioArgs := dict "module" "logging" "package" "minio" "spec" .spec -}} {{- $operatorArgs := dict "module" "logging" "package" "operator" "spec" .spec -}} 
@@ -11,19 +10,6 @@ {{- if eq .spec.distribution.modules.logging.type "opensearch" }} --- apiVersion: apps/v1 -kind: Deployment -metadata: - name: cerebro - namespace: logging -spec: - template: - spec: - nodeSelector: - {{ template "nodeSelector" $cerebroArgs }} - tolerations: - {{ template "tolerations" $cerebroArgs }} ---- -apiVersion: apps/v1 kind: StatefulSet metadata: name: opensearch-cluster-master diff --git a/templates/distribution/manifests/logging/patches/config.yaml.tpl b/templates/distribution/manifests/logging/patches/loki-config.yaml.tpl similarity index 98% rename from templates/distribution/manifests/logging/patches/config.yaml.tpl rename to templates/distribution/manifests/logging/patches/loki-config.yaml.tpl index 55652ce8..f1851f75 100644 --- a/templates/distribution/manifests/logging/patches/config.yaml.tpl +++ b/templates/distribution/manifests/logging/patches/loki-config.yaml.tpl @@ -2,6 +2,8 @@ # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. +analytics: + reporting_enabled: false auth_enabled: false chunk_store_config: max_look_back_period: 0s diff --git a/templates/distribution/manifests/logging/resources/ingress-infra.yml.tpl b/templates/distribution/manifests/logging/resources/ingress-infra.yml.tpl index b5e509a2..df9656f8 100644 --- a/templates/distribution/manifests/logging/resources/ingress-infra.yml.tpl +++ b/templates/distribution/manifests/logging/resources/ingress-infra.yml.tpl 
@@ -6,47 +6,6 @@ --- apiVersion: networking.k8s.io/v1 kind: Ingress -metadata: - labels: - cluster.kfd.sighup.io/useful-link.enable: "true" - annotations: - cluster.kfd.sighup.io/useful-link.url: https://{{ template "cerebroUrl" .spec }} - cluster.kfd.sighup.io/useful-link.name: "Cerebro" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Cerebro" - forecastle.stakater.com/icon: "https://github.com/stakater/ForecastleIcons/raw/master/cerebro.png" - {{ if not .spec.distribution.modules.logging.overrides.ingresses.cerebro.disableAuth }}{{ template "ingressAuth" . }}{{ end }} - {{ template "certManagerClusterIssuer" . }} - name: cerebro - {{ if and (not .spec.distribution.modules.logging.overrides.ingresses.cerebro.disableAuth) (eq .spec.distribution.modules.auth.provider.type "sso") }} - namespace: pomerium - {{ else }} - namespace: logging - {{ end }} -spec: - ingressClassName: {{ template "ingressClass" (dict "module" "logging" "package" "cerebro" "type" "internal" "spec" .spec) }} - rules: - - host: {{ template "cerebroUrl" .spec }} - http: - paths: - - path: / - pathType: Prefix - backend: - {{ if and (not .spec.distribution.modules.logging.overrides.ingresses.cerebro.disableAuth) (eq .spec.distribution.modules.auth.provider.type "sso") }} - service: - name: pomerium - port: - number: 80 - {{ else }} - service: - name: cerebro - port: - name: http - {{ end }} -{{- template "ingressTls" (dict "module" "logging" "package" "cerebro" "prefix" "cerebro." "spec" .spec) }} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress metadata: labels: cluster.kfd.sighup.io/useful-link.enable: "true" diff --git a/templates/distribution/manifests/monitoring/patches/infra-nodes.yml.tpl b/templates/distribution/manifests/monitoring/patches/infra-nodes.yml.tpl index 6aa28843..7812abc2 100644 --- a/templates/distribution/manifests/monitoring/patches/infra-nodes.yml.tpl +++ b/templates/distribution/manifests/monitoring/patches/infra-nodes.yml.tpl 
@@ -127,6 +127,7 @@ spec: {{ if eq .spec.distribution.modules.monitoring.type "mimir" -}} {{- $mimirArgs := dict "module" "monitoring" "package" "mimir" "spec" .spec -}} +{{- if .checks.storageClassAvailable }} --- apiVersion: apps/v1 kind: StatefulSet @@ -166,6 +167,7 @@ spec: {{ template "nodeSelector" $mimirArgs }} tolerations: {{ template "tolerations" $mimirArgs }} +{{- if eq .spec.distribution.modules.monitoring.mimir.backend "minio" }} --- apiVersion: apps/v1 kind: StatefulSet @@ -179,6 +181,7 @@ spec: {{ template "nodeSelector" $mimirArgs }} tolerations: {{ template "tolerations" $mimirArgs }} +{{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -258,4 +261,5 @@ spec: tolerations: {{ template "tolerations" $mimirArgs }} --- +{{- end }} {{ end }} diff --git a/templates/distribution/manifests/monitoring/patches/mimir.yaml.tpl b/templates/distribution/manifests/monitoring/patches/mimir.yaml.tpl index 789cb666..8f5599a9 100644 --- a/templates/distribution/manifests/monitoring/patches/mimir.yaml.tpl +++ b/templates/distribution/manifests/monitoring/patches/mimir.yaml.tpl @@ -70,6 +70,7 @@ ingester_client: max_recv_msg_size: 104857600 max_send_msg_size: 104857600 limits: + max_global_series_per_user: 0 # we disable the limit on series a user can push because we have only Prometheus pushing with the fury user. max_cache_freshness: 10m max_query_parallelism: 240 max_total_query_length: 12000h @@ -100,4 +101,4 @@ store_gateway: unregister_on_shutdown: false wait_stability_min_duration: 1m usage_stats: - installation_mode: helm \ No newline at end of file + installation_mode: helm diff --git a/templates/distribution/manifests/networking/kustomization.yaml.tpl b/templates/distribution/manifests/networking/kustomization.yaml.tpl index 1734e535..dafbc038 100644 --- a/templates/distribution/manifests/networking/kustomization.yaml.tpl +++ b/templates/distribution/manifests/networking/kustomization.yaml.tpl 
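Review bot: `max_global_series_per_user: 0` in `mimir.yaml.tpl` removes the per-tenant series cap entirely, so the only protection left against a cardinality explosion from the single Prometheus tenant (a misconfigured scrape target, a label with unbounded values) is ingester memory itself. The default existed as an availability guard, so consider a generous finite value sized for the cluster rather than 0, and in any case extend the inline comment to state the trade-off, e.g. `# unlimited: only our Prometheus writes to this tenant, so a cardinality spike is bounded only by ingester memory/instance limits`. If Mimir's `ingester.instance_limits.max_series` is not set elsewhere in this config (outside the hunk), that would be the natural backstop to keep.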
@@ -48,6 +48,15 @@ patchesJson6902: {{- end }} {{- if eq .spec.distribution.modules.networking.type "cilium" }} +patchesJson6902: + - target: + group: apps + version: v1 + kind: Deployment + name: cilium-operator + namespace: kube-system + path: patchesjson/cilium-operator-tolerations.yaml + configMapGenerator: - behavior: merge envs: diff --git a/templates/distribution/manifests/networking/patchesjson/cilium-operator-tolerations.yaml.tpl b/templates/distribution/manifests/networking/patchesjson/cilium-operator-tolerations.yaml.tpl new file mode 100644 index 00000000..68c744c8 --- /dev/null +++ b/templates/distribution/manifests/networking/patchesjson/cilium-operator-tolerations.yaml.tpl @@ -0,0 +1,8 @@ +# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +- op: add + path: /spec/template/spec/tolerations + value: + - operator: Exists diff --git a/templates/distribution/manifests/tracing/kustomization.yaml.tpl b/templates/distribution/manifests/tracing/kustomization.yaml.tpl index d18c491d..bf54f613 100644 --- a/templates/distribution/manifests/tracing/kustomization.yaml.tpl +++ b/templates/distribution/manifests/tracing/kustomization.yaml.tpl @@ -12,8 +12,10 @@ resources: - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/tracing/katalog/minio-ha" }} {{- end }} {{- if ne .spec.distribution.modules.ingress.nginx.type "none" }} +{{- if eq .spec.distribution.modules.tracing.tempo.backend "minio" }} - resources/ingress-infra.yml {{- end }} +{{- end }} patchesStrategicMerge: - patches/infra-nodes.yml diff --git a/templates/distribution/scripts/pre-apply.sh.tpl b/templates/distribution/scripts/pre-apply.sh.tpl index 4d310a08..8e3e79e0 100644 --- a/templates/distribution/scripts/pre-apply.sh.tpl +++ b/templates/distribution/scripts/pre-apply.sh.tpl 
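Review bot: The hunk header shows a `patchesJson6902:` key already emitted earlier in `networking/kustomization.yaml.tpl` inside another conditional block; if that block and the new `{{- if eq .spec.distribution.modules.networking.type "cilium" }}` block can both render (their conditions are outside the hunk), the output contains the same mapping key twice, which kustomize rejects. If the two blocks are mutually exclusive by networking type this is fine, but a one-line comment above the new key would make that explicit, e.g. `# one patchesJson6902 block per networking type; they are never rendered together`. Otherwise the cilium-operator target should be appended to the existing list instead of opening a second key.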
@@ -28,20 +28,18 @@ vendorPath="{{ .paths.vendorPath }}" deleteOpensearch() { $kubectlbin delete --ignore-not-found --wait --timeout=180s ingress -n logging opensearch-dashboards $kubectlbin delete --ignore-not-found --wait --timeout=180s ingress -n pomerium opensearch-dashboards - $kubectlbin delete --ignore-not-found --wait --timeout=180s ingress -n pomerium cerebro - $kustomizebin build $vendorPath/modules/logging/katalog/opensearch-dashboards > delete-opensearch-cerebro.yaml - $kustomizebin build $vendorPath/modules/logging/katalog/opensearch-triple >> delete-opensearch-cerebro.yaml - $kustomizebin build $vendorPath/modules/logging/katalog/cerebro >> delete-opensearch-cerebro.yaml + $kustomizebin build $vendorPath/modules/logging/katalog/opensearch-dashboards > delete-opensearch.yaml + $kustomizebin build $vendorPath/modules/logging/katalog/opensearch-triple >> delete-opensearch.yaml {{- if eq .spec.distribution.modules.monitoring.type "none" }} if ! $kubectlbin get apiservice v1.monitoring.coreos.com; then - cat delete-opensearch-cerebro.yaml | $yqbin 'select(.apiVersion != "monitoring.coreos.com/v1")' > delete-opensearch-cerebro-filtered.yaml - cp delete-opensearch-cerebro-filtered.yaml delete-opensearch-cerebro.yaml + cat delete-opensearch.yaml | $yqbin 'select(.apiVersion != "monitoring.coreos.com/v1")' > delete-opensearch-filtered.yaml + cp delete-opensearch-filtered.yaml delete-opensearch.yaml fi {{- end }} - $kubectlbin delete --ignore-not-found --wait --timeout=180s -f delete-opensearch-cerebro.yaml + $kubectlbin delete --ignore-not-found --wait --timeout=180s -f delete-opensearch.yaml $kubectlbin delete --ignore-not-found -l app.kubernetes.io/name=opensearch pvc -n logging --wait --timeout=180s echo "Opensearch resources deleted" } 
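Review bot: The rewritten filter in deleteOpensearch still pipes `cat delete-opensearch.yaml` into `$yqbin` and then copies the result back with `cp`, which leaves a stale `delete-opensearch-filtered.yaml` beside the file actually applied. `$yqbin 'select(.apiVersion != "monitoring.coreos.com/v1")' delete-opensearch.yaml > delete-opensearch-filtered.yaml` followed by `mv delete-opensearch-filtered.yaml delete-opensearch.yaml` reads the same and removes the intermediate; this assumes the yq in use accepts a file operand, which the mikefarah yq does. The same pattern appears in deleteGangplank in the next hunk.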
@@ -543,20 +541,20 @@ deleteDex() { echo "dex has been deleted from the cluster" } -deleteGangway() { +deleteGangplank() { - $kustomizebin build $vendorPath/modules/auth/katalog/gangway > delete-gangway.yaml + $kustomizebin build $vendorPath/modules/auth/katalog/gangplank > delete-gangplank.yaml {{- if eq .spec.distribution.modules.monitoring.type "none" }} if ! $kubectlbin get apiservice v1.monitoring.coreos.com; then - cat delete-gangway.yaml | $yqbin 'select(.apiVersion != "monitoring.coreos.com/v1")' > delete-gangway-filtered.yaml - cp delete-gangway-filtered.yaml delete-pomerium.yaml + cat delete-gangplank.yaml | $yqbin 'select(.apiVersion != "monitoring.coreos.com/v1")' > delete-gangplank-filtered.yaml + cp delete-gangplank-filtered.yaml delete-pomerium.yaml fi {{- end }} - $kubectlbin delete --ignore-not-found --wait --timeout=180s -f delete-gangway.yaml - $kubectlbin delete --ignore-not-found --wait --timeout=180s ingress -n kube-system gangway - echo "dex has been deleted from the cluster" + $kubectlbin delete --ignore-not-found --wait --timeout=180s -f delete-gangplank.yaml + $kubectlbin delete --ignore-not-found --wait --timeout=180s ingress -n kube-system gangplank + echo "gangplank has been deleted from the cluster" } deletePomerium() { @@ -595,7 +593,7 @@ deleteInfraIngresses() { {{- if eq .reducers.distributionModulesAuthProviderType.to "none" }} deleteDex -deleteGangway +deleteGangplank deletePomeriumIngresses deletePomerium @@ -605,7 +603,7 @@ deletePomerium {{- if eq .reducers.distributionModulesAuthProviderType.from "basicAuth" }} deleteDex -deleteGangway +deleteGangplank deletePomeriumIngresses deletePomerium {{- end }} @@ -616,7 +614,7 @@ deletePomerium {{- if eq .reducers.distributionModulesAuthProviderType.from "basicAuth" }} deleteDex -deleteGangway +deleteGangplank deleteInfraIngresses deletePomerium {{- end }} 
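Review bot: In deleteGangplank the filtered manifest is copied to the wrong file: `cp delete-gangplank-filtered.yaml delete-pomerium.yaml` should read `cp delete-gangplank-filtered.yaml delete-gangplank.yaml`. As written, the `$kubectlbin delete -f delete-gangplank.yaml` two lines later runs against the unfiltered output, so on a cluster without the `monitoring.coreos.com/v1` apiservice the delete still includes resources of a kind the API server does not serve, which is exactly what the filter was meant to avoid; it also clobbers `delete-pomerium.yaml`, which deletePomerium (whose body begins at the end of this hunk and continues outside it) presumably generates and applies. The defect predates the rename from deleteGangway, but the rename is the moment to fix it.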
diff --git a/templates/infrastructure/ekscluster/terraform/main.auto.tfvars.tpl b/templates/infrastructure/ekscluster/terraform/main.auto.tfvars.tpl
new file mode 100644
index 00000000..0b0912b3
--- /dev/null
+++ b/templates/infrastructure/ekscluster/terraform/main.auto.tfvars.tpl
@@ -0,0 +1,51 @@
+/**
+ * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ */
+
+name = {{ .metadata.name | quote }}
+{{- if and .spec.infrastructure (index .spec.infrastructure "vpc") }}
+vpc_enabled = true
+cidr = {{ .spec.infrastructure.vpc.network.cidr | quote }}
+vpc_public_subnetwork_cidrs = {{ toJson .spec.infrastructure.vpc.network.subnetsCidrs.public }}
+vpc_private_subnetwork_cidrs = {{ toJson .spec.infrastructure.vpc.network.subnetsCidrs.private }}
+{{- else }}
+vpc_enabled = false
+{{- end }}
+{{- if and .spec.infrastructure (index .spec.infrastructure "vpn") ((hasKeyAny .spec.infrastructure.vpn "instances") | ternary (and (index .spec.infrastructure.vpn "instances") (gt .spec.infrastructure.vpn.instances 0)) true) }}
+vpn_enabled = true
+vpn_subnetwork_cidr = {{ .spec.infrastructure.vpn.vpnClientsSubnetCidr | quote }}
+{{- if index .spec.infrastructure.vpn "vpcId" }}
+vpn_vpc_id = {{ .spec.infrastructure.vpn.vpcId | quote }}
+{{- end }}
+{{- if index .spec.infrastructure.vpn "instances" }}
+vpn_instances = {{ .spec.infrastructure.vpn.instances }}
+{{- end }}
+{{- if and (index .spec.infrastructure.vpn "port") (ne .spec.infrastructure.vpn.port 0) }}
+vpn_port = {{ .spec.infrastructure.vpn.port }}
+{{- end }}
+{{- if and (index .spec.infrastructure.vpn "instanceType") (ne .spec.infrastructure.vpn.instanceType "") }}
+vpn_instance_type = {{ .spec.infrastructure.vpn.instanceType | quote }}
+{{- end }}
+{{- if and (index .spec.infrastructure.vpn "diskSize") (ne .spec.infrastructure.vpn.diskSize 0) }}
+vpn_instance_disk_size = {{ .spec.infrastructure.vpn.diskSize }}
+{{- end }}
+{{- if and (index .spec.infrastructure.vpn "operatorName") (ne .spec.infrastructure.vpn.operatorName "") }}
+vpn_operator_name = {{ .spec.infrastructure.vpn.operatorName | quote }}
+{{- end }}
+{{- if and (index .spec.infrastructure.vpn "dhParamsBits") (ne .spec.infrastructure.vpn.dhParamsBits 0) }}
+vpn_dhparams_bits = {{ .spec.infrastructure.vpn.dhParamsBits }}
+{{- end }}
+{{- if and (index .spec.infrastructure.vpn "bucketNamePrefix") (ne .spec.infrastructure.vpn.bucketNamePrefix "") }}
+vpn_bucket_name_prefix = {{ .spec.infrastructure.vpn.bucketNamePrefix | quote }}
+{{- end }}
+{{- if gt (len .spec.infrastructure.vpn.ssh.allowedFromCidrs) 0 }}
+vpn_operator_cidrs = {{ toJson (.spec.infrastructure.vpn.ssh.allowedFromCidrs | uniq) }}
+{{- end }}
+{{- if gt (len .spec.infrastructure.vpn.ssh.githubUsersName) 0 }}
+vpn_ssh_users = {{ toJson .spec.infrastructure.vpn.ssh.githubUsersName }}
+{{- end }}
+{{- else }}
+vpn_enabled = false
+{{- end }}
diff --git a/templates/infrastructure/ekscluster/terraform/main.tf.tpl b/templates/infrastructure/ekscluster/terraform/main.tf.tpl
new file mode 100644
index 00000000..31b774ff
--- /dev/null
+++ b/templates/infrastructure/ekscluster/terraform/main.tf.tpl
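Review bot: `vpn_operator_cidrs` is rendered only when `.spec.infrastructure.vpn.ssh.allowedFromCidrs` is non-empty; when the list is empty the Terraform variable keeps its default, which variables.tf in this same commit sets to `["0.0.0.0/0"]`, so leaving the list empty makes the VPN instance's SSH port reachable from any source address instead of from nowhere. Unless the schema already requires a non-empty list, rendering the value unconditionally, `vpn_operator_cidrs = {{ toJson (.spec.infrastructure.vpn.ssh.allowedFromCidrs | uniq) }}`, preserves the user's intent rather than silently widening it; if the VPN module cannot take an empty list, the default in variables.tf should be tightened instead. The `len` calls on `.spec.infrastructure.vpn.ssh.*` also assume `ssh` is always present when `vpn` is; if the schema does not guarantee that, they need the same `index` guard the other optional keys above use.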
@@ -0,0 +1,77 @@
+/**
+ * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ */
+
+terraform {
+ backend "s3" {
+ bucket = "{{ .spec.toolsConfiguration.terraform.state.s3.bucketName }}"
+ key = "{{ .spec.toolsConfiguration.terraform.state.s3.keyPrefix }}/infrastructure.json"
+ region = "{{ .spec.toolsConfiguration.terraform.state.s3.region }}"
+
+ {{- if index .spec.toolsConfiguration.terraform.state.s3 "skipRegionValidation" }}
+ skip_region_validation = {{ default false .spec.toolsConfiguration.terraform.state.s3.skipRegionValidation }}
+ {{- end }}
+ }
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ }
+}
+
+provider "aws" {
+ region = "{{ .spec.region }}"
+ default_tags {
+ tags = {
+ {{- range $k, $v := .spec.tags }}
+ {{ $k }} = "{{ $v }}"
+ {{- end}}
+ }
+ }
+}
+
+module "vpc" {
+ source = "{{ .infrastructure.vpcInstallerPath }}"
+
+ count = var.vpc_enabled ? 1 : 0
+
+ name = var.name
+ tags = var.tags
+
+ cidr = var.cidr
+ private_subnetwork_cidrs = var.vpc_private_subnetwork_cidrs
+ public_subnetwork_cidrs = var.vpc_public_subnetwork_cidrs
+
+ # extra_ipv4_cidr_blocks = []
+ # availability_zone_names = []
+ # single_nat_gateway = false
+ # one_nat_gateway_per_az = true
+ names_of_kubernetes_cluster_integrated_with_subnets = [var.name]
+}
+
+module "vpn" {
+ source = "{{ .infrastructure.vpnInstallerPath }}"
+
+ count = var.vpn_enabled ? 1 : 0
+
+ name = var.name
+ tags = var.tags
+
+ vpc_id = var.vpc_enabled ? one(module.vpc[*].vpc_id) : var.vpn_vpc_id
+ public_subnets = var.vpc_enabled ? one(module.vpc[*].public_subnets) : var.vpn_public_subnets
+
+ vpn_subnetwork_cidr = var.vpn_subnetwork_cidr
+ vpn_port = var.vpn_port
+ vpn_instances = var.vpn_instances
+ vpn_instance_type = var.vpn_instance_type
+ vpn_instance_disk_size = var.vpn_instance_disk_size
+ vpn_operator_name = var.vpn_operator_name
+ vpn_dhparams_bits = var.vpn_dhparams_bits
+ vpn_operator_cidrs = var.vpn_operator_cidrs
+ vpn_ssh_users = var.vpn_ssh_users
+ vpn_bucket_name_prefix = var.vpn_bucket_name_prefix
+ # vpn_routes = []
+}
diff --git a/templates/infrastructure/ekscluster/terraform/output.tf b/templates/infrastructure/ekscluster/terraform/output.tf
new file mode 100644
index 00000000..780aed4c
--- /dev/null
+++ b/templates/infrastructure/ekscluster/terraform/output.tf
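Review bot: The `backend "s3"` block sets `bucket`, `key` and `region` but not `encrypt = true`, so the infrastructure state, which carries the VPN outputs including the `furyagent` value that output.tf marks `sensitive`, is protected only if bucket-level default encryption was configured out of band; the `backend "s3"` block in templates/kubernetes/ekscluster/terraform/main.tf.tpl later in this diff has the same omission. `encrypt = true` costs nothing when the bucket already enforces SSE and protects the state when it does not; a `dynamodb_table` for state locking is worth considering as well, though it needs a table that furyctl would have to provision. `required_providers` also pins no `version` for hashicorp/aws, so each `terraform init` resolves to whatever release is newest; a constraint makes the phase reproducible.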
@@ -0,0 +1,46 @@
+/**
+ * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ */
+
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = one(module.vpc[*].vpc_id)
+}
+
+output "vpc_cidr_block" {
+ description = "The CIDR block of the VPC"
+ value = one(module.vpc[*].vpc_cidr_block)
+}
+
+output "public_subnets" {
+ description = "List of IDs of public subnets"
+ value = one(module.vpc[*].public_subnets)
+}
+
+output "public_subnets_cidr_blocks" {
+ description = "List of cidr_blocks of public subnets"
+ value = one(module.vpc[*].public_subnets_cidr_blocks)
+}
+
+output "private_subnets" {
+ description = "List of IDs of private subnets"
+ value = one(module.vpc[*].private_subnets)
+}
+
+output "private_subnets_cidr_blocks" {
+ description = "List of cidr_blocks of private subnets"
+ value = one(module.vpc[*].private_subnets_cidr_blocks)
+}
+
+output "furyagent" {
+ description = "furyagent.yml used by the vpn instance and ready to use to create a vpn profile"
+ sensitive = true
+ value = var.vpn_enabled ? one(module.vpn[*].furyagent) : null
+}
+
+output "vpn_ip" {
+ description = "VPN instance IPs"
+ value = var.vpn_enabled ? one(module.vpn[*].vpn_ip) : null
+}
diff --git a/templates/infrastructure/ekscluster/terraform/variables.tf b/templates/infrastructure/ekscluster/terraform/variables.tf
new file mode 100644
index 00000000..a0d33b56
--- /dev/null
+++ b/templates/infrastructure/ekscluster/terraform/variables.tf
@@ -0,0 +1,118 @@
+/**
+ * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ */
+
+variable "name" {
+ description = "Name of the resources. Used as cluster name"
+ type = string
+}
+
+variable "cidr" {
+ description = "The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
+
+variable "vpc_enabled" {
+ description = "Enable VPC creation"
+ type = bool
+ default = true
+}
+
+variable "vpc_public_subnetwork_cidrs" {
+ description = "Public subnet CIDRs"
+ type = list(string)
+ default = []
+}
+
+variable "vpc_private_subnetwork_cidrs" {
+ description = "Private subnet CIDRs"
+ type = list(string)
+ default = []
+}
+
+variable "vpn_enabled" {
+ description = "Enable VPN"
+ type = bool
+ default = true
+}
+
+variable "vpn_vpc_id" {
+ description = "ID of the VPC"
+ type = string
+ default = ""
+}
+
+variable "vpn_public_subnets" {
+ description = "Enable VPC"
+ type = list(string)
+ default = []
+}
+
+variable "vpn_subnetwork_cidr" {
+ description = "CIDR used to assign VPN clients IP addresses, should be different from the network_cidr"
+ type = string
+ default = "192.168.200.0/24"
+}
+
+variable "vpn_instances" {
+ description = "VPN Servers"
+ type = number
+ default = 1
+}
+
+variable "vpn_port" {
+ description = "VPN Server Port"
+ type = number
+ default = 1194
+}
+
+variable "vpn_instance_type" {
+ description = "EC2 instance type"
+ type = string
+ default = "t3.micro"
+}
+
+variable "vpn_instance_disk_size" {
+ description = "VPN main disk size"
+ type = number
+ default = 50
+}
+
+variable "vpn_operator_name" {
+ description = "VPN operator name. Used to log into the instance via SSH"
+ type = string
+ default = "sighup"
+}
+
+variable "vpn_dhparams_bits" {
+ description = "Diffie-Hellman (D-H) key size in bytes"
+ type = number
+ default = 2048
+}
+
+variable "vpn_operator_cidrs" {
+ description = "VPN Operator cidrs. Used to log into the instance via SSH"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "vpn_ssh_users" {
+ description = "GitHub users to sync public keys for SSH access"
+ type = list(string)
+ default = []
+}
+
+variable "vpn_bucket_name_prefix" {
+ type = string
+ description = "Bucket name prefix for VPN configuration files"
+ default = ""
+}
diff --git a/templates/kubernetes/ekscluster/terraform/data.tf b/templates/kubernetes/ekscluster/terraform/data.tf
new file mode 100644
index 00000000..2f160baa
--- /dev/null
+++ b/templates/kubernetes/ekscluster/terraform/data.tf
@@ -0,0 +1,13 @@
+/**
+ * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ */
+
+data "aws_eks_cluster" "fury" {
+ name = module.fury.cluster_id
+}
+
+data "aws_eks_cluster_auth" "fury" {
+ name = module.fury.cluster_id
+}
diff --git a/templates/kubernetes/ekscluster/terraform/main.auto.tfvars.tpl b/templates/kubernetes/ekscluster/terraform/main.auto.tfvars.tpl
new file mode 100644
index 00000000..670c95a0
--- /dev/null
+++ b/templates/kubernetes/ekscluster/terraform/main.auto.tfvars.tpl
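Review bot: Two descriptions in variables.tf are wrong: `vpn_public_subnets` is described as `"Enable VPC"`, although main.tf.tpl uses it as the list of public subnet IDs when the VPC is not created by this configuration, and `vpn_dhparams_bits` says `"key size in bytes"` while both the name and the default `2048` are bits. Separately, `vpn_operator_cidrs` defaults to `["0.0.0.0/0"]`, which the description states neutrally even though it governs who may reach the VPN host over SSH; the description should say so, e.g. `"CIDRs allowed to reach the VPN instance over SSH. The default admits any source address and should be narrowed."`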
@@ -0,0 +1,214 @@
+/**
+ * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ */
+
+cluster_name = {{ .metadata.name | quote }}
+
+{{- if hasKeyAny .spec.kubernetes "logsTypes" }}
+cluster_enabled_log_types = {{ toJson .spec.kubernetes.logsTypes }}
+{{- end }}
+kubectl_path = {{ .kubernetes.kubectlPath | quote }}
+cluster_version = {{ .kubernetes.version | quote }}
+cluster_endpoint_private_access = {{ .spec.kubernetes.apiServer.privateAccess }}
+
+{{- $privateAccessCidrs := .spec.kubernetes.apiServer.privateAccessCidrs }}
+{{- if hasKeyAny .infrastructure "clusterEndpointPrivateAccessCidrs" }}
+ {{- $privateAccessCidrs = append $privateAccessCidrs .infrastructure.clusterEndpointPrivateAccessCidrs }}
+{{- end }}
+cluster_endpoint_private_access_cidrs = {{ toJson ($privateAccessCidrs | uniq) }}
+cluster_endpoint_public_access = {{ .spec.kubernetes.apiServer.publicAccess }}
+
+{{- $publicAccessCidrs := .spec.kubernetes.apiServer.publicAccessCidrs }}
+{{- if eq (len $publicAccessCidrs) 0 }}
+ {{- $publicAccessCidrs = append $publicAccessCidrs "0.0.0.0/0" }}
+{{- end}}
+cluster_endpoint_public_access_cidrs = {{ toJson ($publicAccessCidrs | uniq) }}
+
+{{- if not (hasKeyAny .spec.kubernetes "serviceIpV4Cidr") }}
+cluster_service_ipv4_cidr = null
+{{- else }}
+cluster_service_ipv4_cidr = {{ .spec.kubernetes.serviceIpV4Cidr | quote }}
+{{- end }}
+node_pools_launch_kind = {{ .spec.kubernetes.nodePoolsLaunchKind | quote }}
+
+{{- if hasKeyAny .spec.kubernetes "logRetentionDays" }}
+cluster_log_retention_days = {{ .spec.kubernetes.logRetentionDays }}
+{{- end }}
+
+{{- if hasKeyAny .infrastructure "vpcId" }}
+vpc_id = {{ .infrastructure.vpcId | quote }}
+{{- else }}
+vpc_id = {{ .spec.kubernetes.vpcId | quote }}
+{{- end }}
+
+{{- $subnets := list }}
+{{- if hasKeyAny .infrastructure "subnets" }}
+ {{- $subnets = .infrastructure.subnets }}
+{{- else }}
+ {{- $subnets = .spec.kubernetes.subnetIds }}
+{{- end }}
+subnets = {{ toJson $subnets }}
+ssh_public_key = {{ .spec.kubernetes.nodeAllowedSshPublicKey | quote }}
+
+{{- if hasKeyAny .spec.kubernetes "awsAuth" }}
+ {{- if gt (len .spec.kubernetes.awsAuth.additionalAccounts) 0 }}
+eks_map_accounts = {{ toJson .spec.kubernetes.awsAuth.additionalAccounts }}
+ {{- end }}
+
+ {{- if gt (len .spec.kubernetes.awsAuth.users) 0 }}
+ {{- $users := list }}
+
+ {{- range $u := .spec.kubernetes.awsAuth.users }}
+ {{- $currUser := dict "username" $u.username "userarn" $u.userarn "groups" $u.groups }}
+ {{- $users = append $users $currUser }}
+ {{- end }}
+eks_map_users = {{ toPrettyJson $users | join ","}}
+ {{- end }}
+
+ {{- if gt (len .spec.kubernetes.awsAuth.roles) 0 }}
+ {{- $roles := list }}
+
+ {{- range $r := .spec.kubernetes.awsAuth.roles }}
+ {{- $currRole := dict "username" $r.username "rolearn" $r.rolearn "groups" $r.groups }}
+ {{- $roles = append $roles $currRole }}
+ {{- end }}
+eks_map_roles = {{ toPrettyJson $roles | join "," }}
+ {{- end }}
+{{- end }}
+
+{{- if gt (len .spec.kubernetes.nodePools) 0 }}
+ {{- $nodePools := list }}
+
+ {{- range $np := .spec.kubernetes.nodePools }}
+ {{- $currNodePool := dict "name" $np.name "version" nil "min_size" $np.size.min "max_size" $np.size.max "instance_type" $np.instance.type "spot_instance" false "volume_size" 35 "subnets" nil "additional_firewall_rules" nil "labels" nil "taints" nil "tags" nil }}
+
+ {{- if hasKeyAny $np "type" }}
+ {{- $currNodePool = mergeOverwrite $currNodePool (dict "type" $np.type) }}
+ {{- end}}
+
+ {{- if hasKeyAny $np "ami" }}
+ {{- $currNodePool = mergeOverwrite $currNodePool (dict "ami_id" $np.ami.id) }}
+ {{- end }}
+
+ {{- if hasKeyAny $np.instance "spot" }}
+ {{- $currNodePool = mergeOverwrite $currNodePool (dict "spot_instance" $np.instance.spot) }}
+ {{- end }}
+
+ {{- if hasKeyAny $np "containerRuntime" }}
+ {{- $currNodePool = mergeOverwrite $currNodePool (dict "container_runtime" $np.containerRuntime) }}
+ {{- end }}
+
+ {{- if hasKeyAny $np.instance "maxPods" }}
+ {{- $currNodePool = mergeOverwrite $currNodePool (dict "max_pods" $np.instance.maxPods) }}
+ {{- end }}
+
+ {{- if hasKeyAny $np.instance "volumeSize" }}
+ {{- $currNodePool = mergeOverwrite $currNodePool (dict "volume_size" $np.instance.volumeSize) }}
+ {{- end }}
+
+ {{- if and (hasKeyAny $np "subnetIds") (gt (len $np.subnetIds) 0) }}
+ {{- $currNodePool = mergeOverwrite $currNodePool (dict "subnets" $np.subnetIds) }}
+ {{- end }}
+
+ {{- if hasKeyAny $np "additionalFirewallRules" }}
+ {{- $additionalFirewallRules := dict }}
+
+ {{- if and (hasKeyAny $np.additionalFirewallRules "cidrBlocks") (gt (len $np.additionalFirewallRules.cidrBlocks) 0)}}
+ {{- $cidrBlocks := list }}
+
+ {{- range $c := $np.additionalFirewallRules.cidrBlocks }}
+ {{- $currCidrBlock := dict "description" $c.name "type" $c.type "protocol" $c.protocol "from_port" $c.ports.from "to_port" $c.ports.to "tags" (dict) "cidr_blocks" ($c.cidrBlocks | uniq) }}
+
+ {{- if hasKeyAny $c "tags" }}
+ {{- $tags := dict }}
+
+ {{- range $k, $v := $c.tags }}
+ {{- $tags = mergeOverwrite $tags (dict $k $v) }}
+ {{- end }}
+
+ {{- $currCidrBlock = mergeOverwrite $currCidrBlock (dict "tags" $tags) }}
+ {{- end }}
+
+ {{- $cidrBlocks = append $cidrBlocks $currCidrBlock }}
+ {{- end }}
+
+ {{- $additionalFirewallRules = mergeOverwrite $additionalFirewallRules (dict "cidr_blocks" $cidrBlocks) }}
+ {{- end }}
+
+ {{- if and (hasKeyAny $np.additionalFirewallRules "sourceSecurityGroupId") (gt (len $np.additionalFirewallRules.sourceSecurityGroupId) 0)}}
+ {{- $sourceSecurityGroupId := list }}
+
+ {{- range $s := $np.additionalFirewallRules.sourceSecurityGroupId }}
+ {{- $currSourceSecurityGroupId := dict "description" $s.name "type" $s.type "protocol" $s.protocol "from_port" $s.ports.from "to_port" $s.ports.to "tags" (dict) "source_security_group_id" $s.sourceSecurityGroupId }}
+
+ {{- if hasKeyAny $s "tags" }}
+ {{- $tags := dict }}
+
+ {{- range $k, $v := $s.tags }}
+ {{- $tags = mergeOverwrite $tags (dict $k $v) }}
+ {{- end }}
+
+ {{- $currSourceSecurityGroupId = mergeOverwrite $currSourceSecurityGroupId (dict "tags" $tags) }}
+ {{- end }}
+
+ {{- $sourceSecurityGroupId = append $sourceSecurityGroupId $currSourceSecurityGroupId }}
+ {{- end }}
+
+ {{- $additionalFirewallRules = mergeOverwrite $additionalFirewallRules (dict "source_security_group_id" $sourceSecurityGroupId) }}
+ {{- end }}
+
+ {{- if and (hasKeyAny $np.additionalFirewallRules "self") (gt (len $np.additionalFirewallRules.self) 0)}}
+ {{- $self := list }}
+
+ {{- range $s := $np.additionalFirewallRules.self }}
+ {{- $currSelf := dict "description" $s.name "type" $s.type "protocol" $s.protocol "from_port" $s.ports.from "to_port" $s.ports.to "tags" (dict) "self" $s.self }}
+
+ {{- if hasKeyAny $s "tags" }}
+ {{- $tags := dict }}
+
+ {{- range $k, $v := $s.tags }}
+ {{- $tags = mergeOverwrite $tags (dict $k $v) }}
+ {{- end }}
+
+ {{- $currSelf = mergeOverwrite $currSelf (dict "tags" $tags) }}
+ {{- end }}
+
+ {{- $self = append $self $currSelf }}
+ {{- end }}
+
+ {{- $additionalFirewallRules = mergeOverwrite $additionalFirewallRules (dict "self" $self) }}
+ {{- end }}
+
+ {{- $currNodePool = mergeOverwrite $currNodePool (dict "additional_firewall_rules" $additionalFirewallRules) }}
+ {{- end }}
+
+ {{- if and (hasKeyAny $np "labels") (gt (len $np.labels) 0) }}
+ {{- $labels := dict }}
+
+ {{- range $k, $v := $np.labels }}
+ {{- $labels = mergeOverwrite $labels (dict $k $v) }}
+ {{- end }}
+
+ {{- $currNodePool = mergeOverwrite $currNodePool (dict "labels" $labels) }}
+ {{- end }}
+
+ {{- if and (hasKeyAny $np "taints") (gt (len $np.taints) 0) }}
+ {{- $currNodePool = mergeOverwrite $currNodePool (dict "taints" $np.taints) }}
+ {{- end }}
+
+ {{- if and (hasKeyAny $np "tags") (gt (len $np.tags) 0) }}
+ {{- $tags := dict }}
+
+ {{- range $k, $v := $np.tags }}
+ {{- $tags = mergeOverwrite $tags (dict $k $v) }}
+ {{- end }}
+
+ {{- $currNodePool = mergeOverwrite $currNodePool (dict "tags" $tags) }}
+ {{- end }}
+
+ {{- $nodePools = append $nodePools $currNodePool }}
+ {{- end }}
+node_pools = {{ toPrettyJson $nodePools }}
+{{- end }}
diff --git a/templates/kubernetes/ekscluster/terraform/main.tf.tpl b/templates/kubernetes/ekscluster/terraform/main.tf.tpl
new file mode 100644
index 00000000..89079526
--- /dev/null
+++ b/templates/kubernetes/ekscluster/terraform/main.tf.tpl
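Review bot: When `.spec.kubernetes.apiServer.publicAccessCidrs` is empty the template appends `"0.0.0.0/0"`, so with `publicAccess` true an omitted list silently means the EKS API endpoint is reachable from every address. EKS applies the same default itself, so behaviour does not change, but this template is where the user's configuration becomes an explicit allow-list and it should say what it is doing; a comment above the `if`, e.g. `{{- /* No publicAccessCidrs given: fall back to 0.0.0.0/0, i.e. the endpoint is reachable from anywhere while publicAccess is true. */ -}}`, makes the widening visible to whoever reads the rendered tfvars. A stricter option, if the schema does not already enforce it, is to fail the render when `publicAccess` is true and the list is empty rather than defaulting.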
@@ -0,0 +1,74 @@
+/**
+ * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ */
+
+terraform {
+ backend "s3" {
+ bucket = "{{ .spec.toolsConfiguration.terraform.state.s3.bucketName }}"
+ key = "{{ .spec.toolsConfiguration.terraform.state.s3.keyPrefix }}/cluster.json"
+ region = "{{ .spec.toolsConfiguration.terraform.state.s3.region }}"
+
+ {{- if index .spec.toolsConfiguration.terraform.state.s3 "skipRegionValidation" }}
+ skip_region_validation = {{ default false .spec.toolsConfiguration.terraform.state.s3.skipRegionValidation }}
+ {{- end }}
+ }
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ }
+ }
+}
+
+provider "aws" {
+ region = "{{ .spec.region }}"
+ default_tags {
+ tags = {
+ {{- range $k, $v := .spec.tags }}
+ {{ $k }} = "{{ $v }}"
+ {{- end}}
+ }
+ }
+}
+
+provider "kubernetes" {
+ host = data.aws_eks_cluster.fury.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.fury.certificate_authority[0].data)
+ token = data.aws_eks_cluster_auth.fury.token
+ load_config_file = false
+}
+
+module "fury" {
+ source = "{{ .kubernetes.installerPath }}"
+
+ cluster_name = var.cluster_name
+ cluster_version = var.cluster_version
+ cluster_log_retention_days = var.cluster_log_retention_days
+ {{- if eq .features.logTypesEnabled true }}
+ cluster_enabled_log_types = var.cluster_enabled_log_types
+ {{- end }}
+ cluster_endpoint_public_access = var.cluster_endpoint_public_access
+ cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
+ cluster_endpoint_private_access = var.cluster_endpoint_private_access
+ cluster_endpoint_private_access_cidrs = var.cluster_endpoint_private_access_cidrs
+ cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr
+ vpc_id = var.vpc_id
+ subnets = var.subnets
+ ssh_public_key = var.ssh_public_key
+ node_pools = var.node_pools
+ node_pools_launch_kind = var.node_pools_launch_kind
+ tags = var.tags
+
+ # AWS-specific variables.
+ # Enables managing auth using these variables
+ eks_map_users = var.eks_map_users
+ eks_map_roles = var.eks_map_roles
+ eks_map_accounts = var.eks_map_accounts
+
+ # ssh_to_nodes_allowed_cidr_blocks = []
+}
diff --git a/templates/kubernetes/ekscluster/terraform/output.tf b/templates/kubernetes/ekscluster/terraform/output.tf
new file mode 100644
index 00000000..22e32383
--- /dev/null
+++ b/templates/kubernetes/ekscluster/terraform/output.tf
@@ -0,0 +1,66 @@
+/**
+ * Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ */
+
+output "cluster_endpoint" {
+ description = "The endpoint for your Kubernetes API server"
+ value = module.fury.cluster_endpoint
+}
+
+output "cluster_certificate_authority" {
+ description = "The base64 encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster"
+ value = module.fury.cluster_certificate_authority
+}
+
+output "operator_ssh_user" {
+ description = "SSH user to access cluster nodes with ssh_public_key"
+ value = module.fury.operator_ssh_user
+}
+
+output "eks_cluster_oidc_issuer_url" {
+ description = "The URL on the EKS cluster OIDC Issuer"
+ value = module.fury.eks_cluster_oidc_issuer_url
+}
+
+output "eks_worker_iam_role_name" {
+ description = "Default IAM role name for EKS worker groups"
+ value = module.fury.eks_worker_iam_role_name
+}
+
+output "eks_workers_asg_names" {
+ description = "Names of the autoscaling groups containing workers."
+ value = module.fury.eks_workers_asg_names
+}
+
+output "kubeconfig" {
+ sensitive = true
+ value = <
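Review bot: `provider "kubernetes"` sets `load_config_file = false`, an argument that was removed in the hashicorp/kubernetes provider 2.x line, and `required_providers` gives it no `version` constraint, so a fresh `terraform init` that resolves to a 2.x release fails on that line with an unsupported-argument error. Either drop the line (with `host`, `cluster_ca_certificate` and `token` set, 2.x does not read a kubeconfig unless `config_path` or its environment variable is given) or pin a `version` on both providers so the phase is reproducible across runs. The `backend "s3"` block also omits `encrypt = true`, leaving state encryption to bucket-level defaults configured elsewhere.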